12-05-2012 05:07 PM - edited 03-10-2019 07:51 PM
Hi All,
I've got a split domain setup, with 8 ISE nodes on the inside network, and 2 nodes on a DMZ in a different DNS domain.
When we first set this up a few months ago, it turned out that there was a bug that didn't allow multiple domains, and we tested a workaround at the time, so I'm guessing it's not too common yet (recent code releases (patch 4 and 1.1.2) fixed this issue, but.....)
I've configured a CRL for the CA certs from the internal domain.
The ISEs on the DMZ have nothing to do with the internal domain, so I wouldn't have expected them to be interested in the CRL, which is associated with a certificate (and chain) used on internal ISEs only.
Unfortunately, though, the DMZ ISEs are also trying to get to the CRL URL, which is not accessible from the DMZ, so they are flagging up masses of errors. Is there any way of stopping individual PSNs from trying to do this?
Incidentally, even though the timeout to retry the download is hours, the external nodes seem to be retrying every 2-4 minutes.
I had to delete 18000 alarms today, so I wasn't too pleased to find that you can only delete alarms 100 at a time?
Cheers
12-05-2012 05:40 PM
A few questions:
I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered.
Please rate posts you consider useful.
-James
12-16-2012 04:29 PM
The internal nodes all use the same CA. The problem seems to be that even though the DMZ nodes have no need for the certificate in question, they still attempt download of the CRL.
The DMZ nodes use an external CA for which no CRL is currently set up.
All one deployment, split domain.
Admin talking to PSN through firewall. That communication is fine, but no way will DMZ node be able to talk to the internal CA.
Sent from Cisco Technical Support iPhone App