
ISE 1.1.2 failover - Synchronization issue

Hi everyone,

Scenario:

I've deployed two Cisco ISE 1.1.2 nodes as follows:

Node 1 as Primary Admin, Policy Server and Monitoring

Node 2 as Secondary Admin, Policy Server and Monitoring

All configured roles work as expected.

Problem:

Once I promote Node 2 (Secondary node) to become the Primary, the problem takes place as described below:

1- Node 2 restarts the ISE Application and assumes the Primary Admin, Policy Server roles (but Monitoring role remains as Primary)

2- Node 1 restarts the ISE Application too and assumes the Secondary Admin, Policy Server roles (but Monitoring role remains as Secondary)

After the ISE Application comes up on both nodes, the synchronization status appears as NODE NOT REACHABLE.

Has anyone faced this issue before, or does anyone have any idea about it?

Thanks in advance.

2 Replies

bikespace
Level 1

I may have misunderstood your problem, but.... for your first problem, are you expecting the Monitor node status to change when you promote node 2? You're only promoting the admin role, the monitor role will remain unchanged unless you choose to change which is primary monitor node too (totally separate).

2nd problem. Sounds like certificate maybe? What are you using in the way of certs for the nodes to auth each other? Did you swap the self-signed certs for instance between nodes? Changed certs recently and not deleted old ones? I've seen old certs which seem to have been deleted hang around until a full reload.

Hello guys,

I've got the problem solved.

Both nodes are in different locations and they are behind a firewall in each location.

The problem was a wrong NAT statement on the firewall that Node 2 resides behind. This NAT was preventing Node 2 from initiating the database synchronization.

Thank you so much!