https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3203365#M553421 <P>&nbsp;</P> <P>I've experienced the same issue. These two new bugs might be related.&nbsp;</P> <P>&nbsp;</P> <P>CSCvg19243:&nbsp;ISE is sensitive to high values of "Root Dispersion" for NTP server</P> <P>CSCvg19246: ISE unable to make persistent changes to ntp.conf</P> <P>&nbsp;</P> <P>The&nbsp;workaround is to change&nbsp;ntp.conf file : tos maxdist 16. But if the appliance is reloaded the issue will re-occur. Only TAC can do the workaround&nbsp; by installing root patch.</P> Mon, 23 Oct 2017 08:30:56 GMT Mady 2017-10-23T08:30:56Z https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3202020#M553407 <P>I have two ISE servers both running version 2.2.0.470.&nbsp; One is a primary located in our data center while the other is a secondary located at a remote site.&nbsp; Secondary acts as the primary auth server for the remote site.&nbsp; Both have been working fine, had one issue where I would got alerts about contacting the DC but a reboot fixed the issue.&nbsp; Today I had an issue that started with the following alerts in order:</P> <P>&nbsp;</P> <P>NTP Sync Failure\Joined domain is unavailable\AD forest unavailable\AD not &nbsp;joined\AD: Machine TGT refresh failed</P> <P>&nbsp;</P> <P>I tried restarting the services which didn't work so I rebooted the server.&nbsp; Everything seemed to be working fine as all the alerts stopped and the status was "operational" as an identity source.&nbsp; Well the alerts stopped but the server is no longer authenticating devices. All devices from the remote site are failing over to the primary.&nbsp; Checked the time on the server, removed the server from the domain and add it back but it still will not authenticate any users.&nbsp; Our primary is authenticating the failed devices but I would like to get the secondary working it’s located at a remote site and the authentication is now being done across a WAN.</P> <P>&nbsp;</P> <P>All of the dropped authentications show&nbsp; "Failure Reason 11007 could not locate Network Device or AAA Client."</P> <P>&nbsp;</P> <P>Any ideas as to where to look next?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Quentin<BR /> &nbsp;</P> <P><BR />&nbsp;</P> Fri, 21 Feb 2020 18:36:35 GMT https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3202020#M553407 quentincorbett 2020-02-21T18:36:35Z https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3202927#M553411 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/246568">@quentincorbett</a></P> <P>Wondering if you gave the logs some check. Logs looks pretty much auto explained ""<SPAN>NTP Sync Failure\Joined domain is unavailable\AD forest unavailable\AD not &nbsp;joined\AD: Machine TGT refresh failed""</SPAN></P> <P><SPAN>ISE is pretty sensitive to NTP. And if this is not properly communicating with AD we can't expect good things.</SPAN></P> <P>&nbsp;</P> <P><SPAN>-If I helped you somehow, please, rate it as useful.-</SPAN></P> Sat, 21 Oct 2017 16:49:22 GMT https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3202927#M553411 Flavio Miranda 2017-10-21T16:49:22Z https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3203365#M553421 <P>&nbsp;</P> <P>I've experienced the same issue. These two new bugs might be related.&nbsp;</P> <P>&nbsp;</P> <P>CSCvg19243:&nbsp;ISE is sensitive to high values of "Root Dispersion" for NTP server</P> <P>CSCvg19246: ISE unable to make persistent changes to ntp.conf</P> <P>&nbsp;</P> <P>The&nbsp;workaround is to change&nbsp;ntp.conf file : tos maxdist 16. But if the appliance is reloaded the issue will re-occur. Only TAC can do the workaround&nbsp; by installing root patch.</P> Mon, 23 Oct 2017 08:30:56 GMT https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3203365#M553421 Mady 2017-10-23T08:30:56Z https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3203907#M553433 <P>Thanks for your response but all the errors cleared after a reboot and the ISE server is communicating with the DC but for some reason it is no longer authenticating.&nbsp;</P> Tue, 24 Oct 2017 00:04:25 GMT https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3203907#M553433 quentincorbett 2017-10-24T00:04:25Z https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3203909#M553445 <P>Thanks, I will open a TAC case to see if they can resolve the issue.</P> Tue, 24 Oct 2017 00:05:20 GMT https://community.cisco.com/t5/network-access-control/ise-secondary-server-authentication-issue/m-p/3203909#M553445 quentincorbett 2017-10-24T00:05:20Z