Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2975
Views
15
Helpful
9
Replies

ISE 2.1.0.474 Patch 3 - No Longer can Sync With Secondary Node

James Davies
Level 1
Level 1

‎04-04-2017 08:05 AM - edited ‎03-11-2019 12:36 AM

Hi,

I have just a primary and secondary ISE nodes. (ISE 2.1.0.474)

I put patch 3 on this morning, and now in Deployment Screen, the secondary node has orange triangle saying it needs to sync up, so I do that, but its still hanging on "Registration or Sync in Progress"

I have rebooted both Nodes, but it does the same thing. Both nodes can ping each other via DNS and IP address.. is this a another bug?

Thanks

Labels:
0 Helpful
9 Replies 9

Rahul Govindan
VIP Alumni
VIP Alumni

‎04-04-2017 08:17 AM

The patches install sequentially - first primary and then secondary. You might have already checked this, but any chance that the Application server service is still not running on the secondary? On the CLI "show application status ise" should show that status.

0 Helpful

James Davies
Level 1
Level 1
In response to Rahul Govindan

‎04-04-2017 11:05 AM

From the Primary, it says the patch has been installed on both, and I can see the version in Server details.

I didnt think it runs on the secondary?, if I do a show application status ise, it says no applications are running on the secondary.

do you think an "application start ISE" is needed then?

0 Helpful

James Davies
Level 1
Level 1
In response to Rahul Govindan

‎04-04-2017 11:44 AM

Secondary Node:

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4559
Database Server                        running          96 PROCESSES
Application Server                     running          17259
Profiler Database                      running          14893
ISE Indexing Engine                    running          18414
AD Connector                           running          10342
M&T Session Database                   running          13823
M&T Log Collector                      running          17572
M&T Log Processor                      running          17438
Certificate Authority Service          running          3113
EST Service                            running          9767
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID Service                      disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled

Still hanging on "Sync in Progress"

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to James Davies

‎04-05-2017 04:42 AM

Looks like the Application server is running correctly on the secondary. Last thing I would check is certificates on both nodes to see if trust can be maintained. From all this, it looks more like a bug. You may want to open a TAC case for them to investigate this further.

0 Helpful

James Davies
Level 1
Level 1
In response to Rahul Govindan

‎04-05-2017 06:55 AM

Well, I fixed it.

Dont know if this was the cause or not, but I has a static DNS entry on the secondary node, as I didnt have DNS working at the time, removed this and restarted ise application,

they are now in Sync (I also rolled back Patch 3)

Thanks for looking at it with me.

junbo.zeng1
Level 1
Level 1
In response to James Davies

‎04-11-2017 09:30 PM

I am having the same issue. After I started the syncup process.

The status of all secondary nodes remained "in progress" for a very long time. Eventually, they will turn to "Not in Sync".

For the ISE nodes that are not online, they used to show as "Disconnected" with a red cross. Now they just simply show as "Not in Sync".

0 Helpful

James Davies
Level 1
Level 1
In response to junbo.zeng1

‎04-12-2017 01:22 AM

I rolled back the patch, it still wouldnt Sync, For me , it was a static DNS entry on the secondary I believe, I managed to get them into Sync and upgraded to 2.2

junbo.zeng1
Level 1
Level 1
In response to James Davies

‎04-18-2017 03:48 PM

Do you mean the ip name-server entry on your ISE node?

At the moment, all my ISE nodes have the same name server settings as following.

ip name-server DNS1 (IP address) DNS2 (IP address)

Currently, DNS1 is offline and DNS2 is online.

0 Helpful

RSundstrom
Level 1
Level 1
In response to junbo.zeng1

‎04-13-2017 01:55 PM

I had the same thing happen in my ISE 1.4 (two-node deployment). My secondary ISE node stayed in "Not in Sync". I opened a case with Cisco and this is what I had to do to cure it.

1. Make sure both ISE servers are handling policy service. Do not proceed until you are sure both ISE servers are providing policy service. If they are not both handling policy you will need to open a maintenance window with your organization.

2. From the CLI.

a. stop the ISE application. "app stop ise."

b. reload the application. "reload." My primary ISE server required 35 minutes to reload. Yours may take longer or shorter.

3. When the Primary has come back up make sure it is handling policy services. When you have verified it is then...

a. Go to Administration > Deployment.

b. Deregister the secondary ISE server. Mine took about 5 minutes to complete.

c. Then Register the secondary ISE node again. You will need the FQDN of the secondary ISE server and login credentials for it. The Register process took about 40 minutes for my deployment. You can monitor the process from the CLI of the secondary node with the command "show app status ISE".

d. Check your "External Identity Sources" after this process. I had to re-connect my secondary node to Active Directory.

Again, my deployment is ISE 1.4, but my problem was exactly what you are describing.

Customers Also Viewed These Support Documents