Buy or Renew
Buy or Renew
Cisco DNA Center is now Catalyst Center. New name, same great product. Learn more about Catalyst Center here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2866
Views
10
Helpful
8
Replies

DNA 1.2.6 - Link ISE - Virtual IP

Go to solution
Ceds
Level 1
Level 1

‎11-11-2018 12:46 PM - edited ‎03-08-2019 05:28 PM

Hi,

 

After some testing in lab with our new DNA I have reinstalled it from scratch using ISO provided by TAC to start using it in production. It's clean and fully updated (1.2.6).

 

Now, I try to link it with ISE, also freshly installed (2.3.0.298 patch 5)

 

But link fails with error message "Error establishing trust with ISE: Expected failure phrase received: Trust establishment Operation Failed. Check ISE node role or whether remote server 10.216.17.64 is reachable"

 

10.216.17.64 is the Virtual IP, 10.216.17.65 is the node IP. But I cannot connect on the DNA controller using the VIP, neither ISE. Yet DNAC is sending that IP. This is a standalone setup.

 

How can I either bring up the VIP or force the use of the node IP rather than VIP?

 

Thanks for your help.

 

Cedric

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tomas de Leon
Cisco Employee
Cisco Employee

‎11-11-2018 03:10 PM

Note: You can use symbolic IPs for my question but I need to understand your setup.

 

How many NICs are configured on your ISE?  

What are there IPs on eth0 & eth1 (if used)? 

Which IP do you use for accessing the ISE UI?

 

For the DNAC, How many Network Interfaces did you configure?

What are the IP addresses for enp10s0, enp1s0f0, enp1s0f1, and enp9s0?   Which interface is the Clusterlink?

You typically have 2 or 3 interfaces for the DNAC which would require 3 VIPs with the latest release?

If you are only using a single NIC, you do not have to configure a VIP.  If you plan to grow this into a 3 node cluster then you would want to configure this DNAC as the primary node in the cluster.  So you would most likely configure 3 NICs with 3 VIPs.

 

You can refer to my IP Address Planning worksheet for more details:

Technote of the Day (TOTD) - DNAC IP Address Planning Worksheet
https://community.cisco.com/t5/network-architecture-documents/totd-dnac-ip-address-planning-worksheet/ta-p/3695458

 

Regards

 

T.

 

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Tomas de Leon
Cisco Employee
Cisco Employee

‎11-11-2018 03:10 PM

Note: You can use symbolic IPs for my question but I need to understand your setup.

 

How many NICs are configured on your ISE?  

What are there IPs on eth0 & eth1 (if used)? 

Which IP do you use for accessing the ISE UI?

 

For the DNAC, How many Network Interfaces did you configure?

What are the IP addresses for enp10s0, enp1s0f0, enp1s0f1, and enp9s0?   Which interface is the Clusterlink?

You typically have 2 or 3 interfaces for the DNAC which would require 3 VIPs with the latest release?

If you are only using a single NIC, you do not have to configure a VIP.  If you plan to grow this into a 3 node cluster then you would want to configure this DNAC as the primary node in the cluster.  So you would most likely configure 3 NICs with 3 VIPs.

 

You can refer to my IP Address Planning worksheet for more details:

Technote of the Day (TOTD) - DNAC IP Address Planning Worksheet
https://community.cisco.com/t5/network-architecture-documents/totd-dnac-ip-address-planning-worksheet/ta-p/3695458

 

Regards

 

T.

 

 

0 Helpful

Go to solution
Ceds
Level 1
Level 1
In response to Tomas de Leon

‎11-11-2018 11:04 PM

Hi Tomas,

 

Thanks! That sentence made my day:

@Tomas de Leon wrote:

 

...

If you are only using a single NIC, you do not have to configure a VIP.

...

I don't know where it came from but I was persuaded that I had to provide VIP addresses for every configured interface, even if I was not planning to cluster the solution. So I was always filling those addresses in the wizard.

 

Apparently, if a VIP is configured for the enterprise NIC it is communicated to the ISE server even if the VIP is down.

Once I removed the VIPs the address sent to ISE was the node address and the config went smoothly.

 

I should have asked earlier :-p

 

I had already seen your TOTD and it was helpful in preparing the addressing schema.

 

Thanks again,

 

Cédric

 

 

 

Go to solution
NathanNielsen2282
Level 1
Level 1

‎02-13-2019 10:41 AM - edited ‎02-14-2019 08:40 AM

One of our engineers just ran into the same situation, but went about fixing it a different way.  Even though this was a single node deployment (for now) VIPs were used for both the Cluster and the Enterprise links since the documentation states this is a requirement starting with 1.2.6.  However, the customer removed the cable to the cluster link since this was a single node deployment, which left the interface in an up/down state, which ultimately resulted in DNAC shutting down the VIP to the Enterprise port because the Cluster link was up/down.

 

 

Rather than removing the VIP on the Enterprise port, we chose to connect the cable back to the Cluster port to bring the interface back to an up/up state, which ultimately resulted in the VIP on the Enterprise port coming back up and everything working fine.

 

 

We chose option 2 since there is always the chance the customer could add nodes to the cluster, and I am pretty sure the cluster configs cannot be changed once the wizard has completed without blowing away the entire config and starting from scratch.  

0 Helpful

Go to solution
ah_xsmunic
Level 1
Level 1

‎02-26-2019 08:45 PM

Hi Cedric,

Can you share how to remove the virtual ip address?

Thanks,
Ardi
0 Helpful

Go to solution
Ceds
Level 1
Level 1
In response to ah_xsmunic

‎02-26-2019 10:41 PM

Hi,

I just restarted the console wizard with the maglev account and removed the virtual IP.

It completed without error.

 

I hope it helps.

 

++

C.

0 Helpful

Go to solution
ah_xsmunic
Level 1
Level 1
In response to Ceds

‎02-26-2019 10:59 PM

Hi Cedric,

Thanks for the reply. Previously I tried to use the Maglev config wizard using SSH but it returns error. Tried again using direct console to the DNAC server and the wizard completed successfully.

Thanks,
Ardi
0 Helpful

Go to solution
zozo22
Level 1
Level 1
In response to ah_xsmunic

‎03-12-2019 12:37 PM

Once I removed the VIPs the address sent to ISE was the node address and the config went smoothly.   https://audacity.onl/ https://findmyiphone.onl/ https://origin.onl/

 

I should have asked earlier :-p

0 Helpful

Go to solution
venkr@cisco.com
Cisco Employee
Cisco Employee
In response to ah_xsmunic

‎03-18-2019 05:43 PM

you may run "sudo maglev-config update" on the CLI and follow the wizard screens to update the vIP config.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents