ISE 2.7 Clustering Issue

viv42
Level 1

Hi Team,

I have a total of 4 ISE nodes on medium-size VMs. Previously they were on 2.3, where we were facing multiple issues. Recently I migrated the servers with a fresh installation of version 2.7 patch 9 on a newly created VM host using the ISO image. I installed these nodes one by one in standalone mode, configured the same policies and IP schema, and dismantled the old VM host servers.

Out of the 4 nodes, 3 successfully joined the cluster and are working fine. One was able to re-register but is not getting synced with the others.

I tried de-registering, stopping and starting the services, a reload, and a factory reset, but it was still not able to sync. The error says to de-register the node and register it again.

I have also checked reachability: from the affected node I am able to ping and do a DNS lookup of all the other nodes.

Please suggest any further troubleshooting if possible.

Accepted Solution

Nancy Saini
Cisco Employee

Check things in the following order:

  1. The PAN should be able to do both a forward and a reverse nslookup of the affected node.
  2. Check that communication is allowed between the PAN and the problematic node on TCP 443, 12001 and 8671.
  3. Take a packet capture on the PAN while registering the node and check the communication with the problematic server's IP. (Check whether the SSL handshake completes on the TCP ports mentioned in #2.)
  4. You can also run "show logging application replication.log tail" on the problematic node while doing the registration and check whether any exceptions or error messages are seen.

If nothing conclusive is found, I would suggest reaching out to TAC.
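The first three checks above, as an added example that is not part of the original post or of Cisco's code: a Python script run from an administrative host (not on the ISE CLI) that does the forward/reverse lookup consistency check, the TCP reachability check on 443, 12001 and 8671, and then a TLS handshake on each reachable port. The handshake test stands in for the packet capture in #3; it proves only that the node answers TLS on that port, not what the PAN itself negotiates. The hostname ise-psn4.example.com and the IP 10.0.0.14 are placeholders, the resolver and reverse-resolver arguments are injectable so the DNS logic can be exercised offline, and step #4 (replication.log) stays on the ISE CLI.

```python
"""Pre-registration connectivity checks for an ISE node (added example,
not Cisco's code). Run from an admin host that sits on the same network
as the PAN. Hostname and IP below are placeholders."""
import socket
import ssl

# TCP ports the PAN must reach on the node being registered (from the post).
ISE_REGISTRATION_PORTS = (443, 12001, 8671)


def dns_roundtrip(hostname, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve hostname, then reverse-resolve the resulting IP.

    Returns (ok, detail). ok is True only when the PTR name matches the
    hostname (case-insensitive, trailing dot ignored). resolve/reverse are
    injectable so the logic can be tested without a live resolver."""
    try:
        ip = resolve(hostname)
    except OSError as exc:
        return False, "forward lookup of %s failed: %s" % (hostname, exc)
    try:
        ptr_name, _aliases, _addrs = reverse(ip)
    except OSError as exc:
        return False, "%s resolved to %s but reverse lookup failed: %s" % (hostname, ip, exc)

    def norm(name):
        return name.rstrip(".").lower()

    if norm(ptr_name) != norm(hostname):
        return False, "PTR mismatch: %s -> %s -> %s" % (hostname, ip, ptr_name)
    return True, "%s <-> %s" % (hostname, ip)


def tcp_port_open(host, port, timeout=3.0):
    """Plain TCP connect. A firewall drop shows up as a timeout, a missing
    listener as 'connection refused'; both are reported in detail."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except OSError as exc:
        return False, str(exc)


def tls_handshake(host, port, timeout=5.0):
    """Complete a TLS handshake without chain verification (a fresh ISE
    node usually still has a self-signed admin certificate). Returns
    (ok, negotiated protocol and cipher, or the error)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "%s with %s" % (tls.version(), tls.cipher()[0])
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)


def check_node(hostname, ports=ISE_REGISTRATION_PORTS):
    """Run the checks in the order the post suggests; returns a dict of
    check name -> (ok, detail). TLS is only attempted on ports that
    accepted the TCP connection."""
    results = {"dns": dns_roundtrip(hostname)}
    for port in ports:
        tcp = tcp_port_open(hostname, port)
        results["tcp:%d" % port] = tcp
        if tcp[0]:
            results["tls:%d" % port] = tls_handshake(hostname, port)
    return results


if __name__ == "__main__":
    import sys
    # Placeholder node name; pass the real FQDN as the first argument.
    node = sys.argv[1] if len(sys.argv) > 1 else "ise-psn4.example.com"
    for check, (ok, detail) in check_node(node).items():
        print("%-10s %s  %s" % (check, "OK  " if ok else "FAIL", detail))
```

Run it once from the admin host against the problematic node's FQDN and once against the PAN's FQDN; a PTR mismatch or a timeout on 12001 or 8671 is the kind of result that explains "registers but never syncs", whereas a clean run points back at the replication.log step on the node itself.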

6 Replies

marce1000
Hall of Fame


  - Consider migrating to (more) recent version(s) of ISE : https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

 M.



-- Each morning when I wake up and look into the mirror I always say "Why am I so brilliant?"
    The mirror will then always respond to me with "The only thing that exceeds your brilliance is your beauty!"

Did you try "application reset-config ise" on the node that is giving these issues? If so, maybe you can move the primary PAN persona to the secondary PAN and see if that helps. Alternatively, I would try to get TAC engaged.

Hi Aref,

The affected node is a PSN that is not able to sync with the other nodes. I have already tried "application reset-config ise" but it didn't work.

The node was able to register within a minute, but after that it was not able to sync.

I would try moving the primary PAN as suggested before; alternatively, I think TAC could help. If not, redeploying that node from scratch would be a fairly quick option.


viv42
Level 1

Hi Aref, thank you for the suggestion. I will go for redeploying if none of the troubleshooting works.


Hi Nancy,

I will check all of the things which you mentioned in your reply and will let you know.