Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2377
Views
0
Helpful
2
Replies

ISE 3.0 Diagnostic Tool failing on three items.

Anthony O'Reilly
Level 3
Level 3

‎12-16-2021 03:50 AM

Hi,

 

I have two ISE 3.0 (Patch 2) appliances. I ran an Active directory diagnostic check on ISE01 and there are three warnings which I need to look into.

 

Both appliances are failing on the same three items. 

 

ISE-01 ISSUE 1:

 

ISE-01 =

Test Name          :DNS A/AAAA record low level API query

Description        :Query for DNS A/AAAA record using resolv.conf configuration and res_query()

Instance           :AD_Domain

Status             :Warning

Start Time         :23:07:17 03.11.2021 GMT

End Time           :23:07:17 03.11.2021 GMT

Duration           :<1 sec

Result and Remedy...

Large DNS reply (1648 bytes) found in Address Record query response.

Large DNS replies can impact efficiency and usually indicate that ISE is not using a good Active Directory Site, or the DNS server response contains too many records.

 

ISE-01 ISSUE 2:

 

Test Name          :DNS SRV record query

Description        :Query for DNS SRV record using resolv.conf configuration and gethostbyaddr

Instance           :AD_Domain

Status             :Warning

Start Time         :23:07:17 03.11.2021 GMT

End Time           :23:07:17 03.11.2021 GMT

Duration           :<1 sec

Result and Remedy...

SRV record found.

Not all SRV records have IP, will need to run additional query for get IP.

 

ISE-01 ISSUE 3:

 

Test Name          :DNS SRV record size

Description        :Query for DNS SRV record size using resolv.conf configuration and gethostbyaddr

Instance           :AD_Domain

Status             :Warning

Start Time         :23:07:17 03.11.2021 GMT

End Time           :23:07:17 03.11.2021 GMT

Duration           :<1 sec

Result and Remedy...

SRV query size exceeds maximum limit of 4k. This may have negative impact on AD functionality. Check AD DNS configuration.

 

Can ISE determine the following:

 what SRV records do not have IP,?

 what SRV query size exceeds the max limit?

 

Are there any AD tools that I can run on the Domain Controllers to try and resolve these three issues? Should I add in the other DNS servers that the customer has (roughly 60-70 servers)?

 

Thanks

Anthony.

 

0 Helpful
2 Replies 2

Arne Bier
VIP
VIP

‎12-16-2021 01:25 PM

@Anthony O'Reilly  - is the AD integration functioning ok though?

 

I wonder if these DNS related symptoms are due to IPv6 results returned in the DNS SRV query. Perhaps the DNS server is responding on its IPv6 interfaces too.

I agree with you - the ISE AD diagnostics are great but some more detail would be appreciated (in the tool itself) - because it raises concerns and then leaves the user guessing

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎12-19-2021 10:27 PM

Arne gave an example on a SRV query at his response for "ISE 3.0.0.458 - Error joining ISE to AD domain" .

I would suggest to take network packet captures between ISE and DNS servers while attempting these tests.

0 Helpful
Customers Also Viewed These Support Documents