Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
13132
Views
20
Helpful
7
Replies

ise 2.3 unable to register ise node

Go to solution
tkoli
Level 1
Level 1

‎05-09-2018 11:08 PM - edited ‎02-21-2020 10:55 AM

Hi,
     when i tried to register ise standalone to primary ise node i'm getting following error, i have exchanged default self signed certificate on both the ise nodes. can some one help me to solve this error please.
psn.PNG
error:
Unable to authenticate ISE ise2.admin.com. Please check certificate configuration.
Make sure from 'Primary Admin node', system certificate chain of registering node is present in 'Trusted certificates' and is enabled with 'Trust for authentication within ISE' option selected
 
6 people had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
AlexPi
Level 1
Level 1

‎05-11-2018 12:29 AM

On your primary node, go to Administration – Certificates. Then from the left hand side menu, under Certificate Management, go to Trusted Certificates. There you will see all your Trusted certificates and some of them under Trusted For (3rd column) will state Cisco Services, I would try to export those, then import them to secondary node try registering the secondary to your Deployment again.

 

Some advice, as I did the upgrade to 2.3.0.298 about a month ago myself, that might not be relevant to your issue, but can cause you many more headaches!

 

  1. Ensure that you have both forward and reverse lookup zones on your DNS, or else ISE Indexing Engine will not start without reverse lookup zones for the ISE servers in the DNS, which in turn will cause issues with the Application Server service
  2. If you are on VMware, do not use any snapshots or snapshot based backups, because 2.3 as previously 1.4, will be very unstable, random services in ISE will not start and the VM will eventually hang and it will need “hardware” reboot

 

Both of the above happened to me and both were confirmed with Cisco TAC.

 

Hope that was helpful

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

View solution in original post

7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎05-10-2018 02:13 AM

Hi,
Just to confirm, you exported the "Admin" certificate from ISE2 and imported this certificate into the Trusted Certificates store on ISE1? Did you select the tick boxes to trust authentication?
0 Helpful

Go to solution
tkoli
Level 1
Level 1
In response to Rob Ingram

‎05-11-2018 02:50 AM

Hi,

 Thanks for your reply, Problem is solved, it was a DNS forward loolup issue and i fixed it, thank you once again for helping me in troubleshooting

 

 

 

Go to solution
Etlicher
Level 1
Level 1
In response to tkoli

‎02-27-2019 02:01 AM

Hello , 

Can you tell me what was the DNS problem and what did you do to fix it?

 

Thank you!

0 Helpful

Go to solution
AlexPi
Level 1
Level 1

‎05-11-2018 12:29 AM

On your primary node, go to Administration – Certificates. Then from the left hand side menu, under Certificate Management, go to Trusted Certificates. There you will see all your Trusted certificates and some of them under Trusted For (3rd column) will state Cisco Services, I would try to export those, then import them to secondary node try registering the secondary to your Deployment again.

 

Some advice, as I did the upgrade to 2.3.0.298 about a month ago myself, that might not be relevant to your issue, but can cause you many more headaches!

 

  1. Ensure that you have both forward and reverse lookup zones on your DNS, or else ISE Indexing Engine will not start without reverse lookup zones for the ISE servers in the DNS, which in turn will cause issues with the Application Server service
  2. If you are on VMware, do not use any snapshots or snapshot based backups, because 2.3 as previously 1.4, will be very unstable, random services in ISE will not start and the VM will eventually hang and it will need “hardware” reboot

 

Both of the above happened to me and both were confirmed with Cisco TAC.

 

Hope that was helpful

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

Go to solution
tkoli
Level 1
Level 1

‎05-11-2018 02:56 AM

Answer:

     I came to know that For ise 2.3 or higher version no need to exchange certificates, while you are registering ise node it will ask you to accept the certificate, the mistake which i made was DNS forward lookup, ise host's should be added in dns Forward lookup.

and the problem is solved...

0 Helpful

Go to solution
TTGP
Level 1
Level 1

‎12-16-2019 08:17 AM

I am receiving this same error. But, I am able to ping between the PAN and PSN with both IP and FQDN. The certificate is in the trusted certificate with the option checked 'Trust for authentication within ISE'. There is a firewall in between with permit ip rules for the two ip addresses. I get the PAN I get the import certificates window. On my log viewer I can see the the PAN going out on 443 to the PSN and getting TCP Fins and the connection tears down. What am I missing?

0 Helpful

Go to solution
Minnesotakid
Level 1
Level 1

‎01-08-2024 07:49 AM

Hit this one on 3.2 and commenting for anyone's visibility. 

Issue was due to 2 different things:

1. DNS resolution in both directions between PAN and new node wasn't working. New node DNS server configuration was pointed at incorrect server. 

2. After DNS resolution was corrected, it was discovered the new server's subdomain configuration was slightly off(and due to that, as was the self-signed certificate). 

PAN was looking for isenode.example.company.com when the new node was only configured as isenode.company.com

Hope this helps!

0 Helpful
Customers Also Viewed These Support Documents
Top