11-11-2018 12:46 PM - edited 03-08-2019 05:28 PM
Hi,
After some testing in lab with our new DNA I have reinstalled it from scratch using ISO provided by TAC to start using it in production. It's clean and fully updated (1.2.6).
Now I am trying to link it with ISE, also freshly installed (2.3.0.298 patch 5).
But the link fails with the error message "Error establishing trust with ISE: Expected failure phrase received: Trust establishment Operation Failed. Check ISE node role or whether remote server 10.216.17.64 is reachable"
10.216.17.64 is the Virtual IP, 10.216.17.65 is the node IP. But I cannot connect to the DNA controller using the VIP, and neither can ISE. Yet DNAC is sending that IP. This is a standalone setup.
How can I either bring up the VIP or force the use of the node IP rather than VIP?
Thanks for your help.
Cedric
11-11-2018 03:10 PM
Note: You can use symbolic IPs for my question but I need to understand your setup.
How many NICs are configured on your ISE?
What are their IPs on eth0 & eth1 (if used)?
Which IP do you use for accessing the ISE UI?
For the DNAC, How many Network Interfaces did you configure?
What are the IP addresses for enp10s0, enp1s0f0, enp1s0f1, and enp9s0? Which interface is the Clusterlink?
You typically have 2 or 3 interfaces for the DNAC which would require 3 VIPs with the latest release?
If you are only using a single NIC, you do not have to configure a VIP. If you plan to grow this into a 3 node cluster then you would want to configure this DNAC as the primary node in the cluster. So you would most likely configure 3 NICs with 3 VIPs.
You can refer to my IP Address Planning worksheet for more details:
Technote of the Day (TOTD) - DNAC IP Address Planning Worksheet
https://community.cisco.com/t5/network-architecture-documents/totd-dnac-ip-address-planning-worksheet/ta-p/3695458
Regards
T.
11-11-2018 11:04 PM
Hi Tomas,
Thanks! That sentence made my day:
@Tomas de Leon wrote:...
If you are only using a single NIC, you do not have to configure a VIP.
...
I don't know where it came from but I was persuaded that I had to provide VIP addresses for every configured interface, even if I was not planning to cluster the solution. So I was always filling those addresses in the wizard.
Apparently, if a VIP is configured for the enterprise NIC it is communicated to the ISE server even if the VIP is down.
Once I removed the VIPs the address sent to ISE was the node address and the config went smoothly.
I should have asked earlier :-p
I had already seen your TOTD and it was helpful in preparing the addressing schema.
Thanks again,
Cédric
02-13-2019 10:41 AM - edited 02-14-2019 08:40 AM
One of our engineers just ran into the same situation, but went about fixing it a different way. Even though this was a single node deployment (for now) VIPs were used for both the Cluster and the Enterprise links since the documentation states this is a requirement starting with 1.2.6. However, the customer removed the cable to the cluster link since this was a single node deployment, which left the interface in an up/down state, which ultimately resulted in DNAC shutting down the VIP to the Enterprise port because the Cluster link was up/down.
Rather than removing the VIP on the Enterprise port, we chose to connect the cable back to the Cluster port to bring the interface back to an up/up state, which ultimately resulted in the VIP on the Enterprise port coming back up and everything working fine.
We chose option 2 since there is always the chance the customer could add nodes to the cluster, and I am pretty sure the cluster configs cannot be changed once the wizard has completed without blowing away the entire config and starting from scratch.
02-26-2019 08:45 PM
02-26-2019 10:41 PM
Hi,
I just restarted the console wizard with the maglev account and removed the virtual IP.
It completed without error.
I hope it helps.
++
C.
02-26-2019 10:59 PM
03-18-2019 05:43 PM
You may run "sudo maglev-config update" on the CLI and follow the wizard screens to update the VIP config.