Why is the PAN CA not there?

Hi Forum,

I have 2 nodes, a primary and a secondary. I'm deploying onboarding for BYOD but I'm having an issue where my primary PAN/PSN CA certs are not there. I checked on the CLI and the Cert authority service is running. See the attached image. The issue is that when users are redirected to the primary PSN for onboarding, they get an error regarding SSL session, but when I disconnect the primary PSN and the user request goes to the secondary PSN they work fine.

Any advice is appreciated.

Accepted Solutions
Advocate

Re: Why is the PAN CA not there?

Check the trust certificate store and verify if you see the Root CA cert. Depending on which node was Primary PAN at time of install, root CA may be on secondary PAN now. You can create a repository and run export internal CA certs from CLI (under 'application configure ise') and you will see all the certs and chain after export in CLI. Check on both nodes.

Cisco Employee

Re: Why is the PAN CA not there?

Adding to Craig's, it appears that your deployment's primary PAN changed the hostname before, because the common name of the root CA looks different from either node.

As you are going to change the hostname again, I would suggest that you go ahead and do that, and then replace the internal CA certificates, which will be single-root. See Generate Root CA and Subordinate CAs on the PAN and PSN