topic Re: ISE 2.7 Clustering Issue in Network Access Control

ISE 2.7 Clustering Issue

viv42 — Wed, 21 Jun 2023 05:41:26 GMT

Hi Team,

I have a total of 4 ISE nodes on a VM medium size. Previously, it was on 2.3 where we are facing multiple issues. Recently I migrated that server with the fresh installation on version 2.7 patch 9 on a newly created VM host using ISO image. I have installed these nodes one by one in standalone mode, configured the same policies and IP schema, and dismantled the old VM host servers.

Out of 4 nodes, 3 nodes successfully get into the cluster and working fine. One was able to reregister but not getting synced with others.

I tried to de-register, service start-stop, reload, and factory reset, but still, it was not able to sync. The error is de-register the node and register it again.

I have also checked the reachability part and I can able to ping and get the DNS lookup of all other nodes from the affected node.

Please suggest any further troubleshooting if possible.

Re: ISE 2.7 Clustering Issue

Mark Elsen — Wed, 21 Jun 2023 06:14:47 GMT

- Consider migrating to (more) recent version(s) of ISE : https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

Re: ISE 2.7 Clustering Issue

Aref Alsouqi — Wed, 21 Jun 2023 16:35:01 GMT

Did you try the "application reset-config ise" on the node that is giving these issues? if so, maybe you can move the primary PAN persona to the secondary PAN and see if that helps. Alternatively, I would try to get TAC engaged.

Re: ISE 2.7 Clustering Issue

viv42 — Fri, 23 Jun 2023 03:46:54 GMT

Hi Aref,

The affected node is a PSN that is not able to sync with other nodes. I have already tried "application reset-config ISE" but it didn't work.

The node was able to register within a minute but after that it was not able sync.

Re: ISE 2.7 Clustering Issue

Aref Alsouqi — Fri, 23 Jun 2023 15:09:15 GMT

I would try to move the primary PAN as suggested before, alternatively I think TAC could help. If not, maybe redeploying that node from the scratch would be a fairly quick option.

Re: ISE 2.7 Clustering Issue

Nancy Saini — Fri, 23 Jun 2023 19:11:53 GMT

Check things in the following order:

PAN should be able to do both forward and reverse nslookup of the affected node.
Check if communication is allowed between PAN and the problematic node for TCP 443, 12001 and 8671.
Take a packet capture on PAN while registering the node and check communication with problematic server's IP. (Check if SSL handshake is getting completed for TCP port mentioned in #2)
You can also do "show logging application replication.log tail" on the problematic node while doing the registration and check if any exceptions or error message seen.

If nothing conclusive found, would suggest reaching out to TAC.

Re: ISE 2.7 Clustering Issue

viv42 — Fri, 23 Jun 2023 20:46:54 GMT

Hi Aref, Thank you for the suggestion. I will go for redeploying if any of the troubleshooting not works.

Hi Nancy,

I will check all of the things which you mentioned in your reply and will let you know.