tkoli
Beginner

ISE 2.3 unable to register ISE node

Hi,
     When I tried to register a standalone ISE node to the primary ISE node, I'm getting the following error. I have exchanged the default self-signed certificates on both ISE nodes. Can someone help me solve this error, please?
error:
Unable to authenticate ISE ise2.admin.com. Please check certificate configuration.
Make sure from 'Primary Admin node', system certificate chain of registering node is present in 'Trusted certificates' and is enabled with 'Trust for authentication within ISE' option selected
 
1 ACCEPTED SOLUTION

Accepted Solutions
AlexPi
Beginner

On your primary node, go to Administration – Certificates. Then, from the left-hand side menu, under Certificate Management, go to Trusted Certificates. There you will see all your trusted certificates, and some of them, under Trusted For (3rd column), will state Cisco Services. I would try to export those, then import them to the secondary node and try registering the secondary to your deployment again.

 

Some advice, as I did the upgrade to 2.3.0.298 about a month ago myself, that might not be relevant to your issue, but can cause you many more headaches!

 

  1. Ensure that you have both forward and reverse lookup zones on your DNS, or else the ISE Indexing Engine will not start without reverse lookup zones for the ISE servers in the DNS, which in turn will cause issues with the Application Server service.
  2. If you are on VMware, do not use any snapshots or snapshot-based backups, because 2.3, as previously 1.4, will be very unstable: random services in ISE will not start, and the VM will eventually hang and need a “hardware” reboot.

 

Both of the above happened to me and both were confirmed with Cisco TAC.

 

Hope that was helpful

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------


6 REPLIES 6
Rob Ingram
VIP Mentor

Hi,
Just to confirm, you exported the "Admin" certificate from ISE2 and imported this certificate into the Trusted Certificates store on ISE1? Did you select the tick boxes to trust authentication?

Hi,

 Thanks for your reply. The problem is solved; it was a DNS forward lookup issue and I fixed it. Thank you once again for helping me in troubleshooting.

 

 

 

Hello,

Can you tell me what was the DNS problem and what did you do to fix it?

 

Thank you!


tkoli
Beginner

Answer:

     I came to know that for ISE 2.3 or higher versions there is no need to exchange certificates; while you are registering an ISE node, it will ask you to accept the certificate. The mistake which I made was DNS forward lookup: the ISE hosts should be added in DNS forward lookup.

And the problem is solved...
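
The forward and reverse lookup requirement raised in the replies above can be checked before attempting registration. This is an added example, not part of the original thread and not Cisco code; every hostname other than ise2.admin.com and all addresses are constructed, and the resolver functions are injectable so the sample runs offline.

```python
import socket

def system_forward(fqdn):
    # A records as seen by this host's resolver (which also reads /etc/hosts).
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})

def system_reverse(ip):
    # PTR lookup; raises socket.herror (an OSError) when no record exists.
    return socket.gethostbyaddr(ip)[0]

def check_node_dns(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of DNS problems for one node; empty means both directions agree."""
    try:
        addrs = forward(fqdn)
    except OSError:
        return [f"{fqdn}: no forward (A) record"]
    problems = []
    for ip in addrs:
        try:
            name = reverse(ip)
        except OSError:
            problems.append(f"{fqdn}: {ip} has no reverse (PTR) record")
            continue
        if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{fqdn}: {ip} reverses to {name}, not the node FQDN")
    return problems

def table_lookup(table):
    """Build an offline resolver from a dict; a missing key behaves like NXDOMAIN."""
    def lookup(key):
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return lookup

# Constructed sample zone data (documentation address range), not from the thread.
SAMPLE_A = {"ise1.admin.com": ["192.0.2.10"], "ise2.admin.com": ["192.0.2.11"],
            "ise3.admin.com": ["192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.10": "ise1.admin.com", "192.0.2.12": "old-psn.admin.com"}

if __name__ == "__main__":
    fwd, rev = table_lookup(SAMPLE_A), table_lookup(SAMPLE_PTR)
    for node in ("ise1.admin.com", "ise2.admin.com", "ise3.admin.com", "ise4.admin.com"):
        for line in check_node_dns(node, fwd, rev) or [f"{node}: forward and reverse agree"]:
            print(line)
```

Calling `check_node_dns("ise2.admin.com")` with the default resolvers queries live DNS; run it from a host that uses the same DNS servers as the ISE nodes, since a local hosts file can mask a missing zone record.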

TTGP
Beginner

I am receiving this same error. But I am able to ping between the PAN and PSN with both IP and FQDN. The certificate is in the trusted certificates with the option 'Trust for authentication within ISE' checked. There is a firewall in between with permit ip rules for the two IP addresses. I get the PAN I get the import certificates window. On my log viewer I can see the PAN going out on 443 to the PSN and getting TCP FINs, and the connection tears down. What am I missing?
