cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4828
Views
5
Helpful
7
Replies

Cisco ISE 2.6 Patch 7 "Queue Link Error; Cause = Timeout"

nikolaie
Level 1
Level 1

Hi Community, 

We have an ISE deployment of two physical nodes (Primary, Secondary), ever since we patched the environment from 3 to 7 we are now getting "Queue Link Error: Message=From NODE1 To NODE2; Cause=Timeout".  There are no firewalls or network connectivity issues between the nodes, their status is OK under Deployment, and all other features are working as expected.

 

I've tried restarting the nodes- no luck.

I've tried running a Syncup - no luck.

 

Your assistance would be appreciated. Thanks.

1 Accepted Solution

Accepted Solutions

Unfortunately the instructionns I posted is all I had from tac.

It worked for me for a while, then the issue came back again, but since it's not breaking anything and in the mean time the tac case got closed I decided to give it up.

View solution in original post

7 Replies 7

marce1000
VIP
VIP

 

 - Issue show application status ise , make sure all services are running.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thank you for the quick response.  I have confirmed that ISE Process on both nodes are running as expected.  There are disabled processes but that because we are not using those features, i.e, CA Service, PassiveID service, etc.  The services that were running prior to Patch 7 are the same services running now.

Check if the TCP port 8671 is blocked between the nodes. If that is also not the case then enable debug logs for admin-ca, admin-infra, ca-service, infrastructure components, wait for the alarm to reoccur and check prrt-server.log, collector.log , ise-messaging.log and ise-psc.log for the same timestamp.

It's an issue related to certificates, from 2.6 patch 4 (I think) ise messaging service started to make use of certificates.

Below the instructions I had from tac in order to solve the issue:

 

kindly navigate to Administration => System => Certificates => Certificate Management => Certificate Signing Request (CSR).

 

  *   Generate CSR, then kindly choose ISE Root CA as the Usage, and then Replace ISE Root CA Certificate Chain.

 

 

  *   Once the ISE Root CA is done, please regenerate ISE Messaging Service Certificate for all the nodes.

 

You have to keep the internal CA enabled as it is responsible for the communication between the ISE nodes

Thank you for the provided instructions, unfortunately it has not resolved the issue, the error is still appearing.  I confirmed the Internal CA service and ISE Messaging Services are running, regenerated the Root CA certs and the ISE Messaging Service certs.  As previously mentioned ISE continues to function as normal and there are no noticeable issues.

 

Is there anything else i can do or check?

 

Thanks,

Unfortunately the instructionns I posted is all I had from tac.

It worked for me for a while, then the issue came back again, but since it's not breaking anything and in the mean time the tac case got closed I decided to give it up.

Apologies for the slow response. The warnings are still occurring in my environment but similar to you it doesn't seem to be causing any other issues. Thanks again for your assistance.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: