topic Cisco ISE Distributed environment question in Network Access Control

Cisco ISE Distributed environment question

soporte-pan — Mon, 11 Mar 2019 02:47:19 GMT

Hi everyone,

We want to deploy the ISE's nodes in primary- secondary to high availability.

One Node is in Europe and the another node is in America.

Is there exist some restriction about the distance or times, to syncronize between each one?.

Of course, the timezone for each node will be different (GMT - 8 and GMT +1 for example).

I was reading the way for implement it, but it didn't show any information about this.

Regards,

Re: Cisco ISE Distributed environment question

jw.sl9 — Thu, 06 Dec 2012 03:18:43 GMT

Make your timezones BOTH UTC

What kind of connection do you have between the 2 sites?

I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered.

Please rate post you consider useful.
-James

Cisco ISE Distributed environment question

Tarik Admani — Thu, 06 Dec 2012 06:11:33 GMT

Hi,

My suggestion is to lab this between two boxes in a virtual environment. I dont think there is an issue with this since the clock has to be NTP and from a reliable clock source (please do not use windows). From my understanding the timezone is just an offset to the raw time data that is learned from NTP so if you have two nodes in different timezones should be covered. I understand that using UTC is a pain but James brings up a good solution. I feel that if you configure this in a lab you should be ok.

Thanks,

Tarik Admani
*Please rate helpful posts*

Cisco ISE Distributed environment question

khernandezruiz — Mon, 15 Apr 2013 22:38:41 GMT

Hi James,

Sorry for answer a little late. I had not the information before by the client.

The connection between the two sites is a International MPLS (no internet from our perspective). This is the information:

BW: 2 Mbps

Delay: 200 ms

I put the 2 Nodes ISE in that way:

Node in Europe (We will call NodeA):

- Administration (PAN) Primary

- Monitoring (MNT)

- Policy (PSN)

- NTP Server: Public NTP Server. 130.206.3.166

Timezone: UTC

CA Certificate: Self-Certificate_from_ise_node_America

Node in America (We will call NodeB):

- Administration (PAN) Secondary

NTP Server: Public NTP Server. 130.206.3.166 (the same NTP Server)

Timezone: EST

The NodeB is registered from NodeA using its dns name, with no problem (so I assumed that the certificate, credential and DNS resolve correctly).

Waiting for a couple of hour, the NodeB viewed from the NodeA in the section Administration - System - Deployment state OUT OF SYNC.

When I tried to sync manually, the NodeA showed the following message:

Internal Error: Server returned HTTP Response Code: 500 for URL: https://NodeB/deployment-rpc/cert

Expiry status

And happened everytime I tried to sync.

The NodeB is no possible to access through http server web page correctly after its register. It shows the portal page, but it doesn't matter if you use a correct user or bad user, after you click Logging, return a white page without information.

The solution to use the same timezone

I will put in practice, making the nodes using for both UTC.

If you guys have another ideas, it's appreciate it.

Thanks,

Re: Cisco ISE Distributed environment question

soporte-pan — Wed, 17 Apr 2013 14:15:33 GMT

Hi Everyone,

No... Configuring both Nodes using the timezone UTC did not work.

Re: Cisco ISE Distributed environment question

Naveen Kumar — Tue, 27 Aug 2013 12:07:01 GMT

Please check the guide of Setting Up Cisco ISE in a Distributed Environment:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html

Cisco ISE Distributed environment question

harvisin — Sat, 21 Sep 2013 23:32:50 GMT

Hello,

Sync issues, which are usually due to time changes or Network Time Protocol (NTP) sync issues, you must correct the system time and perform a manual sync-up through the UI.

Cisco ISE Distributed environment question

Kanes Ramasamy — Mon, 04 Nov 2013 01:34:16 GMT

Hi All,

I am having a similar issue to the above and I am curious if the license/certificate will have issues once the NTP server or clock is changed.

Please advise.

Thanks and Regards,

Kanes.R

Re: Cisco ISE Distributed environment question

Charlie Moreton — Mon, 04 Nov 2013 13:49:26 GMT

Are these nodes virtual? If so, please make sure that the Virtual Host Machine is syncing with the NTP server properly before deploying the VM image. Once that is done, ensure that you are using the same NTP server on both the Virtual Host Machine and the VM.

The licenses will be fine, but you may have to generate new certs once the time syncs up. It can take 15-20 minutes for the NTP polling to sync the times.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.

Charles Moreton

Cisco ISE Distributed environment question

Peter Koltl — Wed, 06 Nov 2013 20:00:27 GMT

You have to make your own calculations as in

https://communities.cisco.com/servlet/JiveServlet/download/30977-55-46302/TT+ISE+Overview.pdf

Re: Cisco ISE Distributed environment question

khernandezruiz — Wed, 06 Nov 2013 20:33:44 GMT

Just one of them is virtual.

Apparently is not a sync problems, but a possible bug CSCuh70984 is hitting. Although is not discarded the delay issue between the nodes (200 ms), maybe is not the problem.

We will do the workaround if the problem is resolved.

I'll let you know guys.

Kevin