Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1679
Views
0
Helpful
5
Replies

ISE 2.1 unable to register secondary node

kotniks
Level 1
Level 1

‎10-13-2016 05:47 AM - edited ‎03-11-2019 12:08 AM

Scenario:

I have up and running ISE 2.1 appliance 3415. Its role is set to Primary. When I try to register other node as Secundary everything looks fine.

I get the status Pending, but then it fails with error.

I have reset-config to factory defaults on node I am trying to connect with no luck.

Any ideas?

2 people had this problem
Labels:
0 Helpful
5 Replies 5

AshleyLewis27
Level 1
Level 1

‎10-13-2016 06:13 AM

From just doing it myself make sure it resolves via DNS correctly and you have the certificate from the secondary in the primarys trusted certs with ISE authentication ticked.

What error are you getting?

0 Helpful

kotniks
Level 1
Level 1
In response to AshleyLewis27

‎10-13-2016 06:18 AM

DNS resloves correcly, certificates are trusted on both nodes and used for Infrastructure.

I have done this several time without problems up until now.

If DNS or certs are not ok, ISE stops you from even starting the sync.

In my case I have status in progress and then than error code with registraton or sync failed. Deregister node and register it again.

0 Helpful

jan.nielsen
Level 7
Level 7
In response to kotniks

‎10-14-2016 03:40 PM

Remember that reverse DNS (PTR) records also must be in place for all ISE servers, if you only have forward records in DNS, it will fail once it tries to sync the nodes.

It's easy to test, do a "ping -a <ip of your ise server>", both should give you the name of your ise servers in DNS

Jan

0 Helpful

networknoob
Level 1
Level 1

‎01-10-2017 04:29 AM

Did you ever get this working? I am experiencing the same issue. I have three ISE nodes in the same node group and trying to add two more. Both of the new ise boxes will show up in the node list as in progress, and then fail after 3-4 hours. All of the boxes are running the same version, and ping -a works to all of the IP addresses. 

0 Helpful

kotniks
Level 1
Level 1
In response to networknoob

‎01-10-2017 11:02 PM

It was the issue with certificates. Do you use wildcard certificates by any chance?

Certificates were good for authetication, but then replication failed as there was a duplicate :) certificate on secundary node. Go to self signed certificates, join and after successful join. Activate wildcard certificates again (if your issue is the same of course).

0 Helpful
Customers Also Viewed These Support Documents