cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3962
Views
5
Helpful
7
Replies
nikolaie
Beginner

Cisco ISE 2.6 Patch 7 "Queue Link Error; Cause = Timeout"

Hi Community, 

We have an ISE deployment of two physical nodes (Primary, Secondary), ever since we patched the environment from 3 to 7 we are now getting "Queue Link Error: Message=From NODE1 To NODE2; Cause=Timeout".  There are no firewalls or network connectivity issues between the nodes, their status is OK under Deployment, and all other features are working as expected.

 

I've tried restarting the nodes- no luck.

I've tried running a Syncup - no luck.

 

Your assistance would be appreciated. Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Unfortunately the instructionns I posted is all I had from tac.

It worked for me for a while, then the issue came back again, but since it's not breaking anything and in the mean time the tac case got closed I decided to give it up.

View solution in original post

7 REPLIES 7
marce1000
VIP Mentor

 

 - Issue show application status ise , make sure all services are running.

 M.

Thank you for the quick response.  I have confirmed that ISE Process on both nodes are running as expected.  There are disabled processes but that because we are not using those features, i.e, CA Service, PassiveID service, etc.  The services that were running prior to Patch 7 are the same services running now.

Check if the TCP port 8671 is blocked between the nodes. If that is also not the case then enable debug logs for admin-ca, admin-infra, ca-service, infrastructure components, wait for the alarm to reoccur and check prrt-server.log, collector.log , ise-messaging.log and ise-psc.log for the same timestamp.
Massimo Baschieri
Participant

It's an issue related to certificates, from 2.6 patch 4 (I think) ise messaging service started to make use of certificates.

Below the instructions I had from tac in order to solve the issue:

 

kindly navigate to Administration => System => Certificates => Certificate Management => Certificate Signing Request (CSR).

 

  *   Generate CSR, then kindly choose ISE Root CA as the Usage, and then Replace ISE Root CA Certificate Chain.

 

 

  *   Once the ISE Root CA is done, please regenerate ISE Messaging Service Certificate for all the nodes.

 

You have to keep the internal CA enabled as it is responsible for the communication between the ISE nodes

Thank you for the provided instructions, unfortunately it has not resolved the issue, the error is still appearing.  I confirmed the Internal CA service and ISE Messaging Services are running, regenerated the Root CA certs and the ISE Messaging Service certs.  As previously mentioned ISE continues to function as normal and there are no noticeable issues.

 

Is there anything else i can do or check?

 

Thanks,

Unfortunately the instructionns I posted is all I had from tac.

It worked for me for a while, then the issue came back again, but since it's not breaking anything and in the mean time the tac case got closed I decided to give it up.

Apologies for the slow response. The warnings are still occurring in my environment but similar to you it doesn't seem to be causing any other issues. Thanks again for your assistance.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube