IP name Servers

We recently had an issue where our primary ip name server's DNS stopped responding. However, the ISE node did not fail over to the secondary name servers, and this broke all users in the child domain that was no longer resolving. Is there a way to help ISE fail over to secondary name servers for DNS?

We waited for our server team to address the issue and then everything started working.

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IP name Servers

Hi Chris

The OS DNS resolver needs to see 'no response' before it will decide to fail over to your secondary.  So if you get a response from the primary, but some records are incorrect/missing, it's not smart enough to know it should fail over to the secondary.

Chris
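
The failover rule described in this answer, as an added example that is not part of the original post and is not ISE or Cisco code: a simplified Python model of a resolver that moves to the next name server only when it gets no response, plus a per-server check that exposes a primary which answers without the record. The server list, the host name `dc1.child.domain.com`, and the address are constructed sample data.

```python
# Constructed model of name-server failover as described in the answer above.
TIMEOUT = object()   # the server sent no reply at all
NXDOMAIN = None      # the server replied, but has no such record

# Constructed sample zones: host name -> address.
GOOD_ZONE = {"dc1.child.domain.com": "192.0.2.10"}
BROKEN_ZONE = {}     # server is up, but the child zone is missing

def query(server, name):
    """Return TIMEOUT, NXDOMAIN or an address for a single server."""
    if server["down"]:
        return TIMEOUT
    return server["zone"].get(name, NXDOMAIN)

def resolve(servers, name):
    """Try servers in order; move on only when a server does not respond."""
    for server in servers:
        reply = query(server, name)
        if reply is TIMEOUT:
            continue          # no response: fail over to the next server
        return reply          # any response, even a negative one, is final
    return TIMEOUT

def audit(servers, name):
    """Query every server directly; list those that respond without the record."""
    replies = {s["name"]: query(s, name) for s in servers}
    return sorted(n for n, r in replies.items() if r is NXDOMAIN)

def make_servers(primary_down, primary_zone):
    """Build a primary/secondary/tertiary list; only the primary varies."""
    return [
        {"name": "primary", "down": primary_down, "zone": primary_zone},
        {"name": "secondary", "down": False, "zone": GOOD_ZONE},
        {"name": "tertiary", "down": False, "zone": GOOD_ZONE},
    ]

if __name__ == "__main__":
    name = "dc1.child.domain.com"
    cases = [("primary down", make_servers(True, GOOD_ZONE)),
             ("primary misconfigured", make_servers(False, BROKEN_ZONE))]
    for label, servers in cases:
        found = resolve(servers, name)
        print(label, "-> resolved:", found, "| answering without record:", audit(servers, name))
```

In the model, a primary that is down still resolves through the secondary, while a primary that is up with a missing zone returns a negative answer that ends the lookup; only the per-server check shows that the secondary and tertiary hold the correct record.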


5 REPLIES
Cisco Employee

Re: IP name Servers

ISE should have failed over if there were no DNS response. On what version of ISE did you see the behavior? Also, was the primary DNS server truly down, as in not responding to DNS requests, or is it possible the DNS server was still responding, but without a proper response?

Beginner

Re: IP name Servers

According to our Systems guys, the DNS zone file was not set up correctly on the primary DNS name server for the node.

I was able to traceroute from the node to the domain controller and ping the domain controller, but the DNS was failing for the child.domain.com.

This was the message that I received from the primary name server:

DNS request timed out.

    timeout was 2 seconds.

DNS request timed out.

    timeout was 2 seconds.

The secondary and tertiary DNS name servers were set up correctly and provided the correct IP address for the child.domain.com.

In the Active Directory Diagnostic Tool it was unable to locate the domain controller for the child domain in question and all tests failed. Once our system team updated the primary DNS server for the node, everything started working again.

Very weird behavior indeed.

ISE 2.0.306 patch 3

Contributor

Re: IP name Servers

There is a difference between the DNS server being misconfigured and the DNS server being down. If the server was up but misconfigured, it is very likely the secondary server would not be used.

George

Beginner

Re: IP name Servers

Hi Chris,

Thank you, that does make sense of how the fail-over works.

Chris