DNA Externally Connected Systems: ISE Secondary in "Unavailable" state?
I'm setting up DNA for a customer. Integrating ISE appeared to work fine and to begin with, everything looked perfect. But less than an hour later, the secondary ISE server is showing as "Unavailable" in the System 360 view:
Settings -> Authentication and Policy Servers looks fine, Status:ACTIVE
From DNAC, I can ping both ISE servers by IP and FQDN and I can telnet to ports 22, 80 and 443.
One thing to note: Primary ISE is on the same site as DNA - definitely no firewalls in the path. Secondary ISE is on another site, so there could be a firewall that is filtering traffic.
So, to my first question: Is there a list of all the ports that should be allowed between DNAC and ISE?
My second question: Can you think of any other reasons why the secondary ISE might be showing as unavailable if ports are not being filtered on the path?
Note: I would normally just raise a TAC case but there are contract issues at the moment so I can't.
My second question: Can you think of any other reasons why the secondary ISE might be showing as unavailable if ports are not being filtered on the path?

- Try logging into the CLI on ISE node 2 and run: #show application status ise
Are the following processes running?
pxGrid Infrastructure Service          running    17444
pxGrid Publisher Subscriber Service    running    17758
pxGrid Connection Manager              running    17654
pxGrid Controller                      running    17812
In the ISE GUI under Administration -> pxGrid Services, do you see towards the bottom something like this:
Connected via XMPP <ISE Node 1> (standby: <ISE Node 2>)
If services are down, please confirm that the pxGrid service is enabled on ISE node 2 via: Administration -> System -> Deployment -> <ISE node> -> General Settings.
If the ISE side looks good I would definitely look into the network path/ports. Good luck & HTH!
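The process check in the reply above, scripted: this is an added example (not code from the thread or from Cisco) that reads saved `show application status ise` output and flags any of the four pxGrid processes that is missing or not in the "running" state. The sample output is constructed here in the name / state / PID column layout quoted in the reply; real ISE output may carry extra columns or different spacing, so the regex is deliberately tolerant of column width.

```python
"""Flag pxGrid processes that are not running in saved `show application status ise` output."""
import re
from typing import Dict, List

# The four pxGrid processes the reply above asks about.
PXGRID_PROCESSES = [
    "pxGrid Infrastructure Service",
    "pxGrid Publisher Subscriber Service",
    "pxGrid Connection Manager",
    "pxGrid Controller",
]

# Constructed sample output (not captured from a real node), laid out like the
# process / state / PID lines quoted in the thread. The Controller line is set to
# "not running" on purpose so the check has something to report.
SAMPLE_STATUS = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          1234
pxGrid Infrastructure Service          running          17444
pxGrid Publisher Subscriber Service    running          17758
pxGrid Connection Manager              running          17654
pxGrid Controller                      not running
"""

# name, then at least two spaces, then a word-only state, then an optional PID.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s{2,}(?P<state>[A-Za-z][A-Za-z ]*?)(?:\s+(?P<pid>\d+))?\s*$"
)


def parse_status(output: str) -> Dict[str, str]:
    """Map each listed process name to its state string (e.g. 'running')."""
    states: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            states[m.group("name")] = m.group("state").strip()
    return states


def pxgrid_problems(output: str) -> List[str]:
    """Return one finding per pxGrid process that is absent or not running."""
    states = parse_status(output)
    problems: List[str] = []
    for proc in PXGRID_PROCESSES:
        state = states.get(proc)
        if state is None:
            # Not listed at all: pxGrid is probably not enabled on this node
            # (Administration -> System -> Deployment -> node -> General Settings).
            problems.append(f"{proc}: not listed (pxGrid may not be enabled on this node)")
        elif state != "running":
            problems.append(f"{proc}: {state}")
    return problems


if __name__ == "__main__":
    findings = pxgrid_problems(SAMPLE_STATUS)
    print("\n".join(findings) if findings else "all pxGrid processes running")
```

Paste the real CLI output into `SAMPLE_STATUS` (or read it from a file) to run the same check against a node; an empty result means the pxGrid side of the reply's checklist is satisfied and the network path is the next thing to look at.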
Thank you for the link, that's exactly what I was after! I had already found that I can't telnet from DNAC to ISE02 on tcp/9060 for ERS so that's definitely one issue. But your link shows there are other ports required from DNAC to ISE too, namely 5222 and 8910 which are also being blocked so I'll get whoever manages the FW to make the required changes.
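The manual telnet tests described in this thread, turned into a repeatable reachability audit: an added example (not code from the thread or from Cisco) that attempts a TCP connection from the host it runs on to each ISE node on the ports the thread names (22, 80, 443, 9060, 5222, 8910) and reports which ones do not answer. The port-to-service labels are assumptions for readability, not a list from Cisco documentation, and the set is only what this thread mentions, not the complete DNAC-to-ISE port list.

```python
"""Report which of the DNAC-to-ISE TCP ports named in the thread are unreachable per ISE node."""
import socket
import sys
from typing import Callable, Dict, List

# Ports mentioned in this thread between DNAC and ISE. The labels are assumed for
# readability; check the DNAC/ISE port documentation for the authoritative list.
DNAC_TO_ISE_PORTS = {
    22: "SSH",
    80: "HTTP",
    443: "HTTPS",
    5222: "pxGrid XMPP",
    8910: "pxGrid",
    9060: "ERS API",
}

Probe = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    Any failure (refused, timed out, unresolvable name) counts as unreachable,
    which is the same signal the manual telnet test gives."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_node(host: str, probe: Probe = tcp_connect) -> Dict[int, bool]:
    """Probe every required port on one node; maps port -> reachable."""
    return {port: probe(host, port) for port in DNAC_TO_ISE_PORTS}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    return sorted(port for port, reachable in results.items() if not reachable)


def audit(nodes: List[str], probe: Probe = tcp_connect) -> Dict[str, List[int]]:
    """Map each node to the sorted list of required ports that did not answer."""
    return {node: blocked_ports(check_node(node, probe)) for node in nodes}


def format_report(findings: Dict[str, List[int]]) -> str:
    lines = []
    for node, blocked in findings.items():
        if not blocked:
            lines.append(f"{node}: all {len(DNAC_TO_ISE_PORTS)} ports reachable")
        else:
            desc = ", ".join(f"tcp/{p} ({DNAC_TO_ISE_PORTS[p]})" for p in blocked)
            lines.append(f"{node}: BLOCKED {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python ise_ports.py <ise-node> [<ise-node> ...]")
    print(format_report(audit(sys.argv[1:])))
```

Run it from the DNAC side (or any host on the same segment) with both ISE node FQDNs as arguments; the `probe` parameter exists so the logic can be exercised without a network, which is how the test below drives it. A node that reports blocked pxGrid or ERS ports while 443 is fine matches the symptom in this thread: the server list shows ACTIVE, but the System 360 integration health goes to Unavailable.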