https://community.cisco.com/t5/network-access-control/ise-node-registration-fails/m-p/3958734#M455642 <P>The new nodes that are being added must be on the same version and patch level.&nbsp; Then, the certificates need to be trusted both ways.&nbsp; You can export the system certificates from the new nodes and import those into the existing deployment admin as a trusted certificate.&nbsp; Then take the Root and Intermediate CA certificates that signed the existing deployment nodes' certificates and put those on the new nodes in the trusted certificates store.&nbsp; If all of that is good and still failing, then make sure DNS entries are created for the new nodes and the existing deployment nodes.&nbsp; Both forward and reverse lookup records.&nbsp; You can test by doing an nslookup from the CLI of the new nodes and the existing Primary Admin.&nbsp; For both the FQDN and the IP address.</P> Thu, 14 Nov 2019 17:04:29 GMT Colby LeMaire 2019-11-14T17:04:29Z https://community.cisco.com/t5/network-access-control/ise-node-registration-fails/m-p/3958726#M455639 <P>I have a problem with registering a new ISE node to an existing ISE cluster that contains 4 nodes, so I have 4 nodes and I need to add 2 more nodes to them, all nodes are running version 2.4 patch10 and the certificates are trusted, however, I get this error&nbsp;<SPAN>"Registration failed"</SPAN></P> Thu, 14 Nov 2019 16:51:37 GMT https://community.cisco.com/t5/network-access-control/ise-node-registration-fails/m-p/3958726#M455639 MohamedSamer47595 2019-11-14T16:51:37Z https://community.cisco.com/t5/network-access-control/ise-node-registration-fails/m-p/3958734#M455642 <P>The new nodes that are being added must be on the same version and patch level.&nbsp; Then, the certificates need to be trusted both ways.&nbsp; You can export the system certificates from the new nodes and import those into the existing deployment admin as a trusted certificate.&nbsp; Then take the Root and Intermediate CA certificates that signed the existing deployment nodes' certificates and put those on the new nodes in the trusted certificates store.&nbsp; If all of that is good and still failing, then make sure DNS entries are created for the new nodes and the existing deployment nodes.&nbsp; Both forward and reverse lookup records.&nbsp; You can test by doing an nslookup from the CLI of the new nodes and the existing Primary Admin.&nbsp; For both the FQDN and the IP address.</P> Thu, 14 Nov 2019 17:04:29 GMT https://community.cisco.com/t5/network-access-control/ise-node-registration-fails/m-p/3958734#M455642 Colby LeMaire 2019-11-14T17:04:29Z https://community.cisco.com/t5/network-access-control/ise-node-registration-fails/m-p/3958736#M455644 <P>Theres quite a bit of information needed to help here.</P><P>Is the new PSN across a WAN from the PAN?</P><P>Is it behind a firewall from the PAN?</P><P>&nbsp;</P><P>To start, you need to ensure you have the following ports open bi-directionally between your nodes:</P><UL><LI><P class="p">HTTPS (SOAP): TCP/443</P></LI><LI><P class="p">Data synchronization/ Replication (JGroups): TCP/12001 (Global)</P></LI><LI><P class="p">ISE Messaging Service: SSL: TCP/8671</P></LI></UL><P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html</A></P><P>&nbsp;</P><P>Ensure you are using the same NTP server and that DNS (FQDN and short name) are resolvable on both sides.</P><P>&nbsp;</P><P>If youre across a WAN, be sure to check your bandwidth:</P><P><A href="https://community.cisco.com/t5/security-documents/ise-latency-and-bandwidth-calculators/ta-p/3641112" target="_blank" rel="noopener">https://community.cisco.com/t5/security-documents/ise-latency-and-bandwidth-calculators/ta-p/3641112</A></P><P>&nbsp;</P><P>If all of that checks out, I would suggest to open a ticket with TAC to look into the registration logs.</P> Thu, 14 Nov 2019 17:05:59 GMT https://community.cisco.com/t5/network-access-control/ise-node-registration-fails/m-p/3958736#M455644 JohnNewman7082 2019-11-14T17:05:59Z