Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2223
Views
0
Helpful
3
Replies

After upgrade to 2.6 CA process not starting

Go to solution
ksastoqu
Cisco Employee
Cisco Employee

‎08-01-2019 07:13 AM

After upgrading to v2.6 on primary node, Certificate Authority Service is running well. While on secondary node, Certificate Authority Service cannot initiate.

 

In v2.4, Certificate Authority Service  was running well on both nodes.

 

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2608
Database Server                        running          119 PROCESSES
Application Server                     running          11194
Profiler Database                      running          5251
ISE Indexing Engine                    running          13422
AD Connector                           running          19174
M&T Session Database                   running          5013
M&T Log Processor                      running          11417
Certificate Authority Service          initializing
EST Service                            not running
SXP Engine Service                     disabled
Docker Daemon                          running          6395
TC-NAC Service                         disabled

We have tried restarting the application many times (stop/start), but same result.

 

We tried this 

 https://community.cisco.com/t5/identity-services-engine-ise/error-message-quot-est-service-not-running-quot-since-upgrade-to/td-p/3484698

But customer does not have Plus License to generate CSR. (EST service is also not running).

 

 

 

 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-06-2019 10:32 AM

Please try recreating and engaging our ISE ESC team, if needed. CSCvj11319 is not a known issue for ISE 2.6.

ISE Plus licenses are not required to run ISE CA services, as to support session exchanges via pxGrid for Cisco subscribers.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-06-2019 10:32 AM

Please try recreating and engaging our ISE ESC team, if needed. CSCvj11319 is not a known issue for ISE 2.6.

ISE Plus licenses are not required to run ISE CA services, as to support session exchanges via pxGrid for Cisco subscribers.

0 Helpful

Go to solution
dave.devries
Level 1
Level 1
In response to hslai

‎12-20-2019 09:54 AM

Actually, Plus license is required for internal CA between two ISE nodes.  Unfortunately, that does not solve this problem.

0 Helpful

Go to solution
mattvoon91
Level 1
Level 1
In response to hslai

‎03-26-2020 03:27 AM

So regenerating the ISE root cert will solve the issue? 

Will regenereating the cert impact the registration of the 2 ISE node?

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents