
ISE 2.7 TACACS Issue

neil.woodhouse
Level 1

Strange Device Admin issue in a new 2 node deployment.

Only 1 of the nodes will service TACACS requests.

Tested on both IOS and NX-OS and if they try to send TACACS requests to the 'secondary' node they fail and are not recorded in any ISE logs.

If I remove the Device Admin role from the secondary node and re-add it, TACACS starts working on this node but stops responding on the primary node.

If I then remove Device Admin from primary node and re-add, it starts working again on primary node but stops working on secondary.

 

2 x 3615 Appliances running ISE 2.7 Patch 2

Both nodes are configured with Admin, Monitoring, Policy Service (including Device Admin) and PXGrid

Using Smart Licensing, has 2 Device Admin licenses in portal (and shown correctly as 'in use')

 

I'd be grateful if anyone has seen this or something similar before and has any advice. I would go straight to TAC but there is an issue with the purchased support package being correctly registered and I'm waiting for it to get sorted by the customer / supplying partner.

 

Thanks

 

Neil

5 Replies

hslai
Cisco Employee

I've not seen such an issue before, nor have I been able to recreate it. Please engage Cisco TAC to troubleshoot.

Unfortunately as mentioned, TAC is not an option at the moment.

I have however managed to resolve this by disabling Device Admin on both nodes, rebooting both nodes and re-enabling Device Admin on both.

 

I know this is old.  But we are seeing this issue as well on 2.7 patch 2.

 

Two Policy Nodes. Both run Device Admin (TACACS). For some reason our primary node stopped working, but the secondary still works. If we disable and re-enable the Device Admin service on the primary it will work, but then the secondary immediately stops working. If you do the reverse then it switches! Very weird.

 

Posting to let people know this does happen. I'm going to try the method above to fix. Disable, reboot, re-enable Device Admin.

I've been lucky and not run into this behavior, but I also haven't enabled/disabled Device Admin functionality on 2.7. I've only done TACACS deployment upgrades to 2.7 thus far, and features were all enabled prior.

It's possible you are hitting this known issue now logged against 2.4p13, 2.6p8, 2.7p2, and 3.0. 
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw47006

I'm unaware if TAC has a hotfix, but if the suggested workaround doesn't help, they would be your next best course of action. 

Just come across the same issue, ISE 2.7 Patch 2 with a two node deployment. Do you know if going to patch 3 or higher fixed the issue?