07-21-2020 12:09 AM
Hi Community,
We have an ISE deployment of two physical nodes (Primary, Secondary). Ever since we patched the environment from 3 to 7, we are now getting "Queue Link Error: Message=From NODE1 To NODE2; Cause=Timeout". There are no firewalls or network connectivity issues between the nodes, their status is OK under Deployment, and all other features are working as expected.
I've tried restarting the nodes - no luck.
I've tried running a Syncup - no luck.
Your assistance would be appreciated. Thanks.
07-21-2020 12:46 AM
- Issue "show application status ise", make sure all services are running.
M.
07-21-2020 04:44 PM
Thank you for the quick response. I have confirmed that the ISE processes on both nodes are running as expected. There are disabled processes, but that's because we are not using those features, i.e., CA Service, PassiveID service, etc. The services that were running prior to Patch 7 are the same services running now.
08-02-2020 09:28 AM
07-21-2020 08:46 PM
It's an issue related to certificates; from 2.6 patch 4 (I think) the ISE messaging service started to make use of certificates.
Below are the instructions I had from TAC in order to solve the issue:
Kindly navigate to Administration => System => Certificates => Certificate Management => Certificate Signing Request (CSR).
* Generate CSR, then kindly choose ISE Root CA as the Usage, and then Replace ISE Root CA Certificate Chain.
* Once the ISE Root CA is done, please regenerate ISE Messaging Service Certificate for all the nodes.
You have to keep the internal CA enabled as it is responsible for the communication between the ISE nodes.
07-29-2020 05:46 PM
Thank you for the provided instructions. Unfortunately, it has not resolved the issue; the error is still appearing. I confirmed the Internal CA service and ISE Messaging Services are running, and regenerated the Root CA certs and the ISE Messaging Service certs. As previously mentioned, ISE continues to function as normal and there are no noticeable issues.
Is there anything else I can do or check?
Thanks,
07-29-2020 09:08 PM
Unfortunately, the instructions I posted are all I had from TAC.
It worked for me for a while, then the issue came back again, but since it's not breaking anything and in the meantime the TAC case got closed, I decided to give it up.
09-02-2020 04:44 PM
Apologies for the slow response. The warnings are still occurring in my environment, but similar to you, it doesn't seem to be causing any other issues. Thanks again for your assistance.