Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

784
Views
35
Helpful
6
Replies
Alex Pfeil
Rising star
Rising star
‎10-17-2019 09:36 AM
‎10-17-2019 09:36 AM

Identity Services Engine Unusable Domain Caused By Windows Domain Controller Reboot

We have had an issue a few times now  so it is becoming an emergency. We had a domain controller reboot cause an issue with the policy node saying that a domain is unusable. We are running ISE 2.4 patch 8. 

Here are some key points:

  1. Domain Controller has updates applied and reboots, comes online within 30 seconds.
  2. Identity Services Engine stops authenticating clients with the following error: 24367  Skipping unusable domain - "domain name", Server not found in Kerberos database. This causes issues for hundreds of users.
  3. For one outage, we rebooted an ISE Policy node and it re-connected to a different domain controller and started working.
  4. For the second outage, authentications started working after approximately 2 hours with no Policy node reboot.

Any information would be appreciated.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Alex Pfeil
Rising star
Rising star
In response to Jason Kunst
‎10-21-2019 07:36 AM
‎10-21-2019 07:36 AM

I am working with TAC and we already had the debugs enabled on the ISE policy node. We were able to see some good logs. I am waiting to hear back if we have the exact cause. Here are some example logs in case somebody runs into a similar issue in the future.

 

TimeStamp VERBOSE,Transaction Log Number Hidden,AdIdentitySearcher::performSearch: domain=[Some.Domain], base=[dc=Some,dc=Domain,dc=com], filter=[(&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=Bob))],lsass/server/auth-providers/ad-open-provider/ad_identity_searcher.cpp:324

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LsaDmLdapDirectorySearch: domain=Some.Domain, dn='dc=Some,dc=Domain,dc=com', scope=2, query=(&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=Bob)),lsass/server/auth-providers/ad-open-provider/lsadm.c:4393

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LsaDmLdapDirectorySearch: attempt=1, error=40286(LW_ERROR_LDAP_SERVER_DOWN),lsass/server/auth-providers/ad-open-provider/lsadm.c:4420

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LocatorLookup(0x7f5091806e90): dc=Domain-Controller1, x.x.x.x-IPA,netlogon/service_locator/service_locator.c:318

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LocatorLookup(0x7f509176c190): dc=Domain-Controller2, x.x.x.x-IPB,netlogon/service_locator/service_locator.c:318

 

TimeStamp ERROR  ,Transaction Log Number Hidden,LsaDmConnectDomain: domain Some.Domain is offline,lsass/server/auth-providers/ad-open-provider/lsadm.c:5011

View solution in original post

0 Helpful
Alex Pfeil
Rising star
Rising star
In response to Alex Pfeil
‎10-23-2019 07:39 AM
‎10-23-2019 07:39 AM

We ended up finding that it was a bug. It can happen when multiple domain controllers are rebooted at the same time.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp73385

We verified that this error was being thrown: LW_ERROR_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

The issue is resolved in ISE 2.4 patch 10.

View solution in original post

6 REPLIES 6
Jason Kunst
Cisco Employee
Cisco Employee
‎10-17-2019 11:02 PM
‎10-17-2019 11:02 PM

Please see this post for general guidance on using community,
https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

0 Helpful
Alex Pfeil
Rising star
Rising star
In response to Jason Kunst
‎10-21-2019 07:33 AM
‎10-21-2019 07:33 AM

I have a TAC case open. I know that this is not Cisco TAC. I always share issues that I am having here as a way to let other people know about the issue and see if they have had it before. I do not see anything wrong with that. This was also informational and you definitely did not have the right solution.

0 Helpful
Jason Kunst
Cisco Employee
Cisco Employee
In response to Alex Pfeil
‎10-21-2019 10:39 PM
‎10-21-2019 10:39 PM

Alex thank you, it would be good to state what your intent is so we can close out the solution. If its just information sharing then please post as a document or blog and not something needing an actual solution. We are trying to manage and make sure everything is covered.
0 Helpful
Alex Pfeil
Rising star
Rising star
In response to Jason Kunst
‎10-21-2019 07:36 AM
‎10-21-2019 07:36 AM

I am working with TAC and we already had the debugs enabled on the ISE policy node. We were able to see some good logs. I am waiting to hear back if we have the exact cause. Here are some example logs in case somebody runs into a similar issue in the future.

 

TimeStamp VERBOSE,Transaction Log Number Hidden,AdIdentitySearcher::performSearch: domain=[Some.Domain], base=[dc=Some,dc=Domain,dc=com], filter=[(&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=Bob))],lsass/server/auth-providers/ad-open-provider/ad_identity_searcher.cpp:324

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LsaDmLdapDirectorySearch: domain=Some.Domain, dn='dc=Some,dc=Domain,dc=com', scope=2, query=(&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=Bob)),lsass/server/auth-providers/ad-open-provider/lsadm.c:4393

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LsaDmLdapDirectorySearch: attempt=1, error=40286(LW_ERROR_LDAP_SERVER_DOWN),lsass/server/auth-providers/ad-open-provider/lsadm.c:4420

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LocatorLookup(0x7f5091806e90): dc=Domain-Controller1, x.x.x.x-IPA,netlogon/service_locator/service_locator.c:318

 

TimeStamp VERBOSE,Transaction Log Number Hidden,LocatorLookup(0x7f509176c190): dc=Domain-Controller2, x.x.x.x-IPB,netlogon/service_locator/service_locator.c:318

 

TimeStamp ERROR  ,Transaction Log Number Hidden,LsaDmConnectDomain: domain Some.Domain is offline,lsass/server/auth-providers/ad-open-provider/lsadm.c:5011

View solution in original post

0 Helpful
Alex Pfeil
Rising star
Rising star
In response to Alex Pfeil
‎10-23-2019 07:39 AM
‎10-23-2019 07:39 AM

We ended up finding that it was a bug. It can happen when multiple domain controllers are rebooted at the same time.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp73385

We verified that this error was being thrown: LW_ERROR_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

The issue is resolved in ISE 2.4 patch 10.

View solution in original post

Alex Pfeil
Rising star
Rising star
In response to Jason Kunst
‎10-23-2019 07:43 AM
‎10-23-2019 07:43 AM

Jason,

I have found multiple discussions in the forums that are bugs that have helped me in the past. The purpose of my post was to get as many eyes on my problem as I possibly could. Sometimes, a person will reply immediately with the fix. Other times, it could be that TAC will be the final solution. And now, this thread will help somebody in the future.

 

Latest Contents
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
1
5
1
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
1
10
1
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
ISE Data limiting best practices
Created by Jonathan Casillas on 03-18-2021 04:34 PM
0
5
0
5
Intro This document presents the ISE data limiting best practices that can dramatically improve the system performance on ISE. Symptoms Your deployment may be impacted if the alarms tab on ISE shows High load average, high CPU or high memoy usage alarm... view more
Content for Community-Ad