Solved: ISE 2.7 TACACS Issue?

NashLena · ‎01-18-2021

Strange Device Admin issue in a new 2 node deployment.

Only 1 of the nodes will service TACACS requests.

Tested on both IOS and NX-OS and if they try to send TACACS requests to the 'secondary' node they fail and are not recorded in any ISE logs.

If I remove the Device Admin role from the secondary node and re-add it, TACACS starts working on this node but stops responding on the primary node.

If I then remove Device Admin from primary node and re-add, it starts working again on primary node but stops working on secondary.

2 x 3615 Appliances running ISE 2.7 Patch 2

Both nodes are configured with Admin, Monitoring, Policy Service (including Device Admin) and PXGrid

Using Smart Licensing, has 2 Device Admin licenses in portal (and shown correctly as 'in use')

I'd be grateful if anyone has seen this or something similar before and has any advice. I would go straight to TAC but there is an issue with the purchased support package being correctly registered and I'm waitying for it to get sorted by the customer / supplying partner

Thanks

https://19216811.cam/ https://1921681001.id/

martin.fischer · ‎01-18-2021

Hi @NashLena

Seems like a bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw47006

I think you have to sort out your issue with the contract and engage TAC for further troubleshooting.

View solution in original post

martin.fischer · ‎01-18-2021

Hi @NashLena

Seems like a bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw47006

I think you have to sort out your issue with the contract and engage TAC for further troubleshooting.

fthiel92 · ‎01-28-2021

Well this is interesting because we do have many TACACS errors related to Nexus devices being not able to reach ISE/TACACS and not impacting Catalyst devices ... will have a look at that bug conditions !