05-09-2018 11:08 PM - edited 02-21-2020 10:55 AM
Make sure from 'Primary Admin node', system certificate chain of registering node is present in 'Trusted certificates' and is enabled with 'Trust for authentication within ISE' option selected
Accepted Solutions
05-11-2018 12:29 AM
On your primary node, go to Administration – Certificates. Then from the left-hand side menu, under Certificate Management, go to Trusted Certificates. There you will see all your trusted certificates, and some of them under Trusted For (3rd column) will state Cisco Services. I would try to export those, then import them to the secondary node and try registering the secondary to your deployment again.
Some advice, as I did the upgrade to 2.3.0.298 about a month ago myself, that might not be relevant to your issue, but can cause you many more headaches!
- Ensure that you have both forward and reverse lookup zones on your DNS, or else ISE Indexing Engine will not start without reverse lookup zones for the ISE servers in the DNS, which in turn will cause issues with the Application Server service
- If you are on VMware, do not use any snapshots or snapshot based backups, because 2.3 as previously 1.4, will be very unstable, random services in ISE will not start and the VM will eventually hang and it will need “hardware” reboot
Both of the above happened to me and both were confirmed with Cisco TAC.
Hope that was helpful.
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------
05-10-2018 02:13 AM
Just to confirm, you exported the "Admin" certificate from ISE2 and imported this certificate into the Trusted Certificates store on ISE1? Did you select the tick boxes to trust authentication?
05-11-2018 02:50 AM
Hi,
Thanks for your reply. The problem is solved; it was a DNS forward lookup issue and I fixed it. Thank you once again for helping me in troubleshooting.
02-27-2019 02:01 AM
Hello,
Can you tell me what was the DNS problem and what did you do to fix it?
Thank you!
05-11-2018 02:56 AM
Answer:
I came to know that for ISE 2.3 or higher there is no need to exchange certificates; while you are registering an ISE node it will ask you to accept the certificate. The mistake I made was with DNS forward lookup: the ISE hosts should be added in the DNS forward lookup zone.
And the problem is solved...
12-16-2019 08:17 AM
I am receiving this same error. But I am able to ping between the PAN and PSN with both IP and FQDN. The certificate is in the trusted certificates with the option 'Trust for authentication within ISE' checked. There is a firewall in between with permit ip rules for the two IP addresses. On the PAN I get the import certificates window. In my log viewer I can see the PAN going out on 443 to the PSN and getting TCP FINs, and the connection tears down. What am I missing?
01-08-2024 07:49 AM
Hit this one on 3.2 and commenting for anyone's visibility.
Issue was due to 2 different things:
1. DNS resolution in both directions between PAN and new node wasn't working. New node DNS server configuration was pointed at incorrect server.
2. After DNS resolution was corrected, it was discovered the new server's subdomain configuration was slightly off (and, because of that, so was the self-signed certificate).
PAN was looking for isenode.example.company.com when the new node was only configured as isenode.company.com.
Hope this helps!
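A pre-registration check that covers the failure modes described in the accepted answer (missing forward or reverse DNS zones for the ISE nodes) and in the 3.2 post above (the node's FQDN and self-signed certificate not matching the name the PAN expects). This is an added example, not Cisco tooling: `check_node`, `dict_resolver`, the hostnames and the 10.0.0.20 address are constructed for the demo; with the default resolvers it queries the system DNS for real nodes.

```python
"""Pre-registration check for an ISE node: DNS in both directions plus
certificate name agreement. Added example, not Cisco tooling; the zone
tables in demo() are constructed."""
import socket
from typing import Callable, List

Lookup = Callable[[str], str]  # name->ip or ip->name; raises OSError on a miss


def dict_resolver(table: dict) -> Lookup:
    """Resolver backed by a constructed table, standing in for real DNS."""
    def lookup(key: str) -> str:
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return lookup


def check_node(fqdn: str, node_ip: str, cert_names: List[str],
               forward: Lookup = socket.gethostbyname,
               reverse: Lookup = lambda ip: socket.gethostbyaddr(ip)[0]) -> List[str]:
    """Findings for the FQDN the PAN will use to register the node (empty = OK):
    forward lookup must hit node_ip, reverse lookup of node_ip must give the
    same FQDN back, and the FQDN must be among the node certificate's names."""
    fqdn = fqdn.rstrip(".").lower()
    findings: List[str] = []
    try:
        got_ip = forward(fqdn)
        if got_ip != node_ip:
            findings.append(f"forward lookup of {fqdn} gave {got_ip}, expected {node_ip}")
    except OSError as exc:
        findings.append(f"forward lookup failed for {fqdn}: {exc}")
    try:
        ptr = reverse(node_ip).rstrip(".").lower()
        if ptr != fqdn:
            findings.append(f"reverse lookup of {node_ip} gave {ptr}, not {fqdn}")
    except OSError as exc:
        findings.append(f"reverse lookup failed for {node_ip}: {exc}")
    names = {n.rstrip(".").lower() for n in cert_names}
    if fqdn not in names:
        findings.append(f"certificate names {sorted(names)} do not include {fqdn}")
    return findings


def demo() -> List[str]:
    """Reproduce the 3.2 post: the PAN expects isenode.example.company.com, but the
    node's hostname, self-signed certificate and PTR all say isenode.company.com."""
    forward = dict_resolver({"isenode.company.com": "10.0.0.20"})
    reverse = dict_resolver({"10.0.0.20": "isenode.company.com"})
    return check_node("isenode.example.company.com", "10.0.0.20",
                      ["isenode.company.com"], forward, reverse)
```

Run `demo()` to see all three findings at once; an empty list from `check_node` for each node is the state you want before clicking Register on the PAN.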
