Symptom
1. The Queue Link Error alarm is constantly generated on the ISE dashboard.
2. Health Status and live logs are unavailable when "ISE Messaging Service for UDP Syslogs delivery to MnT" is enabled.
In both cases, the following error message is printed in rabbit-ise.log on all nodes:
2019-04-24 13:37:34.178 [warning] Federation exchange 'E-Mesh' in vhost '/' did not connect to exchange 'E-Mesh' in vhost '/' on amqps://:8671
{error,{tls_alert,"unknown ca"}}
Conditions
The ISE root CA has been moved to an Intermediate CA role. Specifically, the ISE CA certificate is issued by another Root CA.
Workaround
Migrate the certificate used for ISE Messaging from the ISE CA chain back to the self-signed root.
Go to CSRs and generate a new CSR with the usage ISE Root CA. Once the new chain is in place and assigned to the ISE Messaging Service, the errors are no longer observed.
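To check a collected rabbit-ise.log for the signature quoted under Symptom, or to confirm it has stopped after the workaround, a scan like the following pairs each federation warning with the TLS alert on the line after it. This is an added example, not Cisco code; the sample lines are constructed from the excerpt above and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the rabbit-ise.log format quoted under Symptom.
# The upstream host is left empty, exactly as in the page's excerpt.
SAMPLE_LOG = """\
2019-04-24 13:37:34.178 [warning] Federation exchange 'E-Mesh' in vhost '/' did not connect to exchange 'E-Mesh' in vhost '/' on amqps://:8671
{error,{tls_alert,"unknown ca"}}
2019-04-24 13:37:35.002 [info] accepting AMQP connection
2019-04-24 13:38:04.411 [warning] Federation exchange 'E-Mesh' in vhost '/' did not connect to exchange 'E-Mesh' in vhost '/' on amqps://:8671
{error,{tls_alert,"unknown ca"}}
2019-04-24 13:39:10.500 [warning] Federation exchange 'E-Mesh' in vhost '/' did not connect to exchange 'E-Mesh' in vhost '/' on amqps://:8671
{error,econnrefused}
"""

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[warning\] "
    r"Federation exchange '(?P<exchange>[^']+)' in vhost '(?P<vhost>[^']+)' "
    r"did not connect to exchange '[^']+' in vhost '[^']+' on (?P<uri>\S+)$"
)
TLS_ALERT = re.compile(r'^\{error,\{tls_alert,"(?P<alert>[^"]+)"\}\}')


def find_tls_federation_failures(lines):
    """Yield one dict per federation warning whose next line is a TLS alert."""
    pending = None
    for raw in lines:
        line = raw.rstrip("\n")
        header = HEADER.match(line)
        if header:
            pending = header.groupdict()  # remember it; the reason is on the next line
            continue
        alert = TLS_ALERT.match(line)
        if pending and alert:
            yield {**pending, "alert": alert.group("alert")}
        pending = None  # non-TLS reasons (e.g. econnrefused) are not this issue


def summarize(lines):
    """Count failures per (exchange, upstream URI, TLS alert)."""
    return Counter((f["exchange"], f["uri"], f["alert"])
                   for f in find_tls_federation_failures(lines))


if __name__ == "__main__":
    for (exchange, uri, alert), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{exchange} -> {uri}: {n} x tls_alert {alert!r}")
```

An "unknown ca" count that keeps rising on every node matches the condition described here; a count that stays at zero after the new chain is assigned indicates the federation links are completing the TLS handshake.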
Further Problem Description