IP name Servers

ziggyzwy
Level 1

We recently had an issue where our primary IP name server's DNS stopped responding. However, the ISE node did not fail over to the secondary name servers, and this broke all users in the child domain that was no longer resolving. Is there a way to help ISE fail over to secondary name servers for DNS?

We waited for our server team to address the issue and then everything started working.

Thanks!

1 Accepted Solution

Accepted Solutions

ChrisMurray
Cisco Employee

Hi Chris

The OS DNS resolver needs to see 'no response' before it will decide to fail over to your secondary. So if you get a response from the primary, but some records are incorrect/missing, it's not smart enough to know it should fail over to the secondary.

Chris

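The accepted answer's point, that a stub resolver only moves to the next name server when it gets no reply, is easy to misjudge when the "broken" server is up and answering. The following is an added example, not code from this thread or from ISE, that models that rule over a constructed outcome table (the 10.0.0.x server addresses, the child.domain.com record and the 10.1.1.5 answer are all made up). It assumes the retry set of a glibc-style resolver (timeouts, SERVFAIL and REFUSED move on to the next server; NOERROR and NXDOMAIN are accepted as final), which the thread itself does not spell out, and adds a small audit routine that flags any configured server whose answer disagrees with the others, the condition the original poster hit.

```python
"""
Model of stub-resolver failover, plus a consistency audit across name servers.
Added example; not Cisco/ISE code. Server addresses and replies are constructed.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Reply:
    rcode: str                      # "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED" or "TIMEOUT"
    address: Optional[str] = None   # answer record, if any

# Constructed sample: what each configured server says for child.domain.com.
# The primary is up and answers, but its zone data lacks the child record;
# the secondary and tertiary are correct.
SAMPLE_OUTCOMES = {
    "10.0.0.1": Reply("NXDOMAIN"),             # misconfigured primary: answers, wrongly
    "10.0.0.2": Reply("NOERROR", "10.1.1.5"),
    "10.0.0.3": Reply("NOERROR", "10.1.1.5"),
}

# Assumed glibc-style behaviour: only these outcomes make the resolver try the
# next server. A NOERROR or NXDOMAIN reply is treated as the final answer.
TRY_NEXT_SERVER = {"TIMEOUT", "SERVFAIL", "REFUSED"}

def resolve_with_failover(servers, outcomes, attempts=2):
    """Walk the name-server list the way a stub resolver does.

    Returns (address_or_None, server_that_gave_the_final_reply_or_None, trace),
    where trace lists every (server, rcode) seen in order.
    """
    trace = []
    for _ in range(attempts):
        for srv in servers:
            reply = outcomes.get(srv, Reply("TIMEOUT"))
            trace.append((srv, reply.rcode))
            if reply.rcode in TRY_NEXT_SERVER:
                continue
            # Any definitive reply ends the lookup, even a negative one.
            return reply.address, srv, trace
    return None, None, trace

def audit_servers(outcomes):
    """Defender's check: return the servers whose (rcode, address) differs from
    the majority answer, so a misconfigured primary is caught before clients
    depend on it."""
    answers = {srv: (r.rcode, r.address) for srv, r in outcomes.items()}
    tally = {}
    for ans in answers.values():
        tally[ans] = tally.get(ans, 0) + 1
    majority = max(tally, key=tally.get)
    return sorted(srv for srv, ans in answers.items() if ans != majority)

if __name__ == "__main__":
    order = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    # Primary up but wrong: the lookup fails without ever asking the secondary.
    print("primary misconfigured:", resolve_with_failover(order, SAMPLE_OUTCOMES))
    # Primary actually down: the resolver fails over and gets the right answer.
    down = {**SAMPLE_OUTCOMES, "10.0.0.1": Reply("TIMEOUT")}
    print("primary down:", resolve_with_failover(order, down))
    print("servers disagreeing with the majority:", audit_servers(SAMPLE_OUTCOMES))
```

The first run shows the thread's situation: the primary replies NXDOMAIN, so the resolver stops there and never consults the secondary, even though the secondary holds the record. Only the second run, where the primary gives no reply at all, produces failover. The audit routine is the operational check that follows from this: query every configured server for a record you care about and alert when their answers differ, rather than waiting for failover that will not come.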

5 Replies

howon
Cisco Employee

ISE should have failed over if there was no DNS response. In what version of ISE did you see this behavior? Also, was the primary DNS server truly down, as in not responding to DNS requests, or is it possible the DNS server was still responding, but without a proper response?

According to our systems guys, the DNS zone file was not set up correctly on the primary DNS name server for the node.

I was able to traceroute from the node to the domain controller and ping the domain controller, but DNS was failing for child.domain.com.

This was the message that I received from the primary name server:

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.

The secondary and tertiary DNS name servers were set up correctly and provided the correct IP address for child.domain.com.

In the Active Directory Diagnostic Tool, it was unable to locate the domain controller for the child domain in question and all tests failed. Once our systems team updated the primary DNS server for the node, everything started working again.

Very weird behavior indeed.

ISE 2.0.306 patch 3

There is a difference between the DNS server being misconfigured and the DNS server being down. If the server was up but misconfigured, it is very likely the secondary server would not be used.

George

Hi Chris,

Thank you, that does make sense of how the failover works.

Chris