
Automatic AD Failover on Error and Failure?

bilclay
Cisco Employee

Do any features exist, or are any planned, to detect an issue with a connected AD Domain Controller and fail over if a problem arises but the connection remains intact? I know ISE will fail back to another DC upon connection failure, but what about an error state such as:

Error Name: LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP

Error Code: 41744


I have heard of an environment where this condition did not cause DC failover; however, authentications were failing. Is this normal operation?

3 Replies

hslai
Cisco Employee

This error is seen in CSCvf71029, which is a duplicate of CSCvf75225.

If the deployment already has the latest patch or a patch release with the fix for CSCvf75225, then please engage Cisco TAC to gather more debug logs.

bilclay
Cisco Employee

Hsing, thanks for the bug information, as that will need to be fixed, but my question was a bit deeper.

Q) When bugs like this occur, can we trigger AD failover today just based on authentication failure? Today we have AD failover if AD is down, but my customer wants AD failover if a bug exists that stops authentication... any ideas? If not, I will submit a feature request if you agree that this could be a useful feature, or feel free to email if you want to take it offline (CiscoID bilclay).

hslai
Cisco Employee

CSCux24687 is addressed in ISE 1.4 Patch 9, 2.0.0 Patch 4, 2.0.1 Patch 1, and 2.1+ releases. Other than that one, we need to gather the specific requirements from the customers and then evaluate. Yes, it's best to discuss with our product management team.