11-06-2018 10:18 AM
I am trying to cluster two ISE Nodes for primary and secondary.
I am not sure if the issues are related to the fact that each node has a different FQDN, as in they don't have the same suffix. One is domainA.com and the other is domainB.com. I am not sure that's an issue since we have a cross-forest trust. The primary is joined to the domain, the secondary is not. I have exported the self-signed cert from the secondary and imported it into the primary. The sync is unsuccessful. Do I need to join the secondary to the domain join point before registering the secondary node?
11-14-2018 08:25 AM
Engaged TAC and it was an issue with my ISE version; bringing it up to the latest Patch 10 fixed the issue.
11-06-2018 11:50 AM
Hey there,
Joining two ISE nodes in a cluster has nothing to do with AD membership. Let's call the primary node N1, and the secondary node N2.
When you register a node to N1, you are asked to accept N2's public cert (admin role) and supply the admin credentials of N2. N2 is then added to the deployment after restarting automatically.
This can be done without any external identity source whatsoever. This of course assumes you don't have the relevant ports blocked between the two nodes, that you know the credentials of N2, and that if you previously joined a server with N2's FQDN to the deployment that you delete its cert from the Trust store of N1 so that it can accept the new cert with the same FQDN.
11-06-2018 12:36 PM
As noted in the previous comment. What I can add is: give us any specific output, like what are you seeing exactly. The AD has nothing to do with their sync; if they have a trusted certificate for both and both of them can resolve each other, then things should be fine.
11-06-2018 12:39 PM
So I need to export and import the self-signed cert on each for each?
11-06-2018 12:41 PM
Export it as public key, alright? Like only export the certificate and import it into the trusted certificate store.
Then proceed with joining them.
Now make sure from the CLI to test the DNS resolution and connectivity.
Let me know how it goes.
11-06-2018 12:45 PM
I only exported the cert from Node 2 and imported it into Node 1's trusted store.
Do I need to export out of Node 1 and import into Node 2?
11-06-2018 12:46 PM
Exactly, mutual authentication, that's what will happen.
11-06-2018 02:11 PM
I've never had to do the import and export between the two manually. You simply register N2 to N1 from the "Deployment" menu, are asked to accept N2's public certificate, provide N2's FQDN and admin credentials, and pick N2's persona as you see fit.
The chapter "Register a Secondary Cisco ISE Node" in the following link explains this perfectly:
Just keep in mind that it'll take anywhere from 20 minutes to half an hour until N2 fully syncs up, and it will undergo a reset during that time. You may want to access N1 via SSH during this time and run "show logging application deployment.log tail" just to see how things are coming along.
11-06-2018 02:28 PM
I never get a prompt to accept any kind of cert; it just tells me that it failed on cert validation or something like that.
I can get it to register and it starts to sync, but then fails after a few hours. What logs can I look at?
11-06-2018 02:33 PM
11-06-2018 02:38 PM
This is the trusted cert store on Node 1 (primary).
Node 2 is CENPINFISE01
11-06-2018 02:53 PM
In my opinion the safest bet is:
1) Remove N2's and N1's trusted certificates from each other.
2) Make sure both N1 and N2 are resolvable by DNS to one another (actually ping each other's FQDN from SSH).
3) Make sure the traffic between N1 and N2 isn't blocked by a firewall or whatnot.
4) Add N2 from the deployment screen of N1. The first thing you should get is a big popup asking you to accept N2's certificate, then you provide N2's admin credentials, then you pick the personas.
Take a look at the link I provided you earlier. And you should upload the screenshot of the error you receive, if any.
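The checklist in this post (mutual DNS resolution, open path between the nodes, and a trust store with no stale entry for N2's FQDN, as the earlier reply about deleting the old cert also mentions) can be scripted as a pre-registration check. The script below is an added example written for this thread, not Cisco's code and not part of ISE: it runs from any host that can reach both nodes, uses only the Python standard library, and compares the certificate N2 actually presents on the admin port against a fingerprint map that stands in for N1's trust store. The hostnames, IP addresses, the fingerprint values and the assumption that registration uses HTTPS on port 443 are all constructed for the illustration; the probe callbacks are injectable so the logic can be exercised offline.

```python
"""Pre-registration checks for pairing two ISE admin nodes (N1 registers N2).

Added illustration for the forum thread, not Cisco's code. It encodes the
checklist from the reply above: both FQDNs resolve, the admin port on N2 is
reachable, and N1's trust store does not hold a stale certificate under N2's
FQDN (a different cert with the same name must be deleted before registering).
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ADMIN_PORT = 443  # assumption: HTTPS admin port used for node registration


def resolve_fqdn(fqdn: str) -> Optional[str]:
    """Forward DNS lookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def presented_fingerprint(fqdn: str, port: int) -> Optional[str]:
    """SHA-256 fingerprint of the certificate the peer presents in the TLS
    handshake. Chain verification is disabled here on purpose: the point is
    to observe the cert, the trust decision is made against our own store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((fqdn, port), timeout=3.0) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:
        return None
    return hashlib.sha256(der).hexdigest() if der else None


@dataclass
class Probes:
    """Network probes, replaceable with fakes for offline testing."""
    resolve: Callable[[str], Optional[str]] = resolve_fqdn
    reachable: Callable[[str, int], bool] = tcp_reachable
    fingerprint: Callable[[str, int], Optional[str]] = presented_fingerprint


def preflight(n1_fqdn: str, n2_fqdn: str, n1_trust_store: Dict[str, str],
              probes: Probes = Probes()) -> List[str]:
    """Return findings prefixed BLOCK: (fix before registering) or NOTE:.
    n1_trust_store maps an FQDN to the SHA-256 fingerprint N1 already trusts."""
    findings: List[str] = []
    n2_ip = probes.resolve(n2_fqdn)
    if n2_ip is None:
        findings.append(f"BLOCK: {n2_fqdn} does not resolve; fix DNS before registering")
    if probes.resolve(n1_fqdn) is None:
        findings.append(f"BLOCK: {n1_fqdn} does not resolve; N2 must reach N1 by name too")
    if n2_ip is not None and not probes.reachable(n2_ip, ADMIN_PORT):
        findings.append(f"BLOCK: tcp/{ADMIN_PORT} to {n2_ip} is not reachable (firewall?)")
        return findings
    if n2_ip is None:
        return findings
    seen = probes.fingerprint(n2_fqdn, ADMIN_PORT)
    if seen is None:
        findings.append(f"BLOCK: TLS handshake with {n2_fqdn} failed; no certificate seen")
        return findings
    stored = n1_trust_store.get(n2_fqdn)
    if stored is None:
        findings.append(f"NOTE: {n2_fqdn} not yet trusted; expect the accept-certificate popup")
    elif stored != seen:
        findings.append(f"BLOCK: N1 trusts a different cert for {n2_fqdn} (stale entry); "
                        "delete it from N1's trust store, then register again")
    else:
        findings.append(f"NOTE: {n2_fqdn} already trusted with its current certificate")
    return findings


def is_ready(findings: List[str]) -> bool:
    """True when no finding is blocking."""
    return not any(f.startswith("BLOCK:") for f in findings)


if __name__ == "__main__":
    # Constructed example store: fingerprint value is a placeholder.
    store = {"n2.domainb.example": "00" * 32}
    for line in preflight("n1.domaina.example", "n2.domainb.example", store):
        print(line)
```

Run it with real hostnames from a workstation with access to both nodes; an empty BLOCK list means the remaining failures are on the ISE side (version, patch level, credentials), which is where the original poster eventually found the cause.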
11-06-2018 07:50 PM
11-07-2018 05:45 AM
I am running 2.2, so no auto cert enrollment.
After the sync began, a few hours later this was the message:
The two servers are across the WAN and the firewalls are allowing IP any from each node to the other.
11-07-2018 10:57 PM