https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5224226#M593190 <P>You seem to have a firewall in between these two ISE nodes. Just make sure please that you have all the required ports opened as mentioned by the others, or you can open up all the ports between these nodes on the firewall if they are in segregated secured segments and then look at the firewall logs to narrow down the policy based on the utilised ports you see on the logs.</P> Thu, 14 Nov 2024 11:48:22 GMT Aref Alsouqi 2024-11-14T11:48:22Z https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223843#M593167 <P>I am unable to join a node to the deployment even though I am able to ping PAN to new node and vice versa? What could be stopping this?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NetworkMonkey101_0-1731515527565.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/233791iE43923D1CAFDBC28/image-size/medium?v=v2&amp;px=400" role="button" title="NetworkMonkey101_0-1731515527565.png" alt="NetworkMonkey101_0-1731515527565.png" /></span></P><P>&nbsp;</P> Wed, 13 Nov 2024 16:32:15 GMT https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223843#M593167 NetworkMonkey101 2024-11-13T16:32:15Z https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223844#M593168 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1495947">@NetworkMonkey101</a> is DNS setup and working? Can you ping the FQDN?</P> Wed, 13 Nov 2024 16:35:07 GMT https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223844#M593168 Rob Ingram 2024-11-13T16:35:07Z https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223845#M593169 <P>I would check this guide that the ports are open between the nodes for all communication.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7.html</A></P> <P>&nbsp;</P> Wed, 13 Nov 2024 16:36:20 GMT https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223845#M593169 Dustin Anderson 2024-11-13T16:36:20Z https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223859#M593170 <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_7.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_7.html</A></P> Wed, 13 Nov 2024 17:11:26 GMT https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223859#M593170 ahollifield 2024-11-13T17:11:26Z https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223885#M593174 <P>As mentioned check the DNS, can you resolve from node a to node b with the command nslookup nodea.domain.com ? And also from node a to the node b? Finally, I'd highly recommend collecting a packet capture. Use the following documentation, it includes the ports for replication and synchronization:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7.html</A><BR /><BR /></P> <TABLE id="persona-node-ports__ID-1420-00000015" class="table" border="1" width="100%"> <TBODY id="persona-node-ports__ID-1420-0000002c" class="tbody"> <TR id="persona-node-ports__ID-1420-00000043"> <TD class="entry align-left"> <P class="p">Replication and Synchronization</P> </TD> <TD class="entry align-left"> <UL class="ul"> <LI id="persona-node-ports__li_35C4E893CFE84C989D4723A9834B2066" class="li"> <P class="p">HTTPS (SOAP): TCP/443</P> </LI> <LI id="persona-node-ports__li_C91BE77EC5824DC3AAEA168D95FFA7EF" class="li"> <P class="p">Data Synchronization/ Replication (JGroups): TCP/12001 (Global)</P> </LI> <LI class="li"> <P class="p">ISE Messaging Service: SSL: TCP/8671</P> </LI> <LI class="li"> <P class="p">ISE internal communication: TCP/15672</P> </LI> <LI class="li"> <P class="p">Profiler Endpoint Ownership Synchronization/ Replication: TCP/6379</P> </LI> </UL> </TD> </TR> </TBODY> </TABLE> <P><BR /><BR /></P> Wed, 13 Nov 2024 18:25:34 GMT https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5223885#M593174 dalbanil 2024-11-13T18:25:34Z https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5224226#M593190 <P>You seem to have a firewall in between these two ISE nodes. Just make sure please that you have all the required ports opened as mentioned by the others, or you can open up all the ports between these nodes on the firewall if they are in segregated secured segments and then look at the firewall logs to narrow down the policy based on the utilised ports you see on the logs.</P> Thu, 14 Nov 2024 11:48:22 GMT https://community.cisco.com/t5/network-access-control/node-not-able-to-join-deployment/m-p/5224226#M593190 Aref Alsouqi 2024-11-14T11:48:22Z