Error Code Reference

Overview

This page documents all error codes across ISE APIs with resolutions.

HTTP Status Codes

| Code | Meaning | Action |
|------|---------|--------|
| 2xx Success | | |
| 200 | OK - Request successful | Parse response body |
| 201 | Created - Resource created | Check Location header for new resource URL |
| 204 | No Content - Delete successful | No body returned |
| 4xx Client Errors | | |
| 400 | Bad Request - Invalid syntax | Check JSON format, required fields |
| 401 | Unauthorized - Auth failed | Verify credentials, check ERS Admin role |
| 403 | Forbidden - No permission | User lacks required RBAC permissions |
| 404 | Not Found - Resource missing | Verify ID/name, check resource exists |
| 405 | Method Not Allowed | Check HTTP method (GET/POST/PUT/DELETE) |
| 409 | Conflict - Already exists | Use PUT to update, or DELETE first |
| 415 | Unsupported Media Type | Add Content-Type: application/json header |
| 422 | Unprocessable Entity | Valid JSON but semantic error (e.g., invalid MAC format) |
| 429 | Too Many Requests | Rate limited - wait and retry |
| 5xx Server Errors | | |
| 500 | Internal Server Error | Check ISE logs, retry later |
| 502 | Bad Gateway | ISE service issue, check node health |
| 503 | Service Unavailable | ISE overloaded or in maintenance |
| 504 | Gateway Timeout | Request too slow, increase timeout or paginate |

ERS API Errors

Common Error Response

{
  "ERSResponse": {
    "operation": "POST-create",
    "messages": [
      {
        "title": "Error message here",
        "type": "ERROR",
        "code": "Application error code"
      }
    ],
    "link": {
      "rel": "related",
      "href": "https://ise:9060/ers/config/endpoint",
      "type": "application/xml"
    }
  }
}

ERS Error Codes

| Code | Message | Resolution |
|------|---------|------------|
| RESOURCE_NOT_FOUND | Resource not found | Verify ID/name exists, check spelling |
| DUPLICATE_RESOURCE | Resource already exists | Use PUT to update, or DELETE first |
| INVALID_INPUT | Invalid input data | Check required fields, data formats |
| INVALID_MAC_ADDRESS | Invalid MAC address format | Use XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX |
| INVALID_GROUP_ID | Invalid group ID | Verify group exists: netapi ise get-endpoint-groups |
| CONSTRAINT_VIOLATION | Database constraint violated | Check foreign key references exist |
| AUTHORIZATION_FAILED | User not authorized | Verify ERS Admin role assigned |
| INTERNAL_ERROR | Internal server error | Check ISE logs, retry later |

Extracting ERS Errors

# Extract error message from response
jq -r '.ERSResponse.messages[0].title // "Unknown error"'

# Full error details
jq '.ERSResponse.messages[]'

OpenAPI v1 Errors

Common Error Response

{
  "response": {
    "code": 400,
    "message": "Error description here"
  },
  "version": "1.0.0"
}

OpenAPI Error Codes

| Code | Message | Resolution |
|------|---------|------------|
| INVALID_POLICY_SET | Policy set not found | Verify policy set ID exists |
| INVALID_CONDITION | Invalid condition syntax | Check condition format and dictionary references |
| RULE_CONFLICT | Rule conflicts with existing rule | Check rule rank/priority, remove conflicts |
| DICTIONARY_NOT_FOUND | Dictionary attribute not found | Verify dictionary and attribute names |
| INVALID_PROFILE | Authorization profile not found | Create profile first via ERS API |

Extracting OpenAPI Errors

# Extract error message
jq -r '.response.message // .message // "Unknown error"'

MnT API Errors

MnT returns XML responses:

<error>
  <code>404</code>
  <message>Session not found</message>
</error>

MnT Error Codes

| Code | Message | Resolution |
|------|---------|------------|
| SESSION_NOT_FOUND | No active session for MAC | Verify endpoint is authenticated |
| INVALID_MAC | Invalid MAC address format | Use consistent format (colons or dashes) |
| COA_FAILED | CoA operation failed | Check NAS connectivity, verify session exists |
| MNT_NOT_AVAILABLE | MnT node unavailable | Check MnT node health, try different node |

DataConnect Errors

Oracle JDBC Errors

| Code | Message | Resolution |
|------|---------|------------|
| ORA-01017 | Invalid username/password | Verify DataConnect credentials |
| ORA-12541 | No listener | Check port 2484 accessibility |
| ORA-00942 | Table or view does not exist | Check view name, verify DataConnect enabled |
| ORA-01722 | Invalid number | Check data type in query |

netapi DataConnect Errors

# Test connection and show detailed error
netapi ise dc test --verbose

pxGrid Errors

Connection Errors

| Code | Message | Resolution |
|------|---------|------------|
| CERT_NOT_APPROVED | Client certificate pending approval | Approve in ISE > pxGrid Services > Clients |
| CERT_REVOKED | Client certificate revoked | Generate new certificate, re-approve |
| SERVICE_NOT_AVAILABLE | pxGrid service unavailable | Check pxGrid node health |
| SUBSCRIPTION_DENIED | Not authorized for topic | Verify pxGrid permissions |

Certificate Errors

# Verify certificate validity
openssl x509 -in pxgrid-client.pem -noout -dates

# Check certificate issuer
openssl x509 -in pxgrid-client.pem -noout -issuer

# Verify against CA
openssl verify -CAfile ise-trust-chain.pem pxgrid-client.pem

Error Handling Patterns

Shell Script Pattern

Error Handling

Check HTTP Status

# Capture both body and status code
# NOTE: -k disables TLS certificate verification; replace it with
# --cacert <ISE CA chain> so the ISE node's certificate is validated
response=$(curl -sk -w "\n%{http_code}" -u "${ISE_AUTH}" \
  "${BASE_URL}/endpoint/nonexistent" \
  -H "Accept: application/json")

http_code=$(echo "$response" | tail -1)
body=$(echo "$response" | sed '$d')

if [[ "$http_code" -ge 200 && "$http_code" -lt 300 ]]; then
  # Print the label separately so jq only receives the JSON body
  echo "Success:"
  echo "$body" | jq .
else
  echo "Error HTTP $http_code:" >&2
  echo "$body" | jq -r '.ERSResponse.messages[0].title // .message // .' >&2
  exit 1
fi

Parse ERS Errors

# Extract ERS error message
jq -r '.ERSResponse.messages[0].title // "Unknown error"'

# Full error details
jq '.ERSResponse.messages[]'

Parse OpenAPI Errors

# Extract OpenAPI error
jq -r '.response.message // .message // "Unknown error"'

Retry Logic

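# Retry with exponential backoff on transient failures:
# 000 (curl got no HTTP response), 429 (rate limited) and 5xx (server error)
retry_request() {
  local max_attempts=3
  local delay=1

  for ((i=1; i<=max_attempts; i++)); do
    # -k disables TLS certificate verification; replace it with --cacert where possible
    response=$(curl -sk -w "\n%{http_code}" "$@")
    http_code=$(echo "$response" | tail -1)

    # 2xx and non-retryable 4xx responses are handed back to the caller as-is
    if [[ "$http_code" != "000" && "$http_code" != "429" && "$http_code" -lt 500 ]]; then
      echo "$response" | sed '$d'
      return 0
    fi

    echo "Attempt $i failed (HTTP $http_code), retrying in ${delay}s..." >&2
    sleep "$delay"
    ((delay*=2))
  done

  echo "All attempts failed" >&2
  return 1
}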

netapi Error Handling

# netapi returns non-zero on error
if ! result=$(netapi ise get-endpoint "XX:XX:XX:XX:XX:XX" 2>&1); then
  echo "Error: $result" >&2
  exit 1
fi

# Or use set -e for automatic exit on error
set -e
netapi ise get-endpoint "C8:5B:76:C6:59:62"

Python Pattern

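import os

import requests
from requests.auth import HTTPBasicAuth

# Connection settings are read from the environment rather than hard-coded
ISE_HOST = os.environ["ISE_HOST"]
ISE_USER = os.environ["ISE_USER"]
ISE_PASS = os.environ["ISE_PASS"]
# CA bundle used to verify the ISE certificate (file name is an example)
ISE_CA_BUNDLE = os.environ.get("ISE_CA_BUNDLE", "ise-trust-chain.pem")


def ise_api_call(method, endpoint, data=None):
    url = f"https://{ISE_HOST}:9060/ers/config/{endpoint}"
    auth = HTTPBasicAuth(ISE_USER, ISE_PASS)
    headers = {"Accept": "application/json", "Content-Type": "application/json"}

    response = requests.request(method, url, auth=auth, headers=headers,
                                json=data, verify=ISE_CA_BUNDLE, timeout=30)
    try:
        response.raise_for_status()
    except requests.exceptions.HTTPError as e:
        # The error body may be empty or not JSON (e.g. on 401), so fall back to str(e)
        try:
            messages = response.json().get("ERSResponse", {}).get("messages") or [{}]
            error_msg = messages[0].get("title", str(e))
        except ValueError:
            error_msg = str(e)
        raise Exception(f"ISE API Error: {error_msg}") from e
    # 204 No Content (e.g. after DELETE) has no body to parse
    return response.json() if response.content else None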
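The three error body formats documented above (ERS JSON, OpenAPI JSON, MnT XML) can be handled by one parser. This is an added example, not code from the original page or from netapi; the function name `parse_ise_error`, the `RETRYABLE` set (derived from the HTTP status table) and the sample bodies are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Per the HTTP status table: 429 and 5xx say "wait/retry later"; other 4xx need a fix first
RETRYABLE = {429, 500, 502, 503, 504}


def parse_ise_error(status, body):
    """Return {'api', 'code', 'message', 'retryable'} for a failed ISE response."""
    result = {"api": "unknown", "code": str(status),
              "message": "Unknown error", "retryable": status in RETRYABLE}
    text = body.decode("utf-8", "replace").strip() if isinstance(body, bytes) else body.strip()
    if not text:
        return result                       # e.g. a 401 with an empty body
    if text.startswith("<"):
        # MnT format: <error><code>..</code><message>..</message></error>
        if "<!DOCTYPE" in text or "<!ENTITY" in text:
            return result                   # refuse DTDs/entities in an error body
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            return result                   # HTML or truncated XML from a proxy
        if root.tag == "error":
            result.update(api="mnt",
                          code=root.findtext("code", result["code"]),
                          message=root.findtext("message", result["message"]))
        return result
    try:
        doc = json.loads(text)
    except ValueError:
        return result
    if not isinstance(doc, dict):
        return result
    ers = doc.get("ERSResponse")
    if isinstance(ers, dict):
        msgs = ers.get("messages") or [{}]  # key may be missing or an empty list
        result.update(api="ers", code=msgs[0].get("code", result["code"]),
                      message=msgs[0].get("title", result["message"]))
    elif isinstance(doc.get("response"), dict):
        resp = doc["response"]
        result.update(api="openapi", code=str(resp.get("code", status)),
                      message=resp.get("message", result["message"]))
    return result


# Constructed sample bodies in the three formats shown on this page
ERS_BODY = '{"ERSResponse": {"operation": "POST-create", "messages": [{"title": "Resource already exists", "type": "ERROR", "code": "DUPLICATE_RESOURCE"}]}}'
OPENAPI_BODY = '{"response": {"code": 400, "message": "Invalid condition syntax"}, "version": "1.0.0"}'
MNT_BODY = b"<error><code>404</code><message>Session not found</message></error>"
```

Unparseable or empty bodies fall back to the HTTP status alone, so a caller can still decide whether to retry.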