02-21-2018 05:01 PM
Hello
I have joined my ISE 2.3p1 to an AD forest which has a two-way trust relationship with a bunch of other AD forests.
As you can see below, I have selectively whitelisted a subset of these forests for my authentication. Two of those non-whitelisted domains (cap and devcap) are causing ISE to complain.
Q1: Why do I constantly see this stuff in the ISE CLI logs? I didn't blacklist them, and I don't see this for any other domain that I haven't white listed either. What is the difference between blacklisting and simply not using them?
06/02/2018 06:16:13,WARNING,140182414153472,Added to black list: domain=devcap.******** DC=a04wndm31.devcap.******** addr=161.143.153.140 TTL=06:16:23 reason=Network,lwadvapi/threaded/dcmanager.cpp:269
06/02/2018 06:16:16,WARNING,140182414153472,Added to black list: domain=cap.******** DC=a04wpdm61.cap.******** addr=161.143.155.22 TTL=06:16:26 reason=Network,lwadvapi/threaded/dcmanager.cpp:269
This stuff is clogging my Splunk database and those guys charge by the MB.
Q2: I don't see a value for the Forest column for those two domains. Is that a problem for ISE? All the other domains have a forest value displayed.
I ran Diagnostic Tool (all tests) and I got no errors at all.
02-22-2018 07:18 AM
ISE will blacklist a domain controller if there is some network error so that ISE does not use the bad DC and discovery is triggered to find a better DC.
Apart from any network connectivity issue, it is also possible that the firewall is dropping the packets.
More troubleshooting is needed here to find the cause of this. I would suggest engaging TAC to find the root cause of it.
I will be researching more for the 2nd question.
Thanks,
Nidhi
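An added example, not part of the original thread and not Cisco tooling: a small parser for the "Added to black list" line layout quoted in the question. It counts events per domain controller and separates domains whitelisted for authentication from the rest, which helps decide what needs network troubleshooting and what is only log volume. The sample lines, the example.com names and the reading of TTL as a wall-clock expiry time are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Layout taken from the two log lines quoted in the question:
# date time,LEVEL,thread,Added to black list: domain=.. DC=.. addr=.. TTL=.. reason=..,source:line
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d),(?P<level>\w+),(?P<thread>\d+),"
    r"Added to black list: domain=(?P<domain>\S+) DC=(?P<dc>\S+) "
    r"addr=(?P<addr>\S+) TTL=(?P<ttl>\d\d:\d\d:\d\d) reason=(?P<reason>[^,]+),"
    r"(?P<source>\S+)$"
)

def parse_blacklist_line(line):
    """Return the fields of one 'Added to black list' line, or None for any other message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: TTL is the wall-clock time at which the DC leaves the black list.
    start = datetime.strptime(rec["time"], "%H:%M:%S")
    end = datetime.strptime(rec["ttl"], "%H:%M:%S")
    if end < start:  # expiry falls after midnight
        end += timedelta(days=1)
    rec["hold_seconds"] = int((end - start).total_seconds())
    return rec

def summarize(lines, auth_domains):
    """Count events per (domain, DC, reason), split by whether the domain is used for authentication."""
    wanted = {d.lower() for d in auth_domains}
    report = {"auth_impact": Counter(), "noise": Counter()}
    for line in lines:
        rec = parse_blacklist_line(line)
        if rec is None:
            continue
        bucket = "auth_impact" if rec["domain"].lower() in wanted else "noise"
        report[bucket][(rec["domain"], rec["dc"], rec["reason"])] += 1
    return report

# Constructed sample lines (example.com names, documentation addresses).
SAMPLE = [
    "06/02/2018 06:16:13,WARNING,140182414153472,Added to black list: domain=devcap.example.com DC=dc1.devcap.example.com addr=192.0.2.140 TTL=06:16:23 reason=Network,lwadvapi/threaded/dcmanager.cpp:269",
    "06/02/2018 06:16:16,WARNING,140182414153472,Added to black list: domain=cap.example.com DC=dc1.cap.example.com addr=192.0.2.22 TTL=06:16:26 reason=Network,lwadvapi/threaded/dcmanager.cpp:269",
    "06/02/2018 23:59:55,WARNING,140182414153472,Added to black list: domain=devcap.example.com DC=dc1.devcap.example.com addr=192.0.2.140 TTL=00:00:05 reason=Network,lwadvapi/threaded/dcmanager.cpp:269",
    "06/02/2018 07:00:00,WARNING,140182414153472,Added to black list: domain=corp.example.com DC=dc2.corp.example.com addr=192.0.2.10 TTL=07:00:10 reason=Network,lwadvapi/threaded/dcmanager.cpp:269",
    "06/02/2018 07:00:01,INFO,140182414153472,Some unrelated message,lwadvapi/other.cpp:1",
]
if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE, ["corp.example.com"]).items():
        print(bucket, dict(counts))
```

Entries in the "auth_impact" bucket concern domain controllers for domains that are actually used for authentication and are the ones worth chasing as connectivity or firewall problems first.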
02-24-2018 07:06 AM
For the two domains showing no forest, it's probably due to ISE being unable to discover such info through DNS and/or Global Catalog queries. As they are not used for authentications, it should have no impact without forest info.
04-03-2018 08:55 PM
Hello again
I am still seeing these SYSLOGs on a daily basis. I have asked my customer about these two domains but no response yet.
The constant SYSLOG events that I am seeing are (and related to the two domains I don't care about)
I have joined ISE to a domain controller that has many two-way trust relationships.
I whitelisted only those domains that I can access for authentication.
I did NOT whitelist these two domains that are causing me grief. Yet it seems that ISE is going behind my back and trying to be overly clever. The result is a constant stream of SYSLOGs to Splunk. Why can't it simply ignore the domains that I explicitly didn't whitelist?