Can't access ISE secondary node via CLI / GUI after joining deployment

Ryan H · ‎02-05-2024

Hey gang! I'm running into a strange deployment issue in my lab. Using ISE 3.2 Patch 4. The primary server is running fine as PAN/PSN/MNT. When I try to add a secondary server to the deployment, it is added successfully and the status of the new server shows up as green on the deployment page. However, after that point I can no longer login to the secondary via GUI or CLI. When I try via GUI, there is no web page presented and I just get TCP RST from the server. When I try to log into the CLI, it accepts the credentials but immediately logs me out. It also will not process AAA requests from NADs. I've tried rebuilding the secondary and repeating the whole process, and got the same results again. Any ideas? Thanks!

Greg Gibbs · ‎02-05-2024

You might be hitting this bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi33361

Your best bet would be to open a TAC case to confirm if this is the issue and, if so, see if they have a hotfix available (since there is no patch available yet with the bug fix).

Ryan H · ‎02-06-2024

Thanks Greg. TAC support would be tricky as this is a lab environment. However, the description of this bug doesn't quite fit... it suggests the GUI is accessible (which in my case it is not,) and also the specific error wording for the bug, "Failed to connect to ConfD: Connection refused" suggests a flat-out rejection of the SSH connect attempt. In my case the SSH/console session connects fine, but it is immediately disconnected after successful authentication. Interestingly, if I intentionally supply the wrong password upon connection attempt, I'm re-prompted to put in the pw multiple times. It's only when I put in the correct pw that the session is established and then immediately disconnected again.