Interface Bonding and New Certificates

ryans2
Cisco Employee
Cisco Employee

This past weekend I went through a maintenance window in which interface bonding and new certificates were applied to an ISE 2.2 Patch 9 deployment. The deployment consisted of 1 PAN, 1 MnT, and 2 PSNs and is being utilized as an AnyConnect VPN solution with ISE posturing. We ran into a few issues, and I was wondering if anyone else may have seen this or anything similar and can shed some light or input on the events below.

1. During the interface bonding configuration we created two interface bonds and ISE restarted services for both bonds; however, on one of them a few of the services were stuck in a hung state and just showed "not running". This required a reload of the appliance itself to correct.

2. When applying new certificates on the ISE nodes, after services restarted the certificate that was to be used for posture seemed not to be the one being used. This resulted in a trust issue on the client side. This also required a reload of the server to correct.

3. Once all nodes had interface bonding and new certificates applied, one of the PSNs had lost its connection to both of the AD domains that it was originally set up for and had to be manually rejoined.

The last thing I'm curious about is this: I know ISE requires services to be restarted when interface bonding is configured as well as when new certificates are applied for the admin GUI. When there are multiple changes being made to ISE and services have to be restarted multiple times, is it better to just reload the appliance at the end to ensure everything has come online properly again?

I know I will probably need to open TAC cases on these for further analysis but I figured I would check here first in case anyone has come across these before and could save a little time in creating multiple cases.

Thank you in advance for any assistance that can be offered.

Thanks,

Ryan


2 Replies

Arne Bier
VIP
VIP

I just recently built an ISE 2.4 deployment with SNS-3595 appliances and we bonded gig0 and gig1 together. I have to admit that I didn't have any issues, except that I was annoyed that it restarted services after I created the bond. But I am getting used to long wait times with this product. Nothing happens fast. It was a reminder for the next project to scope more time for all this waiting around, especially for larger deployments. Yes, so renewing the Admin cert will cause the web server to restart. I have to admit that it does strike me as weird that there is so much downtime. I think Cisco just restarts EVERYTHING to be on the safe side. But it does seem extreme.

 

Losing AD happens from time to time and the reasons are unknown to me, e.g. after a patch is applied or an upgrade. I think after an upgrade it's expected to happen and it's even mentioned somewhere in the docs. But my experience with upgrades is that the AD join was always fine. Go figure.

Prior to ISE 2.4, at times an AD domain becomes non-operational because domain controllers get blacklisted by some transient failures. ISE 2.4 introduces a score-based priority list to manage domain controllers, to address the issues seen earlier.

We addressed the loss of AD connections after upgrade in ISE 2.1 by CSCux04189.