10-30-2012 08:08 AM - edited 03-10-2019 07:44 PM
Hi All,
I am getting the error below.
Communication failure with the host 162.12.95.167. Please check the information for the target machine, or if the target machine is accessible and try again.
I am able to ping as well from the primary node.
Output of ping:
PING 162.12.95.167 (162.12.95.167) 56(84) bytes of data.
64 bytes from 162.12.95.167: icmp_seq=1 ttl=58 time=1.02 ms
64 bytes from 162.12.95.167: icmp_seq=2 ttl=58 time=1.05 ms
64 bytes from 162.12.95.167: icmp_seq=3 ttl=58 time=1.05 ms
64 bytes from 162.12.95.167: icmp_seq=4 ttl=58 time=0.955 ms
64 bytes from 162.12.95.167: icmp_seq=5 ttl=58 time=1.02 ms
--- 162.12.95.167 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.955/1.019/1.051/0.053 ms
10-30-2012 06:16 PM
Hello Sachin-
Couple of questions:
1. Is there a firewall between the two nodes that you are trying to cluster? If yes, then have you confirmed that all of the necessary ports and protocols are opened between them?
2. What version of ISE are you using?
3. Can you confirm that both devices are added in DNS and that both devices can ping each other via their FQDNs?
On a side note, here are the prerequisites for clustering nodes:
• The fully qualified domain name (FQDN) of the standalone node that you are going to register, for
example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node.
Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes
that are part of your distributed deployment in the DNS server.
• The primary Administration ISE node and the standalone node that you are about to register as a
secondary node should be running the same version of Cisco ISE.
• You must configure the Cisco ISE Admin password at the time you install the Cisco ISE. The
previous Cisco ISE Admin default login credentials (admin/cisco) are no longer valid.
• Use the username/password that was created during the initial Setup or the current password, if it
was changed later.
• The DB passwords of the primary and secondary nodes should be the same. If these passwords are
set to be different during node installation, you can modify them using the following commands:
– application reset-passwd ise internal-database-admin
– application reset-passwd ise internal-database-user
• You can alternatively create an administrator account on the node that is to be registered and use
those credentials for registering that node. Every ISE administrator account is assigned one or more
administrative roles. To register and configure a secondary node, you must have either the Super
Admin or System Admin role assigned. See Cisco ISE Admin Group Roles and Responsibilities for
more information on the various administrative roles and the privileges associated with each of
them.
• If you plan to register a secondary Administration ISE node for high availability, we recommend
that you register the secondary Administration ISE node with the primary first before you register
other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart
the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
• If you plan to register multiple Policy Service ISE nodes running Session services and you require
mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group.
You must create the node group first before you register the nodes because you must select the node
group to be used on the registration page.
See the “Creating, Editing, and Deleting Node Groups” section on page 9-21 for more information.
• Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate
Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the
standalone node (that you are going to register as the secondary node).
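The ping in the original question only shows that ICMP passes, while the prerequisites above depend on DNS resolution, a reachable HTTPS port and a certificate the primary can validate. The following Python pre-flight check is an added example, not part of the thread or of any Cisco tooling. It assumes it is run from a host on the same network path as the primary node, that the node's HTTPS service listens on TCP 443, and that the primary's trusted CA certificates have been exported to a PEM file; the hostname, IP address and file name are constructed placeholders.

```python
import socket
import ssl

def resolves_to(fqdn, expected_ip):
    """Forward DNS: the FQDN must resolve, and to the address being registered."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    return expected_ip in {info[4][0] for info in infos}

def tcp_open(host, port, timeout=3.0):
    """A ping reply only proves ICMP passes; connect to the TCP port itself."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def cert_validates(fqdn, port, ca_file, timeout=5.0):
    """Handshake trusting only ca_file, with chain and hostname verification."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
        ctx.load_verify_locations(cafile=ca_file)      # missing/invalid file -> False
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn):
                return True
    except (ssl.SSLError, OSError):
        return False

def preflight(fqdn, expected_ip, ca_file, port=443):
    """Run the checks in dependency order; a failed stage fails the later ones."""
    dns = resolves_to(fqdn, expected_ip)
    tcp = dns and tcp_open(fqdn, port)
    tls = tcp and cert_validates(fqdn, port, ca_file)
    return {"dns": dns, "tcp": tcp, "tls": tls}

if __name__ == "__main__":
    # Constructed sample values: hypothetical node name, documentation-range IP,
    # and an assumed path to the CA bundle exported from the primary's trust store.
    print(preflight("ise2.example.com", "192.0.2.10", "primary-trusted-cas.pem"))
```

A result of `dns: True, tcp: False` with a successful ping points at a firewall rule between the nodes; `tcp: True, tls: False` points at the certificate trust prerequisite.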
10-31-2012 05:45 AM
Hi, can I get the port numbers to open between the primary, secondary and policy nodes?
10-31-2012 07:47 PM
There are actually a lot of ports used by ISE and they would depend on the actual services that you run on the personas. Here is a link that defines the ports used:
http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_app_e-ports.pdf
However, I would recommend that you basically open your firewall for complete communication between the nodes, as sometimes ports change. For example, the client provisioning port was changed with the latest version of ISE.