topic ISE adding secondary node in Network Access Control

ISE adding secondary node

nenadl — Wed, 16 Oct 2019 23:51:20 GMT

Hi all,

i have problem with adding secondary node to primary. I can ping them, nslookup on both sides gives me correct entry. I did tcp dump on destination FW, don't see that something is blocking...primary is using 443 port when I try to register secondary node.

PRIMARY:

ise01/admin# nslookup ise02.net.biz
Trying "ise02.net.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31656
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ise02.net.biz. IN ANY

;; ANSWER SECTION:
ise02.net.biz. 3600 IN A 172.28.208.208

ise01/admin# ping ise02.net.biz
PING ise021.net.biz (172.28.208.208) 56(84) bytes of data.
64 bytes from 172.28.208.208: icmp_seq=1 ttl=59 time=25.3 ms
64 bytes from 172.28.208.208: icmp_seq=2 ttl=59 time=24.7 ms
64 bytes from 172.28.208.208: icmp_seq=3 ttl=59 time=24.6 ms
64 bytes from 172.28.208.208: icmp_seq=4 ttl=59 time=25.1 ms

ise02/admin# nslookup ise01.net.biz
Trying "ise01.net.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ise01.net.biz. IN ANY

;; ANSWER SECTION:
ise01.net.biz. 293 IN A 10.64.96.96

ise02/admin# ping ise01.net.biz
PING ise01.net.biz (10.64.96.96) 56(84) bytes of data.
64 bytes from 10.64.96.96: icmp_seq=1 ttl=59 time=24.7 ms
64 bytes from 10.64.96.96: icmp_seq=2 ttl=59 time=24.4 ms
64 bytes from 10.64.96.96: icmp_seq=3 ttl=59 time=24.5 ms
64 bytes from 10.64.96.96: icmp_seq=4 ttl=59 time=24.4 ms

Both devices use same version.

This is message that I'm getting :

Communication failure with the host ise02.net.biz. Please check the information for the target machine, or if the target machine is accessible and try again.

Anyone knows what to check next?

Thanks

Re: ISE adding secondary node

Afolarin Omole — Fri, 18 Oct 2019 09:41:02 GMT

Hello,

Remember when setting up ISE in distribute mode , both Primary and Secondary PAN need to trust each other aside all that you have confirmed above.

Trust between the two PAN is built on certificate (mostly self-signed ). Have you export the default self signed certificate from the Secondary PAN to import into the Primary PAN vice versa . After doing all you mentioned and this , you should be able to add the Secondary PAN to the Primary. But if you are using externally signed certificate , then you have to create CSR to be signed externally ( But why would one need that , this is not externally faced ) , or using your corporate internal CA ( this option is also good because it gives longer expiry which depend on your corporate security polices).

Let me know is this helps

Re: ISE adding secondary node

nenadl — Fri, 18 Oct 2019 14:32:14 GMT

Hi,

problem was not with certificate. Problem was that on primary I had patch installed which I hadn't on secondary. After removing patch issue was resolved.

Thanks,