cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2616
Views
5
Helpful
23
Replies
Highlighted
Beginner

ISE 2.6 alarm "Queue Link Error"

Hi ,

 

ISE 2.6 gives the alarm "Queue Link Error"

 

Description says : 

"Please check and restore connectivity between the nodes. Ensure that the nodes are up and running. Ensure that ISE Messaging Service ports are not blocked by firewall. Please note that these alarms could occur between nodes, when the nodes are being registered to deployment or manually-synced from PPAN or when the nodes are in out-of-sync state or when the nodes are getting restarted"
 

All nodes are Up and Completely synced and has been up and running for more than 2 months. We have not restarted or resynced any of the nodes recently

 

Any ideas why we see this error?

Everyone's tags (5)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: ISE 2.6 alarm "Queue Link Error"

It seems you already engage Cisco TAC support. If so, please continue working with the support that way.

I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528

View solution in original post

Cisco Employee

Re: ISE 2.6 alarm "Queue Link Error"

Hi @ferenc.vissers ,

 

Please check if the CA service is running. Sample output from my lab:

 

ise101/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 2427
Database Server running 106 PROCESSES
Application Server running 50634
Profiler Database running 4738
ISE Indexing Engine running 52494
AD Connector running 13555
M&T Session Database running 4547
M&T Log Processor running 9849
Certificate Authority Service running 13302

 

You can also go to Certificates -> Certificate Authority -> Internal CA settings and check if it shows running.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

View solution in original post

23 REPLIES 23
Cisco Employee

Re: ISE 2.6 alarm "Queue Link Error"

It seems you already engage Cisco TAC support. If so, please continue working with the support that way.

I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528

View solution in original post

Beginner

Re: ISE 2.6 alarm "Queue Link Error"

Hi guys,

 

We have same problem - version 2.6.0.156, Patch2 - not service impacting but customer has access to ISE portal + also getting the emails from ISE with the alert.

****************************************************

Alarm Name :

Queue Link Error

 

Details :

Queue Link Error: Message=From ISE2 To ISE1; Cause={tls_alert;"unknown Ca"}

 

Description :

The queue link between two nodes in the ISE deployment is down.

****************************************************

Both nodes are up and in sync, certs present.

 

Is there a known fix?

 

Regards

Participant

Re: ISE 2.6 alarm "Queue Link Error"


@hslai wrote:

It seems you already engage Cisco TAC support. If so, please continue working with the support that way.

I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528


The issue is NOT resolved.  the bug ID stated that the issue is resolved in version 2.6 patch 2.  Guess what, I am getting the same message and I am running version 2.6 patch 2:

 

Queue Link Error: Message=From ise1.webcast.com To ise2.webcast.com; Cause={tls_alert;"unknown Ca"}
 
Cisco Employee

Re: ISE 2.6 alarm "Queue Link Error"


@cciesec2011 wrote:

@hslai wrote:

It seems you already engage Cisco TAC support. If so, please continue working with the support that way.

I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528


The issue is NOT resolved.  the bug ID stated that the issue is resolved in version 2.6 patch 2.  Guess what, I am getting the same message and I am running version 2.6 patch 2:

 

Queue Link Error: Message=From ise1.webcast.com To ise2.webcast.com; Cause={tls_alert;"unknown Ca"}
 

You will need to escalate through TAC and make them aware. this forum is not for troubleshooting. For more information on getting help from the community, please visit https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

 

Beginner

Re: ISE 2.6 alarm "Queue Link Error"

Hi,

 

when a new installation of an ISE 2.6 is made and patch 2 is installed, which should fixe the bug, in my case the bug appears again.
The described workaround also contains a wrong statement. There is no usage "ISE Root CA". If usage "Admin" is selected, which is most likely the case, the bug persists.

 

Is there another workaround or deadline for patch 3 that will hopefully resolve this? I'm also waiting for Patch 3 to fix the delivery of the certificate chain (similar to ISE 2.4 Patch 10: CSCvp75207).

 

Regards

Cisco Employee

Re: ISE 2.6 alarm "Queue Link Error"

We are hoping in November to have patch 3 but cannot confirm timeline as subject to change. If critical please out through TAC and explain situation
Beginner

Re: ISE 2.6 alarm "Queue Link Error"

Thanks for the quick answer. Curious was also the content in the internal CA. Here was the ISE Root CA, Sub CA, Endpoint CA, ... listed several times.

 

We decided to uninstalled patch 2, then install patch 1 and then patch 2, again. Currently the bug has disappeared. Hopefully also permanently.

 

Regards

Beginner

Re: ISE 2.6 alarm "Queue Link Error"

Update to my post.

 

the solution was not permanent. We will do a rollback of patch 2 and maybe go to patch 1 and hope that this works. With rollback to ISE 2.6 without patch and reinstallation of patch 1 and 2 it lasts only one day without error.

 

Installation steps performed:

1. Setup 2x ISE 2.6 VMS with ISO "ise-2.6.0.156.SPA.x86_64.iso 18-Feb-2019"
2. Configuring the ISE environment with importing a backup of previous installation and making customizations

3. Sign CSR for Admin and EAP usage with internal PKI for ISE01 and ISE02

4. Apply Patch 2 "ise-patchbundle-2.6.0.156-Patch2-19072502.SPA.x86_64.tar.gz 26-Jul-2019" (updated Post. Patch 2 was installed before the node registration)

5. Register (by the way successfully with no error) Node ISE02 do Admin Node ISE01
6. "Queue Link Error" after a few hours.

 

Regards

Cisco Employee

Re: ISE 2.6 alarm "Queue Link Error"

great thank you, please work with TAC
Beginner

Re: ISE 2.6 alarm "Queue Link Error"

Patch 3 installed, no luck here.

Contributor

Re: ISE 2.6 alarm "Queue Link Error"

Not a guarantee, but I had this bug after a fresh install with Patch 3.

 

Here is what fixed mine. The bug workaround is not the best description, but below is more detailed.

 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred

 

Go to Certificates > Certificate Signing Request

Change the drop down from Multi-Use to ISE Root CA

This will change the form to just a button to replace the ISE Root CA chain. This did not cause a reboot.

 

This fixed the queue link error, live logs, and node status.

Beginner

Re: ISE 2.6 alarm "Queue Link Error"

Hi,

 

Thnx, but what if there is no option 'ISE Root CA'?

ISE.jpg

 

VIP Advocate

Re: ISE 2.6 alarm "Queue Link Error"

The solution proposed by @Dustin Anderson worked for me too.

 

To replace the ISE Internal CA cert, you need to create a signing request (yeah it's a bit weird to create a request that is fulfilled by the requester ...)

 

self-signed.png

Beginner

Re: ISE 2.6 alarm "Queue Link Error"

Hi,

 

Am I missing something?

 

ISE.png