https://community.cisco.com/t5/network-access-control/ise-1-1-2-failover-syncronization-issue/m-p/2278116#M92401 <HTML><HEAD></HEAD><BODY><P>I may have misunderstood your problem, but.... for your first problem, are you expecting the Monitor node status to change when you promote node 2? You're only promoting the admin role, the monitor role will remain unchanged unless you choose to change which is primary monitor node too (totally separate).</P><P></P><P>2nd problem. Sounds like certificate maybe? What are you using in the way of certs for the nodes to auth each other? Did you swap the self signed certs for instance between nodes? Changed certs recently and not delete old ones? I've seen old certs which seem to have been deleted hang around until a full reload.</P></BODY></HTML> Mon, 30 Sep 2013 22:57:54 GMT bikespace 2013-09-30T22:57:54Z https://community.cisco.com/t5/network-access-control/ise-1-1-2-failover-syncronization-issue/m-p/2278115#M92383 <P>Hi everone,</P><P></P><P><STRONG>Scenário:</STRONG></P><P>I've deployed two Cisco ISE 1.1.2 nodes as follows:</P><P></P><P>Node 1 as Primrary Admin, Policy Server and Monitoring</P><P>Node 2 as Secondary Admin, Policy Server and Monitoring</P><P></P><P>All configured roles works as expected.</P><P></P><P><STRONG>Problem:</STRONG></P><P>Once I promote the <STRONG style="font-size: 10pt;">Node </STRONG><SPAN style="color: #ff0000;"><STRONG style="font-size: 10pt; ">2 </STRONG><SPAN style="color: #000000; font-size: 10pt; ">(S</SPAN></SPAN><SPAN style="font-size: 10pt; color: #000000;">econdary node) to become the Primary the problem takes place as described bellow:</SPAN></P><P></P><P>1- The <STRONG><SPAN style="font-size: 10pt;">Node</SPAN><SPAN style="color: #ff0000;"> 2</SPAN></STRONG> <SPAN style="font-size: 10pt;">restarts the ISE Application and assumes the Primary </SPAN><SPAN style="font-size: 10pt;">Admin, Policy Server roles (but Monitoring role remains as Primary</SPAN><SPAN style="font-size: 10pt;">)</SPAN></P><P><SPAN style="font-size: 10pt;">2- The <STRONG>Node<SPAN style="color: #ff0000;"> 1</SPAN></STRONG> restarts the ISE Application too and Second</SPAN><SPAN style="font-size: 10pt;">ary Admin, Policy Server </SPAN><SPAN style="font-size: 10pt;">roles (but Monitoring role remains as Secondaary)</SPAN></P><P></P><P>After the ISE Application becomes up in both nodes the syncronization status appear as <SPAN style="color: #ff0000;">NODE NOT REACHABLE</SPAN>.</P><P></P><P>Does anyone faced this issue before, or have any idea about it?</P><P></P><P></P><P>Thanks in advance.</P> Tue, 26 Mar 2019 00:31:07 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-2-failover-syncronization-issue/m-p/2278115#M92383 Paulo Moreira Magalhaes 2019-03-26T00:31:07Z https://community.cisco.com/t5/network-access-control/ise-1-1-2-failover-syncronization-issue/m-p/2278116#M92401 <HTML><HEAD></HEAD><BODY><P>I may have misunderstood your problem, but.... for your first problem, are you expecting the Monitor node status to change when you promote node 2? You're only promoting the admin role, the monitor role will remain unchanged unless you choose to change which is primary monitor node too (totally separate).</P><P></P><P>2nd problem. Sounds like certificate maybe? What are you using in the way of certs for the nodes to auth each other? Did you swap the self signed certs for instance between nodes? Changed certs recently and not delete old ones? I've seen old certs which seem to have been deleted hang around until a full reload.</P></BODY></HTML> Mon, 30 Sep 2013 22:57:54 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-2-failover-syncronization-issue/m-p/2278116#M92401 bikespace 2013-09-30T22:57:54Z https://community.cisco.com/t5/network-access-control/ise-1-1-2-failover-syncronization-issue/m-p/2278117#M92411 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>I've got the problem solved.</P><P></P><P>Both nodes are in diferent location and they are behind a firewall in each location.</P><P></P><P>The problem was a wrong NAT statement on firewall in which the node 2 resides behind to. This NAT was preventing Node 2 to iniciate the database syncronization.</P><P></P><P>Thank you so much!</P></BODY></HTML> Thu, 03 Oct 2013 20:50:05 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-2-failover-syncronization-issue/m-p/2278117#M92411 Paulo Moreira Magalhaes 2013-10-03T20:50:05Z