ISE 2.6 alarm "Queue Link Error"

merylmohan
Level 1

Hi ,

 

ISE 2.6 gives the alarm "Queue Link Error"

 

Description says : 

"Please check and restore connectivity between the nodes. Ensure that the nodes are up and running. Ensure that ISE Messaging Service ports are not blocked by firewall. Please note that these alarms could occur between nodes, when the nodes are being registered to deployment or manually-synced from PPAN or when the nodes are in out-of-sync state or when the nodes are getting restarted"
 

All nodes are up and completely synced and have been up and running for more than 2 months. We have not restarted or resynced any of the nodes recently.

 

Any ideas why we see this error?

2 Accepted Solutions


hslai
Cisco Employee

It seems you have already engaged Cisco TAC support. If so, please continue working with the support that way.

I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528


Hi @ferenc.vissers ,

 

Please check if the CA service is running. Sample output from my lab:

 

ise101/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2427
Database Server                        running          106 PROCESSES
Application Server                     running          50634
Profiler Database                      running          4738
ISE Indexing Engine                    running          52494
AD Connector                           running          13555
M&T Session Database                   running          4547
M&T Log Processor                      running          9849
Certificate Authority Service          running          13302

 

You can also go to Certificates -> Certificate Authority -> Internal CA settings and check if it shows running.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.


51 Replies

Hi guys,

 

We have same problem - version 2.6.0.156, Patch2 - not service impacting but customer has access to ISE portal + also getting the emails from ISE with the alert.

****************************************************

Alarm Name :

Queue Link Error

 

Details :

Queue Link Error: Message=From ISE2 To ISE1; Cause={tls_alert;"unknown Ca"}

 

Description :

The queue link between two nodes in the ISE deployment is down.

****************************************************

Both nodes are up and in sync, certs present.

 

Is there a known fix?

 

Regards

Hi Lulian,

 

Recently I found this issue due to additional certificates issued (customer changed the name of some nodes). I deleted the extra certificates and everything seems to work now. Take a look of the CA certificates.


@hslai wrote:

It seems you already engage Cisco TAC support. If so, please continue working with the support that way.

I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528


The issue is NOT resolved. The bug ID stated that the issue is resolved in version 2.6 patch 2. Guess what, I am getting the same message and I am running version 2.6 patch 2:

 

Queue Link Error: Message=From ise1.webcast.com To ise2.webcast.com; Cause={tls_alert;"unknown Ca"}
 


@cciesec2011 wrote:

@hslai wrote:

It seems you already engage Cisco TAC support. If so, please continue working with the support that way.

I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528


The issue is NOT resolved. The bug ID stated that the issue is resolved in version 2.6 patch 2. Guess what, I am getting the same message and I am running version 2.6 patch 2:

 

Queue Link Error: Message=From ise1.webcast.com To ise2.webcast.com; Cause={tls_alert;"unknown Ca"}
 

You will need to escalate through TAC and make them aware. This forum is not for troubleshooting. For more information on getting help from the community, please visit https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

 

Hi,

 

When a new installation of an ISE 2.6 is made and patch 2 is installed, which should fix the bug, in my case the bug appears again.
The described workaround also contains a wrong statement. There is no usage "ISE Root CA". If usage "Admin" is selected, which is most likely the case, the bug persists.

 

Is there another workaround or deadline for patch 3 that will hopefully resolve this? I'm also waiting for Patch 3 to fix the delivery of the certificate chain (similar to ISE 2.4 Patch 10: CSCvp75207).

 

Regards

We are hoping in November to have patch 3 but cannot confirm timeline as subject to change. If critical please out through TAC and explain situation

Thanks for the quick answer. Curious was also the content in the internal CA. Here was the ISE Root CA, Sub CA, Endpoint CA, ... listed several times.

 

We decided to uninstall patch 2, then install patch 1 and then patch 2 again. Currently the bug has disappeared. Hopefully also permanently.

 

Regards

Update to my post.

 

The solution was not permanent. We will do a rollback of patch 2 and maybe go to patch 1 and hope that this works. With rollback to ISE 2.6 without patch and reinstallation of patch 1 and 2 it lasts only one day without error.

 

Installation steps performed:

1. Set up 2x ISE 2.6 VMs with ISO "ise-2.6.0.156.SPA.x86_64.iso 18-Feb-2019"
2. Configuring the ISE environment with importing a backup of previous installation and making customizations
3. Sign CSR for Admin and EAP usage with internal PKI for ISE01 and ISE02
4. Apply Patch 2 "ise-patchbundle-2.6.0.156-Patch2-19072502.SPA.x86_64.tar.gz 26-Jul-2019" (updated post: Patch 2 was installed before the node registration)
5. Register (by the way successfully with no error) Node ISE02 to Admin Node ISE01
6. "Queue Link Error" after a few hours.

 

Regards

Great, thank you. Please work with TAC.

Patch 3 installed, no luck here.

Not a guarantee, but I had this bug after a fresh install with Patch 3.

 

Here is what fixed mine. The bug workaround is not the best description, but below is more detailed.

 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred

 

Go to Certificates > Certificate Signing Request

Change the drop down from Multi-Use to ISE Root CA

This will change the form to just a button to replace the ISE Root CA chain. This did not cause a reboot.

 

This fixed the queue link error, live logs, and node status.
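
What the `tls_alert;"unknown Ca"` cause reported in this thread means at the TLS level, as an added example that is not from any poster or from Cisco: a node certificate is rejected when the verifying side trusts a different root than the one that signed it, even if both roots carry the same name. The CA name, the node name `ise2.example.test` and the use of `openssl` are assumptions for illustration; this does not reproduce ISE's internal messaging setup.

```bash
# Constructed demo: two roots with an identical subject but different keys,
# standing in for a stale and a regenerated internal root CA.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca <name>: self-signed root with a fixed subject, fresh key each call.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_leaf <ca> <node>: node certificate signed by the given root.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 2 \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -CAcreateserial \
    -out "$work/$2.pem" 2>/dev/null
}

# chain_result <trusted-root> <node>: prints "trusted" or "unknown ca",
# depending on whether the node certificate chains to that root.
chain_result() {
  if openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
  then echo "trusted"; else echo "unknown ca"; fi
}

make_ca root_old                         # root the peer still has in its trust store
make_ca root_new                         # regenerated root, same name, new key
issue_leaf root_new ise2.example.test    # node certificate issued after regeneration

echo "peer trusts regenerated root: $(chain_result root_new ise2.example.test)"
echo "peer trusts stale root only:  $(chain_result root_old ise2.example.test)"
```

The same `openssl verify -CAfile` check can be run against certificates exported from a real deployment to see whether a node's certificate actually chains to the root its peer trusts.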

Hi,

 

Thnx, but what if there is no option 'ISE Root CA'?

ISE.jpg

 

The solution proposed by @Dustin Anderson worked for me too.

 

To replace the ISE Internal CA cert, you need to create a signing request (yeah it's a bit weird to create a request that is fulfilled by the requester ...)

 

self-signed.png
