Test the pxGrid Cloud Identity Source

This topic discusses diagnostics you can perform in Cisco Security Cloud Control to determine whether the identity source is working. Errors might involve communication with Cisco ISE or the configuration of Cisco ISE with the Catalyst Cloud Portal.

View the current configuration

To get started:

  1. Log in to Cisco Security Cloud Control as a user with the Super Admin role.

  2. Click Policies > Threat Defense > Integration > Other Integrations > Identity Sources.

  3. Click Identity Services Engine (pxGrid Cloud).

Sample configuration status

The following figure shows an example configuration.

The following table has more information about the numbered areas in the figure.

| Number | Meaning |
|--------|---------|
| 1 | Overall status: Any errors in the overall status of the Cisco ISE app instances are displayed. In that case, scroll to that instance and either expand the error message or click Test for more information. |
| 2 | Active: A green check mark indicates the app is active. |
| 3 | Inactive: A dimmed app instance is inactive. You can activate it by selecting the check box next to its name and then clicking Make active. |
| 4 | Test button: Click Test to perform diagnostic tests that show more detailed status of the app instance. See the next section for more information. |

The following figure shows a sample success message.

The following figure shows an example error result.

The following section provides a reference for the possible errors.

Error code reference

The following information is provided to help you diagnose and solve issues with Cisco ISE, pxGrid Cloud, and the Catalyst Cloud Portal. If these suggestions do not work, or if you have a different issue, contact Cisco TAC.

403 – Forbidden

Verify the Cisco ISE product is not in a Pending or Suspended state in the Catalyst Cloud Portal. If suspended, verify that Cisco ISE is registered as discussed in Enable pxGrid Cloud service in Cisco ISE and register your device.

Additionally, verify pxGrid Cloud services are publicly available.

To verify whether or not your product is active:

  1. Log in to the Catalyst Cloud Portal.

  2. In the Catalyst Cloud Portal, go to > Applications and Products as the following figure shows:

    In the Cisco DNA Portal, go to Applications and Products

  3. Click the Products tab.

    The following figure shows an example of a suspended product.

  4. To correct the issue, in the Actions column, click and click Generate OTP.

  5. Use the OTP as discussed in Create an App Instance.

404 – Not Found

Verify that the Cisco ISE server was not disconnected directly from the Cisco ISE dashboard. To properly disconnect a Cisco ISE server that is already connected to the app instance, first deactivate Cisco ISE from the app instance and then disconnect the app instance from the Cisco ISE dashboard.

408 – Request Timeout

General connectivity

Check whether there are any general connectivity issues with Cisco ISE and verify pxGrid Cloud connectivity status is Connected in the ISE dashboard under > Administration > pxGrid Services > Client Management > pxGrid Cloud Connection.

The following figure shows an example of a system that is connected.

A green check mark indicates the connection was successful.

The following figure shows an example of a system that is not enrolled (that is, not connected).

Verify that the Cisco ISE server was not disconnected directly from the Cisco ISE dashboard. To properly disconnect a Cisco ISE server that is already connected to the app instance, first deactivate Cisco ISE from the app instance and then disconnect the app instance from the Cisco ISE dashboard.

Cluster member not reachable

If a member of the Cisco ISE cluster is not reachable, a page like the following is displayed:

To find which node is not reachable, log in to the Cisco ISE primary administration node as an administrator, click the Menu icon, and choose Administration > System > Deployment, then see Node Status in a Cisco ISE Deployment.

413 – Content Too Large

We recommend you review the pxGrid Cloud API limitations on GitHub. If needed, consider upgrading your Cisco ISE version to fully utilize pxGrid Cloud support.

500 – Internal Server Error

Check that the Cisco ISE server is operational and that pxGrid Cloud services are active (verify MNT, SXP, pxGrid nodes, and so on).

For more information, see Monitoring and debugging in the Cisco pxGrid chapter in the Cisco Identity Services Engine Administrator Guide.