cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
335
Views
0
Helpful
9
Replies

Error after Upgrade to 3.3 patch 3

after Upgrade to 3.3 patch 3 no any live logs apper 

I have 2 node Primay and Sec

PRIM (PAN and MNT)

Sec(PAN and MNT)

output of ISE PR

saeedabdelhalimhamada_0-1732431322570.png

output of ISE SEC

 

saeedabdelhalimhamada_1-1732431338776.png

 

9 Replies 9

Arne Bier
VIP
VIP

Which one of those ISE nodes is the Monitoring Primary?  Have you tried making the other ISE node the Monitoring Primary?

Failing that, I would also check if the Queue Link Errors are appearing and then regenerate the ISE Root CA cert (under Cert Signing Request, drop down to locate "Root CA Cert")

If that doesn't work, then perhaps engage the TAC (if not already done) and if no luck, revert to the previous patch.

Monitoring Primary the one that has the error , i already open TAC but no any help 

cisco told my to re-iamge the node , so please i need some help 

1- first i need to ensure from that the sec node will work and handle all traffice , so i need to know how to ensure

2- sec i need the steps of  how re-iamge the node

All your RADIUS and TACACS+ clients (as listed in the ISE Network Devices) must point to BOTH of your ISE nodes. Each ISE node (in your case) is configured for Services, and therefore receives the same programming. With IOS-XE you can use the aaa group to list both ISE node IPs, and then also use the load balancing feature to ensure that both nodes get loaded quite evenly. 

Steps to re-image the node - it's been discussed many times and you can find videos and links with a simple web search. In essence, it goes like this:

  • If possible, export the Admin and EAP certs from the node you want to re-image (it saves time for the re-build)
  • de-register the node that you want to re-image. If the node you want to re-image is the Primary Admin, then, first promote the other node to Primary, wait for all the sync to finish, and then de-register to node you want to re-image.
  • Power off the VM of the node you want to re-image.
  • Build the ISE node from OVA or ISO and run setup wizard
  • Patch the new VM to the same patch release as Primary Admin node
  • Install the Trusted certs and Admin/EAP to the new ISE node
  • Register the new ISE node
  • Join to AD/LDAP etc.

all NAD have ISE aaa group and both IPs , i need to know what is the load balancing feature 

and in my case after de register only 1 node will work and i need to direct traffic to this node only  

in my case as i see all NAD have the 2 ISE nodes IPs , is there any other configure i need so if i de register the primary node the sec node will replace ?

Arne Bier
VIP
VIP

De-registering a node from the ISE Deployment is just a separation process - it removes the node from the Primary Admin's database. But the config on the separated node stays the same - it goes into Standalone mode, but all the services will continue to work as normal, once the separation is completed, and the services have restarted,  So in your case, de-register the node, and then you can forcefully power it off.

RADIUS high availability is handled by the network devices - if they make a request to an ISE node that is not responding (powered off, rebooting etc.) then the network device will timeout, and perform retries and eventually give up and fail over to the other server(s) in the aaa group.

IOS RADIUS Load balancing is optional but highly recommended to ensure your PSNs are being used efficiently:

aaa group .....
  load-balance method least-outstanding

 You can monitor the results with the command

show aaa servers

 

so as i understand frist of all i need to permote the sec node as i primary ,then de-regisrt and power off the appliance , and now all NAD will try to go to the priamy cuz the IP of the primary node is the first ip in the aaa group and be cuz i powered off the appliance the NAD will fail over to the next ip of the AAA group

That's right. That's how all vendors handle RADIUS high availability. In most network devices you can also configure:

  • RADIUS dead timer (how long to consider the server 'dead' and not try again until this timer expires) - very useful to avoid those retries and timeouts which cause small delays to end-users as they connect/re-authenticate - e.g. 30min dead timers make sense, to allow an ISE node to be offline during patching and reboot.
  • a RADIUS probe to occasionally check if the RADIUS server is alive again and then allow the HA/load balancing to start working again

Those commands can be found in the IOS config guides and also the Cisco Wired Prescriptive Guide