
ISE 2.6 alarm "Queue Link Error"

merylmohan
Level 1

Hi,

 

ISE 2.6 gives the alarm "Queue Link Error"

 

Description says:

"Please check and restore connectivity between the nodes. Ensure that the nodes are up and running. Ensure that ISE Messaging Service ports are not blocked by firewall. Please note that these alarms could occur between nodes, when the nodes are being registered to deployment or manually-synced from PPAN or when the nodes are in out-of-sync state or when the nodes are getting restarted"
 

All nodes are up and completely synced and have been up and running for more than 2 months. We have not restarted or resynced any of the nodes recently.

 

Any ideas why we see this error?

51 Replies

Yes, I could fix it together with TAC/Service Partner.

We installed some temporary PLUS Licenses. After that we could exchange the Certificates.

As I said, it worked, but it is pretty unsatisfying that I have to get some PLUS Licenses to resolve this kind of issue.

 


@AMDMan64 wrote:

Any luck fixing this?  Our environment is showing the same error.   I have a TAC case open and we're unable to get logging from one of our servers due to the error.  The odd thing is 3 of our 4 servers got new certs, but this one is refusing to - our second administration node.

We used to have Plus licensing and we moved away from it.  The hosts that are working generated certs after we moved away, which is the strangest part.

Definitely not a cool situation.  Who cares if you generate a CA, you can't use it for anything except generating certs for signing requests, so that error is completely worthless.


 

Thank you so much for this post. I've been troubleshooting this issue over a week.

 

So, basically we cannot have the ISE Messaging certificates signed by our own CA. It must be issued by ISE internal CA, otherwise ISE Messaging breaks.

Thanks, it worked for me after syncing manually.

 

Mike.Cifelli
VIP Alumni

FYSA I just migrated to a brand new cluster at a customer site on Friday (10/9/20) running 2.7 patch 2. I also hit the queue link bug identified here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp45528/?rfs=iqvred

Re-generating ISE Root CA certs and then the messaging service certs resulted in fixing system summary and blank (radius/tacacs) live log issues.

R M C
Level 1

Hi All

 

Sorry to dredge up an old post, but I have been experiencing this issue also.  Queue link error due to invalid ISE Messaging cert. 

We have a simple primary/secondary node deployment and I could see that the Certificate Services Node CA in the chain was issued by a root CA that didn't exist, in my case the secondary node.

 

I was unable to perform the Generate CSR for the ISE Root CA fix previously as our deployment only has Base licences, it was saying Plus licences required, however after upgrading to 2.6 Patch 10, previously on Patch 5, I was able to generate the CSR and update the CA chain.  It automatically updated the ISE messaging cert so I didn't have to generate a CSR for that.

 

Live logs are back and queue link error no more....

 

We are due to upgrade to 2.7 soon... so I am hoping it doesn't re-introduce the issue...  Hopefully now the trust chain is fixed it will be OK.

 

Hopefully this will help someone.
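
The broken trust chain described in the post above (a Node CA issued by a root that is no longer in the deployment) can be checked offline once the certificates are exported as PEM files. This is an added example, not part of any post in this thread and not Cisco tooling; it builds a constructed demo PKI with `openssl`, and every subject name and file name in it is an assumption.

```bash
#!/usr/bin/env bash
# Added example. The PKI built here is constructed test data; all subject
# names and file names are assumptions, not values from an ISE deployment.

# chain_ok ROOT NODE_CA LEAF: exit 0 only if LEAF verifies via NODE_CA up to ROOT.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# cert_cn CERT FIELD: print the CN of FIELD (issuer or subject).
cert_cn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt multiline | sed -n 's/^ *commonName *= *//p'
}

# make_demo_chain DIR: build two roots, then a node CA and a messaging leaf that
# hang off the "old" root, mimicking a node CA issued by a root that is gone.
make_demo_chain() {
  local d=$1 r
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for r in old current; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA - $r" \
      -keyout "$d/$r-root.key" -out "$d/$r-root.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Node CA" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/node.csr" -CA "$d/old-root.pem" -CAkey "$d/old-root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/node-ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-messaging" \
    -keyout "$d/msg.key" -out "$d/msg.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/msg.csr" -CA "$d/node-ca.pem" -CAkey "$d/node.key" \
    -CAcreateserial -days 30 -out "$d/msg.pem" 2>/dev/null
}

# Demo: the messaging cert fails against the root the deployment trusts now.
demo_dir=$(mktemp -d)
if make_demo_chain "$demo_dir"; then
  echo "node CA issuer: $(cert_cn "$demo_dir/node-ca.pem" issuer)"
  echo "trusted root:   $(cert_cn "$demo_dir/current-root.pem" subject)"
  chain_ok "$demo_dir/current-root.pem" "$demo_dir/node-ca.pem" "$demo_dir/msg.pem" \
    && echo "chain OK" || echo "chain BROKEN: node CA's issuer is not the trusted root"
fi
rm -rf "$demo_dir"
```

Against real exports, `chain_ok` and `cert_cn` are the only parts needed: a node CA whose issuer CN does not match the subject of any root in the trusted store is the condition the post describes.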

Hi @R M C,

This behavior was identified with bug CSCvt94587 (although in release notes, apparently not public), which was fixed in patch 10 for v2.6.

Same bug is fixed in patch 5 for v2.7.

Once Root CA is generated, you are good now, for the next 5 years (this is how long the ISE Messaging certificate is issued for by default).

Btw, there was an easy workaround here: disable use of the ISE Messaging Service (under Administration / System / Logging, the checkbox Use "ISE Messaging Service" for UDP Syslogs delivery to MnT). After you uncheck this option, ISE exchanges data the traditional way, all logs are visible and there is no more alarm.

BR,

Milos

spaansj05
Level 1

This issue popped up just a bit ago on my ISE deployment that I upgraded from 2.4 (with latest patch) to 3.0 Patch 4. I did not do a direct upgrade, I did a backup and restore upgrade, meaning I built new nodes and restored the data from the old nodes to the new nodes. After getting the cluster up and running I started seeing error logs in ISE and found this thread.

 

Regenerating the certs for Root CA and Messaging Service seems to have fixed the issue.