Buy or Renew
Buy or Renew
Cisco DNA Center is now Catalyst Center. New name, same great product. Learn more about Catalyst Center here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2016
Views
11
Helpful
3
Replies

DNA Externally Connected Systems: ISE Secondary in "Unavailable" state?

matty-boy
Level 1
Level 1

‎04-30-2020 07:44 AM

Hi,

I'm setting up DNA for a customer. Integrating ISE appeared to work fine and to begin with, everything looked perfect. But less than an hour later, the secondary ISE server is showing as "Unavailable" in the System 360 view:

 

dna-ise.png

 

Settings -> Authentication and Policy Servers looks fine, Status:ACTIVE

 

From DNAC, I can ping both ISE servers by IP and FQDN and I can telnet to ports 22, 80 and 443.

 

One thing to note: Primary ISE is on same site as DNA - definitely no firewalls in the path. Secondary ISE is on another site so there could be a firewall that is filtering traffic.

 

So, to my first question: Is there a list of all the ports that should be allowed between DNAC and ISE?

 

My second question: Can you think of any other reasons why the secondary ISE might be showing as unavailable if ports are not being filtered on the path?

 

Note: I would normally just raise a TAC case but there are contract issues at the moment so I can't.

 

Many thanks in advance,

Matt.

Labels:
0 Helpful
3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-30-2020 07:58 AM

So, to my first question: Is there a list of all the ports that should be allowed between DNAC and ISE?
-See here for the ports: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

My second question: Can you think of any other reasons why the secondary ISE might be showing as unavailable if ports are not being filtered on the path?
-Try logging into cli on ise 2 node, and run a #Show application status ise. Are the following processes running?:
pxGrid Infrastructure Service running 17444
pxGrid Publisher Subscriber Service running 17758
pxGrid Connection Manager running 17654
pxGrid Controller running 17812
In the ISE gui under Administration->pxGrid Services do you see towards the bottom something like this:
Connected via XMPP <ISE Node 1> (standby: <ISE Node 2>)
If services are down please confirm that pxgrid service is enabled on ISE node 2 via: Administration->System->Deployment-><ISE node>->General Settings.

If the ISE side looks good I would definitely look into the network path/ports. Good luck & HTH!

matty-boy
Level 1
Level 1
In response to Mike.Cifelli

‎04-30-2020 08:04 AM

Hi Mike,

Thank you for the link, that's exactly what I was after! I had already found that I can't telnet from DNAC to ISE02 on tcp/9060 for ERS so that's definitely one issue. But your link shows there are other ports required from DNAC to ISE too, namely 5222 and 8910 which are also being blocked so I'll get whoever manages the FW to make the required changes.

I'll reply again if when it's all sorted.

Cheers,

Matt.

0 Helpful

matty-boy
Level 1
Level 1
In response to matty-boy

‎05-04-2020 11:57 AM

Update: I was being an idiot. In ISE, I hadn't selected the checkbox for: “Enable ERS for Read for all other nodes”.

 

(ISE > Admin > System > Settings > ERS)

 

D'OH!

 

Cheers,

Matt.

Customers Also Viewed These Support Documents