
Cisco Employee

Reverse DNS with Context Visibility

Team,

I have a customer that has installed multiple distributed ISE deployments across the nation. Each deployment contains nodes from several different states, and my customer has strong concerns with configuring reverse DNS pointer records across their nationwide infrastructure, which includes many separate subnets. In total, there are 270 nodes. Configuring reverse DNS is recommended in the ISE admin guides, but without configuring it there does not seem to be an impact on normal RADIUS authentications, replication between nodes, or joining nodes to the deployment. However, if we try to examine endpoints or devices under the Context Visibility menu of 2.2 patch 5, we receive the following error.

Unable to load Context Visibility page. Ensure that reverse DNS lookup is configured for all Cisco ISE nodes in your distributed deployment in the DNS server. Exception: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];

We further document the need for reverse DNS in the release notes: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html#pgfId-700468.

Additionally, I understand that elastic search needs reverse DNS configured for each host in the deployment in order to work properly but do we have any enhancements on the roadmap whereby we won't rely on reverse DNS? Are there any other solutions apart from configuring reverse DNS?

Thank you,

Thomas
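The error quoted above is raised when the Context Visibility data store cannot resolve the deployment's nodes in reverse. Before enabling the page on a large deployment, it is useful to verify from the resolver the admin nodes actually use that every node's A record and PTR record agree. The following checker is an added example, not Cisco's or the ISE product's own code; the hostnames, IP addresses and inventory format are constructed for illustration, and the static lookup tables stand in for a live resolver so it runs offline (the `live_*` functions use the standard `socket` calls when pointed at a real DNS server).

```python
"""
Pre-flight check: confirm that every ISE node in an inventory has a forward (A)
record matching the inventory IP and a reverse (PTR) record matching its hostname.
Added example, not Cisco code. Hostnames and addresses below are constructed.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample inventory of a small deployment: hostname -> expected IP.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ise-pan-1.example.com": "10.10.1.11",
    "ise-pan-2.example.com": "10.10.2.11",
    "ise-psn-1.example.com": "10.10.3.21",
}

# Constructed DNS data used instead of a live resolver so the check runs offline.
SAMPLE_FORWARD: Dict[str, str] = {
    "ise-pan-1.example.com": "10.10.1.11",
    "ise-pan-2.example.com": "10.10.2.11",
    "ise-psn-1.example.com": "10.10.3.21",
}
SAMPLE_REVERSE: Dict[str, str] = {
    "10.10.1.11": "ise-pan-1.example.com",
    "10.10.2.11": "ise-pan-2.example.com",
    # 10.10.3.21 deliberately has no PTR record: the failure mode in the thread.
}

Lookup = Callable[[str], Optional[str]]


def live_forward(hostname: str) -> Optional[str]:
    """Resolve hostname -> IP with the system resolver; None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """Resolve IP -> PTR name with the system resolver; None if no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_node(hostname: str, expected_ip: str,
               forward: Lookup, reverse: Lookup) -> List[str]:
    """Return the problems found for one node; an empty list means it is consistent."""
    problems: List[str] = []
    resolved_ip = forward(hostname)
    if resolved_ip is None:
        problems.append(f"{hostname}: no A record")
    elif resolved_ip != expected_ip:
        problems.append(f"{hostname}: A record {resolved_ip} != inventory {expected_ip}")
    ptr_name = reverse(expected_ip)
    if ptr_name is None:
        problems.append(f"{expected_ip}: no PTR record")
    elif ptr_name.rstrip(".").lower() != hostname.lower():
        problems.append(f"{expected_ip}: PTR {ptr_name} != {hostname}")
    return problems


def check_deployment(inventory: Dict[str, str],
                     forward: Lookup = live_forward,
                     reverse: Lookup = live_reverse) -> Dict[str, List[str]]:
    """Check every node in the inventory; return only the nodes with problems."""
    report: Dict[str, List[str]] = {}
    for hostname, ip in inventory.items():
        problems = check_node(hostname, ip, forward, reverse)
        if problems:
            report[hostname] = problems
    return report


def check_sample() -> Dict[str, List[str]]:
    """Run the check against the constructed sample data (no network required)."""
    return check_deployment(SAMPLE_INVENTORY,
                            forward=SAMPLE_FORWARD.get,
                            reverse=SAMPLE_REVERSE.get)


if __name__ == "__main__":
    # Against the sample data this reports the PSN that lacks a PTR record.
    for host, host_problems in check_sample().items():
        for problem in host_problems:
            print(problem)
```

Run it on the PANs (or from a host configured with the same DNS servers the PANs use), since those are the resolvers the data store relies on; any node listed in the report needs its A or PTR record fixed before the Context Visibility page will load cleanly.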


4 REPLIES
Cisco Employee

Re: Reverse DNS with Context Visibility

You may go ahead and file one, if you like. Please discuss any roadmap items directly with our PM team.

Cisco Employee

Re: Reverse DNS with Context Visibility

Thank you, are you aware of any solutions outside of configuring reverse DNS pointer records?

Accepted Solution
Cisco Employee

Re: Reverse DNS with Context Visibility

The current implementation mandates DNS PTR records for the ISE admin nodes for the underlying data store of context visibility. There is no other way around for ISE deployments with two PANs.

Perhaps, you may limit the resolution for the DNS servers used by the two PANs.

Cisco Employee

Re: Reverse DNS with Context Visibility

Thank you for your inputs and speedy replies. I will reach out to the ISE PM team.