topic Re: Cannot join AD in ISE 2.4 | CLOCK_SKEW in Network Access Control

Cannot join AD in ISE 2.4 | CLOCK_SKEW

bcotaz — Tue, 30 Jul 2019 16:42:42 GMT

Hi,

I'm trying to join my AD in ISE but getting an error.

ISE is at 2.4

AD is Microsoft Server 2016

Here is the complete error:

Result for ISE node: ise.securitydemo.net.

Status: Join Operation Failed: Clock skew detected with active directory server

Error Description: Clock Skew Detected With Active Directory Server

Support Details...

Error Name: LW_ERROR_CLOCK_SKEW

Error Code: 40087

Detailed Log:

08:53:12 Joining To Domain MXXXAKI.COM Using User Administrator

08:53:12 Searching For DC In Domain MXXXAKI.COM

08:53:12 Found DC: WIN-3CE3A93D7R1.mxxxaki.com , Client Site Is Default-First-Site-Name , Dc Site Is Default-First-Site-Name

08:53:12 Checking Credentials For User Administrator

08:53:12 Getting TGT For Account Administrator@MXXXAKI.COM

I've set up my AD as the NTP and DNS.

Here's a screen capture of show NTP in ISE.

I've also set Root Dispersion to zero already, please see attached.

Thank you,

Brian

Re: Cannot join AD in ISE 2.4 | CLOCK_SKEW

Surendra — Tue, 30 Jul 2019 17:14:46 GMT

Your ISE isn't in Sync with your NTP server as you can see that the selected time source is not your NTP server. Check if your NTP server is up and running. Are there any devices that are in sync with your NTP server? Check this if it helps . https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119371-technote-ise-00.html

Re: Cannot join AD in ISE 2.4 | CLOCK_SKEW

bcotaz — Wed, 31 Jul 2019 12:10:13 GMT

Hi Serendra,

I tried using google NTP server already, but my current time source is still 127.127.1.0.
Any idea how to force the ISE NTP to my configured google ntp server?
Screenshot below.

[cid:image001.png@01D547DB.DF7C8FB0]

Thanks,
Brian

Re: Cannot join AD in ISE 2.4 | CLOCK_SKEW

Damien Miller — Wed, 31 Jul 2019 15:41:54 GMT

127.127.1.0 is always listed first.

Re: Cannot join AD in ISE 2.4 | CLOCK_SKEW

bcotaz — Sun, 04 Aug 2019 09:49:14 GMT

Closing out on this one. I was able to successfully integrate AD by manually adjusting ISE clock in the CLI using the command "clock set"

Re: Cannot join AD in ISE 2.4 | CLOCK_SKEW

kostasthedelegate — Tue, 10 Dec 2019 13:57:12 GMT

Hello,

The time you put was with seconds?

Did it require a restart after the command?

Regards,

Konstantinos

Re: Cannot join AD in ISE 2.4 | CLOCK_SKEW

hslai — Sat, 14 Dec 2019 17:13:21 GMT

An ISE service restart is recommended but not required. Yes, the command needs seconds specified. As long as the time differences are within 5 minutes, the AD join would usually work.

Nonetheless, I would suggest to get a good time source, which is reachable within your infrastructure by both AD, ISE, and others, and have all their clocks synchronized to it. This makes it easier to look at the logs if we need to troubleshoot anything.