05-19-2023 08:10 AM
I am running ISE 3.0 patch-3. For the past two weeks, I have been seeing this message in ISE from one of my PSN nodes:
AD Connector had to be restarted. Server=isepsn1
The tcpdump on the network showed that the RST packets come from the Active Directory server at the exact time I see this message in ISE. Is this an issue with ISE or AD? Thoughts?
05-19-2023 08:30 AM - edited 05-19-2023 08:31 AM
I would probably install the latest patch for 3.0 before spending too much time troubleshooting. Patch 3 is quite old at this point.
05-19-2023 09:56 AM - edited 05-19-2023 09:58 AM
@ahollifield: you sound like a true Cisco TAC engineer with the "upgrade to the latest patch" comment, instead of trying to figure out what the issue is, LOL....
05-19-2023 10:05 AM
lol, they do have a point though. Patch 3 was released July 27, 2021, so almost two full years ago. That's an ancient time in a software lifecycle with zero vulnerability or bug fixes. Within that timeframe two new major releases of ISE have also been released.
05-19-2023 11:39 AM - edited 05-19-2023 11:39 AM
LOL... Yes, but ISE 3.2 is severely "broken" and not too many people are using it.
You don't know if upgrading to the latest patch will fix the issue, instead of investigating the actual issue and confirming whether the latest patch will fix it, rather than just hoping the latest patch will fix it.
05-19-2023 12:04 PM
Can you elaborate on "severely broken"? I know of several deployments running 3.2 Patch 1 expressly for the Azure AD integration for EAP-TLS authorization without issue.
That's true, I don't know that; I'm just offering a potential fix that might save time troubleshooting. It's something that should be done anyway...
05-25-2023 04:46 AM
@ahollifield: Severely broken as in: 1- Integration with Active Directory doesn't work; 2- External authentication with a RADIUS server (the external RADIUS is another Cisco ISE) does not work; 3- SSH stops working for no reason (tcpdump showed SSH requests get to the ISE server but no SSH reply). I am sure there are other things that are not working, but I am still stuck on items #1 and #2 because they are show-stoppers for me so far.
05-25-2023 05:50 AM
Interesting, do you have TAC cases open for these? I have several 3.2 deployments joined to on-prem AD without issue. I haven't tested the external RADIUS server configuration on 3.2, but I am curious about the use-case for relaying to another ISE deployment. Is this for a migration?
05-25-2023 07:44 AM
@ahollifield: Yes, my ISE 3.2 patch-2 does NOT have an issue with joining Active Directory. It joins just fine and I can also test the user. However, when I attempted to create a wireless guest user with AD credentials, I didn't see any communication between ISE and the AD servers. Yes, I have multiple tickets open with TAC on many issues regarding ISE 3.2, and they are very slow in responding so far.
05-19-2023 09:08 PM
Hi @adamscottmaster2013 ,
please try to find a clue by "debugging" the ad_agent.log:
- GUI:
Administration > System > Logging > Debug Log Configuration > select the PSN > Active Directory from Warn to Debug or Trace.
- CLI:
ise/admin# show logging application ad_agent.log
Hope this helps !!!
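The original post matched the RST timing against the ISE alarm by eye. The following script is an added example of doing that correlation systematically; it is my own code, not Cisco's and not from anyone in this thread. It pairs each "AD Connector had to be restarted" line from the agent log with the nearest TCP reset in a tcpdump text capture and records which side sent the reset. The ISE log line format, the AD server address 10.0.0.5, the PSN address 10.0.0.10, and all sample lines are constructed placeholders; only the tcpdump line layout (`tcpdump -nn -tttt`) is the tool's real format.

```python
"""Correlate ISE 'AD Connector had to be restarted' events with TCP RST packets
from a tcpdump capture, to show whether resets originate at the AD server or at
the PSN. Added example; the ISE log format and sample data are constructed."""
import re
from datetime import datetime, timedelta

AD_SERVER_IP = "10.0.0.5"   # assumed domain controller address
PSN_IP = "10.0.0.10"        # assumed ISE PSN address

# Constructed sample log excerpt; the real ad_agent.log layout may differ.
ISE_LOG = """\
2023-05-19 08:09:58 INFO  ad_agent: LDAP bind to dc1.example.local ok
2023-05-19 08:10:02 ERROR ad_agent: AD Connector had to be restarted. Server=isepsn1
2023-05-19 08:41:10 INFO  ad_agent: LDAP bind to dc1.example.local ok
2023-05-19 08:41:13 ERROR ad_agent: AD Connector had to be restarted. Server=isepsn1
"""

# Constructed sample in `tcpdump -nn -tttt` text layout. Flags containing R are resets.
TCPDUMP = """\
2023-05-19 08:09:58.100000 IP 10.0.0.10.51234 > 10.0.0.5.389: Flags [P.], seq 1:100, ack 1, win 500, length 99
2023-05-19 08:10:01.900000 IP 10.0.0.5.389 > 10.0.0.10.51234: Flags [R.], seq 1, ack 100, win 0, length 0
2023-05-19 08:20:00.000000 IP 10.0.0.10.51240 > 10.0.0.5.389: Flags [S], seq 0, win 64240, length 0
2023-05-19 08:41:12.500000 IP 10.0.0.10.51250 > 10.0.0.5.389: Flags [R.], seq 1, ack 1, win 0, length 0
"""

RESTART_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*AD Connector had to be restarted")
PKT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[([^\]]+)\]"
)


def parse_restarts(log_text):
    """Return timestamps of connector restart events in the ISE log."""
    out = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if m:
            out.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return out


def parse_resets(capture_text):
    """Return (timestamp, src_ip, dst_ip) for every packet carrying the RST flag."""
    out = []
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if m and "R" in m.group(4):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m.group(2), m.group(3)))
    return out


def correlate(restarts, resets, ad_ip=AD_SERVER_IP, window=timedelta(seconds=5)):
    """Pair each restart with the closest reset inside `window`.

    Each match records the reset's source address and whether it came from the
    AD server, which is the question the original post was trying to answer."""
    matches = []
    for restart in restarts:
        near = [r for r in resets if abs(r[0] - restart) <= window]
        if not near:
            continue
        ts, src, dst = min(near, key=lambda r: abs(r[0] - restart))
        matches.append({
            "restart": restart,
            "reset": ts,
            "delta_s": abs(restart - ts).total_seconds(),
            "src": src,
            "dst": dst,
            "from_ad": src == ad_ip,
        })
    return matches


def summarize(matches):
    """Count correlated resets by originating side."""
    return {
        "from_ad": sum(1 for m in matches if m["from_ad"]),
        "from_other": sum(1 for m in matches if not m["from_ad"]),
    }


if __name__ == "__main__":
    found = correlate(parse_restarts(ISE_LOG), parse_resets(TCPDUMP))
    for m in found:
        side = "AD server" if m["from_ad"] else m["src"]
        print(f"{m['restart']} restart <- RST from {side} {m['delta_s']:.1f}s earlier")
    print(summarize(found))
```

Feed it a real capture taken with `tcpdump -nn -tttt` on the PSN and the debug-level ad_agent.log the reply above describes; a run of restarts that all pair with resets sourced from the AD address points the investigation at the domain controller (or a middlebox on that path) rather than at the ISE agent. Running the constructed sample above, the first restart pairs with a reset from the AD server and the second with a reset sent by the PSN itself, so the summary reports one of each.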
09-29-2023 02:25 PM
A colleague of mine opened a TAC case with Cisco for this exact issue and the TAC is not very helpful. It looks like not even TAC is very knowledgeable with this product. Cisco's response: please upgrade to patch-8.