https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582155#M573752 <P>Hello,</P><P>&nbsp;</P><P>We have the following distributed ISE deployment:</P><P>&nbsp;</P><P>Site A: 2x ADM, 2x MNT, 2x PSN</P><P>Site B: 2x PSN</P><P>Site C: 2x PSN</P><P>&nbsp;</P><P>We opened the ports in the firewalls between Site A and Site B and between Site A and Site C so the PSN can reach the ADM and MNT nodes.</P><P>We have some errors in the ISE stating communication failure between the PSN of Site B and PSN of Site C.</P><P>&nbsp;</P><P>Why do the PSN of Site B need to communicate with the PSN of Site C ?</P> Wed, 30 Mar 2022 17:48:03 GMT hervetram 2022-03-30T17:48:03Z https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582155#M573752 <P>Hello,</P><P>&nbsp;</P><P>We have the following distributed ISE deployment:</P><P>&nbsp;</P><P>Site A: 2x ADM, 2x MNT, 2x PSN</P><P>Site B: 2x PSN</P><P>Site C: 2x PSN</P><P>&nbsp;</P><P>We opened the ports in the firewalls between Site A and Site B and between Site A and Site C so the PSN can reach the ADM and MNT nodes.</P><P>We have some errors in the ISE stating communication failure between the PSN of Site B and PSN of Site C.</P><P>&nbsp;</P><P>Why do the PSN of Site B need to communicate with the PSN of Site C ?</P> Wed, 30 Mar 2022 17:48:03 GMT https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582155#M573752 hervetram 2022-03-30T17:48:03Z https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582174#M573753 <P>Did you create a single "node group", with all PSNs assigned to it?</P><P>Such a scenario would explain the behaviour you see: PSNs share their active sessions with all members of the "node group"</P><P>If you have a single "node group", please consider creating a "node group" per site and only assign the PSNs for that site.</P><P>Please keep in mind that RADIUS session are shared within a "node group", PSNs of site A will have no knowledge about active sessions within site B.</P><P>&nbsp;</P><P>Cheers,</P><P>Hans</P> Wed, 30 Mar 2022 18:31:04 GMT https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582174#M573753 HansK_NL 2022-03-30T18:31:04Z https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582186#M573755 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/502850">@hervetram</a>&nbsp;</P><P>You can use this document as a guide of the ports and compare with your logs on firewall to check what traffic is the PSNs trying to establish: <STRONG><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_0110.html" target="_self">Cisco ISE Ports Reference</A></STRONG></P><P>As&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/916617">@HansK_NL</a>&nbsp;said, probably you have just one cluster configured and all PSN personas are trying to sync sessions.</P><P>Regards,</P><P>Jezer</P> Wed, 30 Mar 2022 18:55:45 GMT https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582186#M573755 tjezer 2022-03-30T18:55:45Z https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582189#M573757 <P>I did create a node group for each site when I added the nodes, so each node group contains only the 2 PSN of its site.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Mar 2022 19:04:23 GMT https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/m-p/4582189#M573757 hervetram 2022-03-30T19:04:23Z