ISE has failed to learned a new SXP mapping from APIC endpoint

RobvdL
Level 1

Hi experts,

I'm trying to integrate ACI and ISE.

To explain my current situation I'll go from access layer towards ACI.

On the access layer a C3650 switch is configured with dot1x. Two VMs are connected on dedicated switch ports and can log in to Active Directory. The switch is added to ISE. Also on ISE I've integrated Active Directory, and two AD groups are mapped to security groups.

When user user1 logs in to the VM, the switch gives it a tag of 4; when user admin1 logs in, it receives a tag of 3.

From the switch I have a link towards the ACI fabric for the L3out.

On the APIC I've exported the certificate, and I've imported that certificate into ISE.

On the TrustSec ACI integration side I've filled in all necessary information for ISE to log in to the correct Tenant in ACI.

After this is done I can see new security groups in ISE which are the EPGs. And in ACI I can see new networks popping up on the L3out.

So far so good.

I've created a contract in ACI to allow traffic between the VMs in SG 3 and 4 to communicate with the server EPG.

When a user is logging in on the VM, I don't see its IP address popping up under the networks in ACI.

I've turned on debugging on DeviceTracking and SXP. In the logging I can see the following:

2018-05-28 13:49:24,268 INFO  [PARTIAL_APIC_To_SXP] cisco.cpm.sxp.apic.ApicPublisher:384 - Sending APIC bindings without SGT name to SXP, IP: 10.0.60.5/32 sgtTag:0 EPG name:AP_ADMIN_SERVERS_EPG counter: 3

2018-05-28 13:49:24,269 INFO  [PARTIAL_APIC_To_SXP] cisco.cpm.sxp.apic.ApicPublisher:384 - Sending APIC bindings without SGT name to SXP, IP: 10.0.60.5/32 sgtTag:0 EPG name:AP_ADMIN_SERVERS_EPG counter: 2

2018-05-28 13:49:24,269 WARN  [PARTIAL_APIC_To_SXP] cisco.cpm.sxp.apic.ApicPublisher:405 - ISE has failed to learned a new SXP mapping from APIC endpoint after 20 retries to retrive SGT. dropping mapping, ip:10.0.60.5/32 sgtTag:0 EPG name:AP_ADMIN_SERVERS_EPG

ISE v2.4

ACI v3.1

IOS XE 03.06.08E

Can anyone help me with finding what is causing the problems?

I expect to see server IPs under All SXP mapping but I don't.


Jason Kunst
Cisco Employee

I would recommend contacting the TAC for in-depth troubleshooting experience and recreate