Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
589
Views
1
Helpful
4
Replies

ISE distributed deploy

Go to solution
Kasper Elsborg
Level 1
Level 1

‎09-30-2023 01:43 AM

Hi Guys, I am a bit puzzled about this. I have implemented 2 ISE nodes in  Simple Two Node Deployment. Each node holds all personas. If I split it up, Ise03 holds, Admin and MnT, and Ise02 holds PSN personas, It still works, and clients gets AuthZ. NAD tacacs+ also works,  however the live logs are empty?

Any ideas?

Both servers has certifcate from MS AD, NTP are in sync, and DNS records are in place.

 

Regards Kasper

Preview file
2 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kasper Elsborg
Level 1
Level 1

‎09-30-2023 10:08 AM

Hi, So I've disabled the "Use "ISE Messaging Service" for UDP Syslogs delivery to MnT" and then I have livelogs again. Then I reissued certificates for ISE Messaging Service on both node, but using the pxgrid template(it has both server and client). Reenabled the ISE Messaging Service" for UDP Syslogs delivery to MnT, and now it works.

KasperElsborg_0-1696093732331.png

 

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-30-2023 02:16 AM

what version of ISE - I am bit confused here, you mentioned 2 Node deployment, do you have 3rd node admin and Mnt ?

The Live Logs you looking hope Operations > TACACS > Live Logs

what switch model ? (may be run some debug and check is the logs shipping to ISE)

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Kasper Elsborg
Level 1
Level 1
In response to balaji.bandi

‎09-30-2023 06:09 AM - edited ‎09-30-2023 06:12 AM

Hi @balaji.bandi First it's a test lab that I have running. The deployment was as described ISE02, and ISE03, holding all personas, PSN, MnT and Admin. Everythin works, Radius, and Tacacs, and there are logs in both Operation->live logs, and operations->tacacs->livelogs. and ofcause my policy sets get hits. Then I split deployment up, and ISE03 now only has admin and MnT, and ISE02 now only has PSN. Everything works like before. Clients get dot1x authZ and there are hits in the policies, Tacacs works, however now there are no logs in any of the live logs.

 

ISE 3.1.0.518 patch 7

Switch is a WS-C3650-48PD

Br. Kasper

0 Helpful

Go to solution
Kasper Elsborg
Level 1
Level 1

‎09-30-2023 10:08 AM

Hi, So I've disabled the "Use "ISE Messaging Service" for UDP Syslogs delivery to MnT" and then I have livelogs again. Then I reissued certificates for ISE Messaging Service on both node, but using the pxgrid template(it has both server and client). Reenabled the ISE Messaging Service" for UDP Syslogs delivery to MnT, and now it works.

KasperElsborg_0-1696093732331.png

 

 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Kasper Elsborg

‎09-30-2023 11:02 AM

glad to know all working, cheers for sharing your solution.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customers Also Viewed These Support Documents