topic Re: AD Connector had to be restarted. Server=isepsn1 in Network Access Control

AD Connector had to be restarted. Server=isepsn1

adamscottmaster2013 — Fri, 19 May 2023 15:10:46 GMT

I am running ISE 3.0 patch-3. For the past two weeks, I see this message in ISE from one of my PSN nodes

AD Connector had to be restarted. Server=isepsn1

The tcpdump on the network showed that the rst package come from the Active Directory server at the exact time I see this message in ISE. Is this an issue with ISE or ADs? Thoughts?

Re: AD Connector had to be restarted. Server=isepsn1

ahollifield — Fri, 19 May 2023 15:31:15 GMT

I would probably install the latest patch for 3.0 before spending too much time troubleshooting. Patch 3 is quite old at this point.

https://community.cisco.com/t5/network-access-control/ad-connector-had-to-be-restarted-server-isepsn1/td-p/4839138

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-0.html

Re: AD Connector had to be restarted. Server=isepsn1

adamscottmaster2013 — Fri, 19 May 2023 16:58:47 GMT

@ahollifield : you sound like true Cisco TAC engineer with the "upgrade to the latest patch" comment instead of trying to figure out what the issue is, LOL....🙂

Re: AD Connector had to be restarted. Server=isepsn1

ahollifield — Fri, 19 May 2023 17:05:39 GMT

lol they do have a point though. Patch 3 was released July 27, 2021 so almost two full years ago. That's an ancient time in software lifecycle with zero vulnerability or bug fixes. Within that timeframe two new major releases of ISE have also been released.

Re: AD Connector had to be restarted. Server=isepsn1

adamscottmaster2013 — Fri, 19 May 2023 18:39:59 GMT

LOL...Yes, but ISE 3.2 is severely "broken" and not too many people are using it 🙂

You don't know if upgrading to the latest patch will fix the issue instead of investigating the actual issue and confirm whether the latest patch will fix it. Not hoping the latest patch will fix it.

Re: AD Connector had to be restarted. Server=isepsn1

ahollifield — Fri, 19 May 2023 19:04:11 GMT

Can you elaborate on "Severely broken"? I know of several deployments running 3.2 Patch 1 expressly for the Azure AD integration for EAP-TLS authorization without issue.

That's true I don't know that; I'm just offering a potential fix that might save time troubleshooting. Its something that should be done anyways...

Re: AD Connector had to be restarted. Server=isepsn1

Marcelo Morais — Sat, 20 May 2023 04:08:37 GMT

Hi @adamscottmaster2013 ,

please try to find a clue by "debugging" the ad_agent.log:

. GUI:

Administration > System > Logging > Debug Log Configuration > select the PSN > Active Directory from Warn to Debug or Trace.

. CLI:

ise/admin# show logging application ad_agent.log

Hope this helps !!!

Re: AD Connector had to be restarted. Server=isepsn1

adamscottmaster2013 — Thu, 25 May 2023 11:46:52 GMT

@ahollifield: Severely broken as: 1- Integration with Active Directory doesn't work; 2- External authentication with radius server (the external radius is another Cisco ISE) does not work; 3- ssh stops working for no reason (tcpdump showed ssh requests get to the ISE server but no ssh reply). I am sure there are other things that are not working but I am still stuck on item #1 and #2 because it is a show stopper for me so far.

Re: AD Connector had to be restarted. Server=isepsn1

ahollifield — Thu, 25 May 2023 12:50:22 GMT

Interesting do you have TAC cases open for these? I have several 3.2 deployments joined to on-prem AD without issue. I haven't tested the external RADIUS sever configuration on 3.2 but I am curious on the the use-case for relaying to another ISE deployment. Is this for a migration?

Re: AD Connector had to be restarted. Server=isepsn1

adamscottmaster2013 — Thu, 25 May 2023 14:44:54 GMT

@ahollifield: Yes, my ISE 3.2 patch-2 does NOT have issue with joining Active Directory. It joins just fine and I can also test the user. However, when I attempted to create a wireless guest user with AD credential, I didn't see any communications between ISE and AD servers. Yes, I have multiple tickets open with TAC on many issues regarding ISE 3.2, and they are very slow in responding so far.

Re: AD Connector had to be restarted. Server=isepsn1

adamscottmaster2013 — Fri, 29 Sep 2023 21:25:01 GMT

A colleague of mine opened a TAC case with Cisco for this exact issue and the TAC is not very helpful. It looks like not even TAC is very knowledgable with this product. Cisco's response: please upgrade to patch-8.