10-16-2019 04:51 PM
Hi all,
I have a problem with adding a secondary node to the primary. I can ping them, and nslookup on both sides gives me the correct entry. I did a tcpdump on the destination FW and don't see that something is blocking... the primary is using port 443 when I try to register the secondary node.
PRIMARY:
ise01/admin# nslookup ise02.net.biz
Trying "ise02.net.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31656
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ise02.net.biz. IN ANY
;; ANSWER SECTION:
ise02.net.biz. 3600 IN A 172.28.208.208
ise01/admin# ping ise02.net.biz
PING ise021.net.biz (172.28.208.208) 56(84) bytes of data.
64 bytes from 172.28.208.208: icmp_seq=1 ttl=59 time=25.3 ms
64 bytes from 172.28.208.208: icmp_seq=2 ttl=59 time=24.7 ms
64 bytes from 172.28.208.208: icmp_seq=3 ttl=59 time=24.6 ms
64 bytes from 172.28.208.208: icmp_seq=4 ttl=59 time=25.1 ms
ise02/admin# nslookup ise01.net.biz
Trying "ise01.net.biz"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ise01.net.biz. IN ANY
;; ANSWER SECTION:
ise01.net.biz. 293 IN A 10.64.96.96
ise02/admin# ping ise01.net.biz
PING ise01.net.biz (10.64.96.96) 56(84) bytes of data.
64 bytes from 10.64.96.96: icmp_seq=1 ttl=59 time=24.7 ms
64 bytes from 10.64.96.96: icmp_seq=2 ttl=59 time=24.4 ms
64 bytes from 10.64.96.96: icmp_seq=3 ttl=59 time=24.5 ms
64 bytes from 10.64.96.96: icmp_seq=4 ttl=59 time=24.4 ms
Both devices use the same version.
This is the message that I'm getting:
10-18-2019 07:32 AM
Hi,
The problem was not with the certificate. The problem was that on the primary I had a patch installed which I didn't have on the secondary. After removing the patch the issue was resolved.
Thanks,
N
10-18-2019 02:41 AM
Hello,
Remember that when setting up ISE in distributed mode, both the Primary and Secondary PAN need to trust each other, aside from all that you have confirmed above.
Trust between the two PANs is built on certificates (mostly self-signed). Have you exported the default self-signed certificate from the Secondary PAN to import into the Primary PAN, and vice versa? After doing all you mentioned and this, you should be able to add the Secondary PAN to the Primary. But if you are using an externally signed certificate, then you have to create a CSR to be signed externally (but why would one need that? This is not externally facing), or use your corporate internal CA (this option is also good because it gives a longer expiry, which depends on your corporate security policies).
Let me know if this helps.
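The trust step this answer describes, modelled with OpenSSL as an added example (this is not code from the thread or from Cisco ISE). Each node starts with a self-signed certificate, like ISE's default admin certificate; the primary's trust store holds only its own cert until the secondary's cert is imported, and registration by FQDN also needs the cert's name to match. The node names, file paths and trust-store layout are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: model the PAN trust step.
# Host names (ise01.net.biz / ise02.net.biz) and paths are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate and key for one node (CN = node FQDN).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Print "trusted" if cert $2 validates against trust store $1, else "untrusted".
trust_state() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Print "match" if self-signed cert $1 is valid for host name $2, else "mismatch".
host_match() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# Import: append the peer's self-signed cert to the trust store, which is what
# importing the secondary's admin cert into the primary's trusted store does.
import_into_store() {
    cat "$2" >> "$1"
}

make_self_signed ise01.net.biz   # primary PAN
make_self_signed ise02.net.biz   # secondary PAN

# The primary's trust store before any import holds only its own cert.
cp "$WORK/ise01.net.biz.pem" "$WORK/primary-trust.pem"

echo "before import: $(trust_state "$WORK/primary-trust.pem" "$WORK/ise02.net.biz.pem")"   # untrusted
import_into_store "$WORK/primary-trust.pem" "$WORK/ise02.net.biz.pem"
echo "after import:  $(trust_state "$WORK/primary-trust.pem" "$WORK/ise02.net.biz.pem")"   # trusted

# Registration uses the FQDN, so the secondary's cert must also carry that name.
echo "name check:    $(host_match "$WORK/ise02.net.biz.pem" ise02.net.biz)"    # match
echo "wrong name:    $(host_match "$WORK/ise02.net.biz.pem" ise021.net.biz)"   # mismatch
```

The same check can be run against a real node by fetching its certificate with `openssl s_client -connect ise02.net.biz:443 -showcerts` and verifying it against the primary's exported trusted-certificate bundle; a "self-signed certificate" verify error before import is the expected state, not a fault.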