04-29-2019 01:37 AM
Hi,
ISE 2.6 gives the alarm "Queue Link Error"
Description says :
All nodes are up and completely synced and have been up and running for more than 2 months. We have not restarted or resynced any of the nodes recently.
Any ideas why we see this error?
04-29-2019 08:10 AM - edited 04-29-2019 08:12 AM
It seems you have already engaged Cisco TAC support. If so, please continue working with the support that way.
I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528
11-20-2019 03:10 AM
Hi @ferenc.vissers ,
Please check if the CA service is running. Sample output from my lab:
ise101/admin# show application status ise
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2427
Database Server                        running          106 PROCESSES
Application Server                     running          50634
Profiler Database                      running          4738
ISE Indexing Engine                    running          52494
AD Connector                           running          13555
M&T Session Database                   running          4547
M&T Log Processor                      running          9849
Certificate Authority Service          running          13302
You can also go to Certificates -> Certificate Authority -> Internal CA settings and check if it shows running.
09-09-2019 06:53 AM
Hi guys,
We have the same problem - version 2.6.0.156, Patch 2 - not service impacting, but the customer has access to the ISE portal and is also getting the emails from ISE with the alert.
****************************************************
Alarm Name :
Queue Link Error
Details :
Queue Link Error: Message=From ISE2 To ISE1; Cause={tls_alert;"unknown Ca"}
Description :
The queue link between two nodes in the ISE deployment is down.
****************************************************
Both nodes are up and in sync, certs present.
Is there a known fix?
Regards
11-09-2021 08:42 AM
Hi Lulian,
Recently I found this issue due to additional certificates issued (customer changed the name of some nodes). I deleted the extra certificates and everything seems to work now. Take a look at the CA certificates.
09-26-2019 08:44 AM
@hslai wrote:
It seems you have already engaged Cisco TAC support. If so, please continue working with the support that way.
I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528
The issue is NOT resolved. The bug ID stated that the issue is resolved in version 2.6 patch 2. Guess what, I am getting the same message and I am running version 2.6 patch 2:
Queue Link Error: Message=From ise1.webcast.com To ise2.webcast.com; Cause={tls_alert;"unknown Ca"}
09-26-2019 09:06 AM
@cciesec2011 wrote:
@hslai wrote:
It seems you have already engaged Cisco TAC support. If so, please continue working with the support that way.
I found recent bugs filed on that alarm -- CSCvp45147 and CSCvp45528
The issue is NOT resolved. The bug ID stated that the issue is resolved in version 2.6 patch 2. Guess what, I am getting the same message and I am running version 2.6 patch 2:
Queue Link Error: Message=From ise1.webcast.com To ise2.webcast.com; Cause={tls_alert;"unknown Ca"}
You will need to escalate through TAC and make them aware. This forum is not for troubleshooting. For more information on getting help from the community, please visit https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356
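For anyone triaging these alerts in bulk, the alarm "Details" lines quoted in the posts above can be parsed and grouped per node pair to see which links fail, in which direction, and with what cause. This is an added example, not part of any post and not Cisco code; the regular expression is inferred from the two alarm lines quoted in this thread, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# Pattern inferred from the "Details" lines quoted in this thread (assumption).
ALARM_RE = re.compile(
    r'Queue Link Error:\s*Message=From\s+(?P<src>\S+)\s+To\s+(?P<dst>\S+?)\s*;'
    r'\s*Cause=\{(?P<kind>[^;}]+);\s*"(?P<reason>[^"]*)"\}'
)

def parse_alarm(line):
    """Return (src, dst, kind, reason), or None if the line is not this alarm."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    return (m["src"].lower(), m["dst"].lower(),
            m["kind"].strip(), m["reason"].strip().lower())

def summarize(lines):
    """Group alarms per node pair; record directions seen and cause counts."""
    links = defaultdict(lambda: {"directions": set(), "causes": defaultdict(int)})
    for line in lines:
        parsed = parse_alarm(line)
        if parsed is None:
            continue  # unrelated alarm or free text
        src, dst, kind, reason = parsed
        pair = tuple(sorted((src, dst)))
        links[pair]["directions"].add((src, dst))
        links[pair]["causes"][(kind, reason)] += 1
    return {
        pair: {"both_directions": len(info["directions"]) == 2,
               "causes": dict(info["causes"])}
        for pair, info in links.items()
    }

# Lines 1-2 are quoted from the thread; lines 3-4 are constructed samples.
SAMPLE = [
    'Queue Link Error: Message=From ISE2 To ISE1; Cause={tls_alert;"unknown Ca"}',
    'Queue Link Error: Message=From ise1.webcast.com To ise2.webcast.com; Cause={tls_alert;"unknown Ca"}',
    'Queue Link Error: Message=From ise2.webcast.com To ise1.webcast.com; Cause={tls_alert;"unknown Ca"}',
    'High Disk Utilization: constructed unrelated alarm',
]

if __name__ == "__main__":
    for pair, info in summarize(SAMPLE).items():
        print(pair, info)
```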
10-21-2019 06:04 AM - edited 10-21-2019 06:07 AM
Hi,
When a new installation of an ISE 2.6 is made and patch 2 is installed, which should fix the bug, in my case the bug appears again.
The described workaround also contains a wrong statement. There is no usage "ISE Root CA". If usage "Admin" is selected, which is most likely the case, the bug persists.
Is there another workaround or deadline for patch 3 that will hopefully resolve this? I'm also waiting for Patch 3 to fix the delivery of the certificate chain (similar to ISE 2.4 Patch 10: CSCvp75207).
Regards
10-22-2019 01:03 AM
10-22-2019 05:21 AM
Thanks for the quick answer. Curious was also the content in the internal CA. Here was the ISE Root CA, Sub CA, Endpoint CA, ... listed several times.
We decided to uninstall patch 2, then install patch 1 and then patch 2 again. Currently the bug has disappeared. Hopefully also permanently.
Regards
10-23-2019 04:12 AM - edited 10-25-2019 02:17 AM
Update to my post.
The solution was not permanent. We will do a rollback of patch 2 and maybe go to patch 1 and hope that this works. With rollback to ISE 2.6 without patch and reinstallation of patch 1 and 2 it lasts only one day without error.
Installation steps performed:
1. Setup 2x ISE 2.6 VMS with ISO "ise-2.6.0.156.SPA.x86_64.iso 18-Feb-2019"
2. Configuring the ISE environment with importing a backup of previous installation and making customizations
3. Sign CSR for Admin and EAP usage with internal PKI for ISE01 and ISE02
4. Apply Patch 2 "ise-patchbundle-2.6.0.156-Patch2-19072502.SPA.x86_64.tar.gz 26-Jul-2019" (updated Post. Patch 2 was installed before the node registration)
5. Register (by the way successfully with no error) Node ISE02 to Admin Node ISE01
6. "Queue Link Error" after a few hours.
Regards
10-24-2019 12:35 AM
11-12-2019 06:08 AM
Patch 3 installed, no luck here.
11-18-2019 01:09 PM
Not a guarantee, but I had this bug after a fresh install with Patch 3.
Here is what fixed mine. The bug workaround is not the best description, but below is more detailed.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred
Go to Certificates > Certificate Signing Request
Change the drop down from Multi-Use to ISE Root CA
This will change the form to just a button to replace the ISE Root CA chain. This did not cause a reboot.
This fixed the queue link error, live logs, and node status.
11-19-2019 12:10 AM
Hi,
Thanks, but what if there is no option 'ISE Root CA'?
11-19-2019 01:47 PM
The solution proposed by @Dustin Anderson worked for me too.
To replace the ISE Internal CA cert, you need to create a signing request (yeah it's a bit weird to create a request that is fulfilled by the requester ...)