08-21-2020 07:31 AM
Strange Device Admin issue in a new 2 node deployment.
Only 1 of the nodes will service TACACS requests.
Tested on both IOS and NX-OS and if they try to send TACACS requests to the 'secondary' node they fail and are not recorded in any ISE logs.
If I remove the Device Admin role from the secondary node and re-add it, TACACS starts working on this node but stops responding on the primary node.
If I then remove Device Admin from primary node and re-add, it starts working again on primary node but stops working on secondary.
2 x 3615 Appliances running ISE 2.7 Patch 2
Both nodes are configured with Admin, Monitoring, Policy Service (including Device Admin) and PXGrid
Using Smart Licensing, has 2 Device Admin licenses in portal (and shown correctly as 'in use')
I'd be grateful if anyone has seen this or something similar before and has any advice. I would go straight to TAC but there is an issue with the purchased support package being correctly registered and I'm waiting for it to get sorted by the customer / supplying partner.
08-24-2020 12:44 AM
I've not seen such an issue before, nor am I able to recreate it. Please engage Cisco TAC to troubleshoot.
08-28-2020 07:47 AM
Unfortunately as mentioned, TAC is not an option at the moment.
I have however managed to resolve this by disabling Device Admin on both nodes, rebooting both nodes and re-enabling Device Admin on both.
01-08-2021 08:45 AM
I know this is old. But we are seeing this issue as well on 2.7 patch 2.
Two Policy Nodes. Both run Device Admin (TACACS). For some reason our primary node stopped working, but the secondary still works. If we disable and re-enable the Device Admin service on primary it will work, but then the secondary immediately stops working. If you do the reverse then it switches! Very weird.
Posting to let people know this does happen. I'm going to try the method above to fix. Disable, reboot, re-enable Device Admin.
01-09-2021 06:52 AM - edited 01-09-2021 06:54 AM
I've been lucky and not run into this behavior, but I also haven't enabled/disabled device admin functionality on 2.7. I've only done TACACS deployment upgrades to 2.7 thus far and features were all enabled prior.
It's possible you are hitting this known issue now logged against 2.4p13, 2.6p8, 2.7p2, and 3.0.
I'm unaware if TAC has a hotfix, but if the suggested workaround doesn't help, they would be your next best course of action.
09-29-2021 02:51 PM
Just come across the same issue, ISE 2.7 Patch 2 with a two node deployment. Do you know if going to patch 3 or higher fixed the issue?