03-30-2022 10:47 AM - edited 03-30-2022 10:48 AM
Hello,
We have the following distributed ISE deployment:
Site A: 2x ADM, 2x MNT, 2x PSN
Site B: 2x PSN
Site C: 2x PSN
We opened the ports in the firewalls between Site A and Site B and between Site A and Site C so the PSNs can reach the ADM and MNT nodes.
We have some errors in ISE stating a communication failure between the PSNs of Site B and the PSNs of Site C.
Why do the PSNs of Site B need to communicate with the PSNs of Site C?
03-30-2022 11:28 AM - edited 03-30-2022 11:31 AM
Did you create a single "node group", with all PSNs assigned to it?
Such a scenario would explain the behaviour you see: PSNs share their active sessions with all members of the "node group".
If you have a single "node group", please consider creating a "node group" per site and only assigning the PSNs for that site.
Please keep in mind that RADIUS sessions are shared within a "node group"; PSNs of site A will have no knowledge about active sessions within site B.
Cheers,
Hans
03-30-2022 12:03 PM - edited 03-30-2022 12:04 PM
I did create a node group for each site when I added the nodes, so each node group contains only the 2 PSNs of its site.
03-30-2022 11:55 AM
Hi @hervetram
You can use this document as a guide to the ports and compare it with your firewall logs to check what traffic the PSNs are trying to establish: Cisco ISE Ports Reference
As @HansK_NL said, probably you have just one cluster configured and all PSN personas are trying to sync sessions.
Regards,
Jezer
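One way to do the firewall-log comparison Jezer suggests, as an added example that is not part of this thread: group denied flows whose source and destination are both PSNs in different sites, so the unexpected cross-site PSN traffic stands out. The log format, IP addresses, port numbers and the PSN-to-site mapping are constructed placeholders, not values from the thread or from the Cisco ISE Ports Reference.

```python
"""Summarise firewall deny logs to find PSN-to-PSN flows that cross sites.

Added example, not from the thread. Log format, addresses, ports and the
site mapping are constructed placeholders; adapt them to your firewall's
syslog format and your own ISE node inventory.
"""
import re
from collections import Counter

# Constructed inventory: PSN address -> site (placeholders, not real nodes)
PSN_SITE = {
    "10.1.0.11": "A", "10.1.0.12": "A",
    "10.2.0.11": "B", "10.2.0.12": "B",
    "10.3.0.11": "C", "10.3.0.12": "C",
}

# Constructed deny/permit lines in a generic key=value syslog style.
# dport values are placeholders, not ISE's actual replication ports.
SAMPLE_LOG = """\
action=deny src=10.2.0.11 dst=10.3.0.11 proto=tcp dport=5000
action=deny src=10.2.0.12 dst=10.3.0.12 proto=tcp dport=5000
action=deny src=10.3.0.11 dst=10.2.0.11 proto=tcp dport=5000
action=permit src=10.2.0.11 dst=10.1.0.11 proto=tcp dport=443
action=deny src=192.0.2.5 dst=10.2.0.11 proto=udp dport=1812
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def cross_site_psn_denies(log_text):
    """Count denied flows where both endpoints are PSNs in different sites.

    Returns a Counter keyed by (src_site, dst_site, proto, dport).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "deny":
            continue
        src_site = PSN_SITE.get(m["src"])
        dst_site = PSN_SITE.get(m["dst"])
        # Ignore non-PSN endpoints and intra-site (same node group) traffic
        if src_site is None or dst_site is None or src_site == dst_site:
            continue
        counts[(src_site, dst_site, m["proto"], int(m["dport"]))] += 1
    return counts


if __name__ == "__main__":
    for flow, n in sorted(cross_site_psn_denies(SAMPLE_LOG).items()):
        print(f"site {flow[0]} -> site {flow[1]} {flow[2]}/{flow[3]}: {n} denied")
```

Any flow that shows up here is one to look up in the ports reference: if it is node-to-node session replication, the node-group assignment is the thing to check before opening more firewall rules.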