Solved: Re: Cisco ISE 2.7 Queue Link Error

saxenanitesh8522 · ‎01-17-2021

Dear All,

I wanted to know if some1 seen this error as i am not getting this information any place.

Queue Link Error: Message=From ISE1 To ISE2; Cause={tls_alert;"handshake Failure"}

Any help to get this fixed would be great help.

Damien Miller · ‎01-17-2021

You can this to fix it yourself, and if that doesn't work, then I would suggest TAC.

First regenerate the root CA cert for the deployment
Then regenerate the ISE messaging cert for the deployment (selecting all nodes)

Do this from here

View solution in original post

saxenanitesh8522 · ‎01-17-2021

Before Installing Ca
Queue Link Error: Message=From ISE1 To ISE2; Cause={tls_alert;"unknown Ca"}
Post Installating CA using Multi-Use
Queue Link Error: Message=From ISE1 To ISE2; Cause={tls_alert;"handshake Failure"}

As soon as we installed External CA using Multi-Use i stared to get this error.

Damien Miller · ‎01-17-2021

You can this to fix it yourself, and if that doesn't work, then I would suggest TAC.

First regenerate the root CA cert for the deployment
Then regenerate the ISE messaging cert for the deployment (selecting all nodes)

Do this from here

saxenanitesh8522 · ‎01-17-2021

there is no option for self signed and i have node which integrated with DNAC should i remove all those? or re-generate will effect integration between it?

1. Remove my DNA integration first?

2. So i have a 2xNodes which are there so should i re-generate for both Node using generate CSR and then do this?

Please suggest

saxenanitesh8522 · ‎01-31-2021

Hi guys,

Just to update you i was able to fix the issue and it also had a underlying issue of the Root CA and pxgrid integration as well.

So Please find this information for future use as well:-

1. regenerated the ise messaging certificate --> fixed the queue link error and also i was not able to see my root ca in one of my nodes. before when i was trying to check the certificates it was getting error. post doing that it fixed that certificate pulling

2. regenerated the ise root ca certificate as well --> so far fixing this queue link error regnerated the internal CA certificate which fixed everythig. So ISE got sorted out but now issue was pxgrid certificate was changed so i had to fix the DNA and ISE pxgrid as wel.

3. logged in to DNA --> click on edit and just put your password, DNA will re-integrate itself and issue a new certificate.

4. i learned this also post check the Network setting were giving error post this change so its better to go and re put all the ISE servers and provision or resync your devices to remove that error.

So now all is good.

Thanks for all the help from tac and support forums.

Thanks,

samuel.heinrich · ‎09-27-2022

Thank you for that quick and easy tutorial. I was able to fix the QL-Link errors of a couple if ISE clusters in the past by regenerating the root / messaging certs.

today i encountered an ISE cluster where the option to regenerate those certs is missing:

is that the case, where i have to engage with TAC or are i'm missing something here?

EDIT: I found the answer.

The internal ISE CA Feature was disabled, thus the options to regenerate ISE Root CAs were missing.

After I enabled the CA Feature, the options showed up. Enabling the feature was painless, no app server restart required.