Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3866
Views
0
Helpful
4
Replies

ISE Distributed Node Registration Issue - "Registration Failed" Status

zma
Level 1
Level 1

‎02-17-2016 06:57 PM - edited ‎03-10-2019 11:30 PM

I have a distributed ISE 2.0 deployment with 6 nodes (2 X PAN, 2 X MNT, 2 X PSN), there is no firewall in the middle. I have successfully added all 5 nodes into the PRI PAN and all the messages show successfully added for each of them.

However, after Sync, the Secondary PAN and PRI MNT's Node Status showing Yellow triangle and the "Registration Failed". The option "Syncup" is also disabled. All other 3 nodes show green square "Connected".

They have the same config and are added the same way. What could be the problem. Please help.

1 person had this problem
Labels:
0 Helpful
4 Replies 4

jj27
Spotlight
Spotlight

‎02-17-2016 07:19 PM

What version of ISE?

SSH to the CLI.  Can you ping each node from each other?

Are there forward and reverse DNS entries for all nodes?

Are the timezones for all nodes the same and is the NTP server the same and all node times synchronized?

0 Helpful

zma
Level 1
Level 1
In response to jj27

‎02-17-2016 10:16 PM

They are ISE 2.0. Network connectivity is all fine, ping or SSH no problem. I did miss DNS initially and ISE would not allow any node to be added without DNS. So I added DNS entries and they all got added successfully. But I do not have reverse DNS entries, not really sure if they are needed or not. They are all configured in the same timezone with same NTP servers. I will check the NTP status tomorrow.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to zma

‎02-18-2016 06:18 AM

If you have NTP and other basic stuff configured fine. You can quickly reload the Secondary PAN and PRI MNT. We could have looked at the logs but I'm sure the replication logging components were not set to DEBUG level.

~ Jatin

~Jatin
0 Helpful

jj27
Spotlight
Spotlight
In response to zma

‎02-18-2016 06:19 AM

It's required for those DNS entries to be there. Not sure it is your problem, but definitely required.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID209

Configure the Reverse DNS lookup for all Cisco ISE nodes in your distributed deployment in the DNS server. Otherwise, you may run into deployment related issues when registering Cisco ISE nodes, and restarting Cisco ISE nodes.
0 Helpful
Customers Also Viewed These Support Documents