04-30-2020 07:44 AM
Hi,
I'm setting up DNA for a customer. Integrating ISE appeared to work fine and to begin with, everything looked perfect. But less than an hour later, the secondary ISE server is showing as "Unavailable" in the System 360 view:
Settings -> Authentication and Policy Servers looks fine, Status:ACTIVE
From DNAC, I can ping both ISE servers by IP and FQDN and I can telnet to ports 22, 80 and 443.
One thing to note: Primary ISE is on same site as DNA - definitely no firewalls in the path. Secondary ISE is on another site so there could be a firewall that is filtering traffic.
So, to my first question: Is there a list of all the ports that should be allowed between DNAC and ISE?
My second question: Can you think of any other reasons why the secondary ISE might be showing as unavailable if ports are not being filtered on the path?
Note: I would normally just raise a TAC case but there are contract issues at the moment so I can't.
Many thanks in advance,
Matt.
04-30-2020 07:58 AM
04-30-2020 08:04 AM
Hi Mike,
Thank you for the link, that's exactly what I was after! I had already found that I can't telnet from DNAC to ISE02 on tcp/9060 for ERS so that's definitely one issue. But your link shows there are other ports required from DNAC to ISE too, namely 5222 and 8910 which are also being blocked so I'll get whoever manages the FW to make the required changes.
I'll reply again when it's all sorted.
Cheers,
Matt.
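An added example, not posted in the thread, that automates the telnet-style reachability checks Matt describes: it probes each ISE node from the DNAC side on the ports the thread names (22, 80, 443, 9060 for ERS, and 5222 and 8910 from the linked port requirements) and reports which are blocked. The hostnames in the usage line are placeholders.

```python
"""Added example (not from the thread): probe the TCP ports listed in the
thread between a DNA Center appliance and each ISE node, and report which
ones are blocked or unreachable."""
import socket

# Ports named in the thread: 22/80/443 (Matt's telnet checks), 9060 (ERS),
# 5222 and 8910 (from the DNAC-to-ISE port requirements Mike linked).
DNAC_TO_ISE_PORTS = {
    22: "SSH",
    80: "HTTP",
    443: "HTTPS",
    9060: "ERS",
    5222: "listed in the linked DNAC-to-ISE port requirements",
    8910: "listed in the linked DNAC-to-ISE port requirements",
}


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.
    False covers refused, filtered (timed out) and unresolvable hosts alike."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_node(host: str, ports=DNAC_TO_ISE_PORTS, timeout: float = 3.0) -> dict:
    """Probe every required port on one ISE node; returns {port: reachable}."""
    return {port: check_port(host, port, timeout) for port in ports}


def blocked_ports(results: dict) -> list:
    """Sorted list of ports that failed the probe, from probe_node() output."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys
    # Usage (placeholder hostnames): python probe_ise.py ise01.example.net ise02.example.net
    for node in sys.argv[1:]:
        missing = blocked_ports(probe_node(node))
        if missing:
            print(f"{node}: blocked or unreachable -> {missing}")
        else:
            print(f"{node}: all required ports reachable")
```

A successful TCP connect only shows the firewall path is open; as the final post in the thread shows, ISE can still report the node as unavailable when ERS is not enabled for the other nodes, so an open 9060 does not by itself clear the "Unavailable" status.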
05-04-2020 11:57 AM
Update: I was being an idiot. In ISE, I hadn't selected the checkbox for: “Enable ERS for Read for all other nodes”.
(ISE > Admin > System > Settings > ERS)
D'OH!
Cheers,
Matt.