11-23-2024 11:39 PM
After upgrade to 3.3 patch 3, no live logs appear
I have 2 nodes, Primary and Sec
PRIM (PAN and MNT)
Sec (PAN and MNT)
output of ISE PR
output of ISE SEC
11-24-2024 10:24 PM
Which one of those ISE nodes is the Monitoring Primary? Have you tried making the other ISE node the Monitoring Primary?
Failing that, I would also check if the Queue Link Errors are appearing and then regenerate the ISE Root CA cert (under Cert Signing Request, drop down to locate "Root CA Cert")
If that doesn't work, then perhaps engage the TAC (if not already done) and if no luck, revert to the previous patch.
11-24-2024 10:38 PM
The Monitoring Primary is the one that has the error. I already opened a TAC case but got no help
11-25-2024 04:12 AM
Cisco told me to re-image the node, so please, I need some help
1- First, I need to ensure that the sec node will work and handle all traffic, so I need to know how to ensure that
2- Second, I need the steps for how to re-image the node
11-25-2024 01:07 PM
All your RADIUS and TACACS+ clients (as listed in the ISE Network Devices) must point to BOTH of your ISE nodes. Each ISE node (in your case) is configured for Services, and therefore receives the same programming. With IOS-XE you can use the aaa group to list both ISE node IPs, and then also use the load balancing feature to ensure that both nodes get loaded quite evenly.
Steps to re-image the node - it's been discussed many times and you can find videos and links with a simple web search. In essence, it goes like this:
11-25-2024 01:23 PM
All NADs have the ISE aaa group and both IPs. I need to know what the load balancing feature is,
and in my case, after de-registering, only 1 node will work and I need to direct traffic to this node only
11-25-2024 01:27 PM
In my case, as I see it, all NADs have the 2 ISE node IPs. Is there any other configuration I need so that if I de-register the primary node the sec node will replace it?
11-25-2024 02:03 PM
De-registering a node from the ISE Deployment is just a separation process - it removes the node from the Primary Admin's database. But the config on the separated node stays the same - it goes into Standalone mode, but all the services will continue to work as normal once the separation is completed and the services have restarted. So in your case, de-register the node, and then you can forcefully power it off.
RADIUS high availability is handled by the network devices - if they make a request to an ISE node that is not responding (powered off, rebooting etc.) then the network device will timeout, and perform retries and eventually give up and fail over to the other server(s) in the aaa group.
IOS RADIUS Load balancing is optional but highly recommended to ensure your PSNs are being used efficiently:
aaa group .....
load-balance method least-outstanding
You can monitor the results with the command
show aaa servers
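Added example, not part of the original replies: a sketch of the IOS-XE side of what the post above describes, with both ISE nodes in one aaa group, least-outstanding load balancing, and the timeout, retry and dead-detection settings that drive failover. The server names, group name, addresses (documentation range), timer values and probe username are assumptions; the shared secret is a placeholder.

```ios
! Constructed example: names, addresses and timers are assumptions, not from the thread.
! One "radius server" entry per ISE node.
radius server ISE-NODE-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
 ! How long to wait for a reply, and how many retries before giving up
 timeout 5
 retransmit 2
 ! Periodic test authentication so a dead or recovered node is noticed
 ! without waiting for real client traffic (hypothetical test account)
 automate-tester username radius-probe
!
radius server ISE-NODE-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key <shared-secret>
 timeout 5
 retransmit 2
 automate-tester username radius-probe
!
! Both nodes in the same group; order sets the preference when
! load balancing is not configured.
aaa group server radius ISE-GROUP
 server name ISE-NODE-1
 server name ISE-NODE-2
 ! Send each new transaction to the server with the fewest outstanding requests
 load-balance method least-outstanding
 ! Minutes a server marked dead is skipped before it is tried again
 deadtime 15
!
! Conditions under which a non-responding server is marked dead
radius-server dead-criteria time 10 tries 3
!
! Verify from exec mode before and after powering off a node:
!   show aaa servers
! Both servers should report state UP beforehand; afterwards the powered-off
! node should go DEAD while requests continue on the remaining one.
```

Checking that the surviving node shows UP and its request counters are increasing in `show aaa servers` is a direct way to confirm the network device has failed over before the other node is re-imaged.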
11-25-2024 02:09 PM
So as I understand, first of all I need to promote the sec node to primary, then de-register and power off the appliance, and now all NADs will try to go to the primary because the IP of the primary node is the first IP in the aaa group, and because I powered off the appliance the NAD will fail over to the next IP of the AAA group
11-25-2024 03:10 PM
That's right. That's how all vendors handle RADIUS high availability. In most network devices you can also configure:
Those commands can be found in the IOS config guides and also the Cisco Wired Prescriptive Guide