Re: ISE 3.1 Question

lolit6 · ‎08-08-2023

i have been trying to find a solution to a silly issue. i tried to post on cisco forums but it was broken. we have one main office (2 ISE instances). we have three remote offices (1 ISSE PSN in each). i implemented a hub and spoke setup of VPN policies for to allow all the ISE instances to communicate with each other. two of the remote offices and main office can communicate. however the latest office to be added cannot communicate with the remote offices. communication with the main office has no isseus. so i have the well known error "Queue Link Error: Message=From FQDN To FQDN; Cause=Timeout". my question is two parts. do these instances have to be able to communicate with each other? and if so, why? my thought is since they all can communicate with the main office and the primary instance, what does it matter? i am working with tech support to get the hub and spoke working but its taking some time (yay i found a new issue). thanks for any assistance.

https://showbox.bio https://tutuapp.uno/

Milos_Jovanovic · ‎08-09-2023

Hi @lolit6,

It really depends on your current setup and which roles are running on which nodes. If you have PAN/MnT in hub location, and only PSN in spoke locations (and you are not using node synchronization), then that is everything you need.

There are already similar discussions:

https://community.cisco.com/t5/network-access-control/distributed-ise-nodes-and-communication-between-psns/td-p/4582155

https://community.cisco.com/t5/network-access-control/distributed-environment-ise-ports-communication/td-p/3483023

Kind regards,

Milos