Beginner

ISE PSN Failover

Hi, we have a 2-node ISE deployment with authentication requests going to ISE1. This is configured for multiple different connection types and all works as expected. However, when I test the PSN failover by removing ISE1 from the network I have issues with wired dot1x connections (EAP-TLS). In the logs I am seeing attempts to ISE2 but the following error:

5440 Endpoint abandoned EAP session and started new

I have tried resetting the client NIC / rebooting and removing the client from ISE but still experience the same problem.

When I bring ISE1 back online everything works again as it should.

Any help on this would be appreciated.

Thanks

Terry

ACCEPTED SOLUTION
Hall of Fame Master

Re: ISE PSN Failover

The most common cause would be a certificate issue. Do the PSN certificates match on both nodes? Typically we would have a single certificate with SANs for each node.

Are you using native supplicant? If so do you have "Verify the server's identity..." (certificate matching) checked in the supplicant configuration? See step 9 here:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-431024936
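To make the two checks in the accepted answer concrete (does each node present a certificate the supplicant will trust, and does the name the supplicant is told to verify actually match that node's CN or SANs), here is a small added model, not code from the thread or from Cisco. It takes the identity of the EAP certificate on each PSN and the server-validation part of a native-supplicant profile, and reports which node a client would accept. All FQDNs and thumbprints are constructed placeholders, and name matching is simplified to an exact, case-insensitive comparison rather than the supplicant's real matching rules. Scenario A mirrors the per-node certificates with FQDN-in-CN that the poster describes; scenario B mirrors the single certificate with a SAN for each node that the answer recommends.

```python
from typing import Dict, List, Set, Tuple


class EapServerCert:
    """Identity of the EAP (server) certificate installed on one PSN."""

    def __init__(self, node: str, subject_cn: str, san_dns: List[str], root_thumbprint: str):
        self.node = node                          # PSN the certificate is bound to for EAP
        self.subject_cn = subject_cn
        self.san_dns = san_dns                    # DNS SANs; empty when the SAN option is unused
        self.root_thumbprint = root_thumbprint    # thumbprint of the root that issued the chain

    def names(self) -> Set[str]:
        """All names the certificate asserts: CN plus DNS SANs, lower-cased."""
        return {self.subject_cn.lower()} | {n.lower() for n in self.san_dns}


class SupplicantProfile:
    """Server-validation settings of a native-supplicant EAP-TLS profile."""

    def __init__(self, trusted_roots: Set[str], server_names: Set[str], validate_server: bool = True):
        self.trusted_roots = {t.lower() for t in trusted_roots}
        self.server_names = {n.lower() for n in server_names}   # empty set = accept any name
        self.validate_server = validate_server                   # "Verify the server's identity..."


def evaluate(profile: SupplicantProfile, cert: EapServerCert) -> Tuple[bool, str]:
    """Return (trusted, reason) for one PSN's certificate under this profile."""
    if not profile.validate_server:
        return True, f"{cert.node}: accepted without verifying server identity"
    if cert.root_thumbprint.lower() not in profile.trusted_roots:
        return False, f"{cert.node}: issuing root is not in the supplicant's trusted roots"
    # Simplified matching: the cert must carry one of the configured names exactly.
    if profile.server_names and not (cert.names() & profile.server_names):
        return False, (f"{cert.node}: none of {sorted(profile.server_names)} "
                       f"matches CN/SAN {sorted(cert.names())}")
    return True, f"{cert.node}: trusted"


def failover_report(profile: SupplicantProfile,
                    certs: List[EapServerCert]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every PSN so a failover gap shows up before the primary is down."""
    return {c.node: evaluate(profile, c) for c in certs}


# Constructed data: placeholder FQDNs and thumbprints, not values from the thread.
ROOT = "placeholder-root-thumbprint-0001"

# Scenario A: one certificate per node, FQDN in the CN, no SANs.
PER_NODE_CERTS = [
    EapServerCert("ise1", "ise1.example.com", [], ROOT),
    EapServerCert("ise2", "ise2.example.com", [], ROOT),
]

# Scenario B: a single certificate with a SAN for each node, deployed on both.
SHARED_CERT = [
    EapServerCert("ise1", "ise.example.com", ["ise1.example.com", "ise2.example.com"], ROOT),
    EapServerCert("ise2", "ise.example.com", ["ise1.example.com", "ise2.example.com"], ROOT),
]

# A profile whose "connect to these servers" list only names the primary PSN.
PROFILE_PRIMARY_ONLY = SupplicantProfile({ROOT}, {"ise1.example.com"})
# The same profile after the secondary PSN's name is added.
PROFILE_BOTH = SupplicantProfile({ROOT}, {"ise1.example.com", "ise2.example.com"})


if __name__ == "__main__":
    scenarios = [
        ("A: per-node certs, profile names ise1 only", PROFILE_PRIMARY_ONLY, PER_NODE_CERTS),
        ("A: per-node certs, profile names both nodes", PROFILE_BOTH, PER_NODE_CERTS),
        ("B: shared SAN cert, profile names ise1 only", PROFILE_PRIMARY_ONLY, SHARED_CERT),
    ]
    for label, profile, certs in scenarios:
        print(label)
        for node, (ok, why) in failover_report(profile, certs).items():
            print("   ", "OK  " if ok else "FAIL", why)
```

Run as a script it prints one line per node and scenario. Scenario A with a profile that only names ISE1 is the pattern that reproduces the symptom in the question: ISE1 is accepted, ISE2 is rejected by the client, and on the ISE side a client that silently drops the exchange shows up as an abandoned EAP session rather than an explicit certificate error. Either adding the second node's name to the profile or issuing one certificate whose SANs cover both nodes clears it, which is why the answer asks about SANs and about the server-identity setting together.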

3 REPLIES

Beginner

Re: ISE PSN Failover

Hi Marvin
Thanks for your reply.
Each node has its own certificate issued by the CA hierarchy with its FQDN in the CN; the SAN option is not being used.
The identity certificates on both nodes have the EAP service associated, and both have the correct CA root / chain installed.
I'm just double checking the Windows native supplicant, but would expect this to be ok as we don't have a problem with connections to ISE1.
I can't see a problem with the above setup, but am I missing something with regards to the SAN option?
Thanks
Terry

Cisco Employee

Re: ISE PSN Failover

Check the step section of the auth details report and see how far it got. You might also need debugging on the client side. Or, restart ISE services on the second node. Please engage Cisco TAC if you need help troubleshooting it further.