
ISE does not register nodes - (blank pop-up window)

Andrey.Gulenko
Level 1

Hello everyone!

There is a Cisco ISE 1.1.4.218 deployment (all 8 patches) consisting of 6 nodes (2 admin, 2 monitors, 2 policy) on virtual machines.

When testing failover between the policy nodes, one of the policy nodes was removed from the deployment scheme. The result of attempting to register this node is a blank warning pop-up window; the registration stops without the policy node being registered (screenshot in attachment). The same thing happens when I try to register a secondary monitoring node (that was removed earlier, as in the case of the policy node). I also attach a portion of the log file taken from the admin node (CLI) at the moment of the attempts to register the policy / monitoring nodes.

DNS is OK (defined on both sides), and all certificates are valid.

Maybe somebody has already encountered a similar error?

Sincerely,

Andrey

8 Replies

Ravi Singh
Level 7

Please check the following prerequisites:

The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.

The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.

Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).

You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.

If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.

Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

Hi Ravi!

Thanks for the answer!

I strictly followed all the instructions in accordance with the documents.

I checked everything once again - all the relevant documents.

Sincerely,

Andrey

Venkatesh Attuluri
Cisco Employee

Did you change the ISE hostname or domain name?

Hi Venkatesh!

Thanks for the answer!

There were no changes to the hostname or domain name.
It was only a deregister/register.

Sincerely,
Andrey

Ryan Coombs
Level 1

We found a bug during our first installation. We'd try and join a node, it would sit forever, then give an error. Believe it or not, we performed a Ping test from the Troubleshooting tools on the PAN's GUI. Afterwards we tried to add the node again and boom, it went right through. So afterwards, for every node we added, we performed the same steps. It doesn't make sense but it worked for us. We sometimes skipped the ping and tried a node and, sure enough, nothing until we tested connectivity. Not sure if it had to update the CAM tables before it could reach it. Oddly enough, it saved a call to TAC.

Sent from Cisco Technical Support iPhone App

Hi Ryan!

Thanks for the answer!

Your proposed solution failed in my case.

I contacted support (TAC) - the case is recognized as bug CSCul40235 "ISE 1.1.4 patch 7 fails registration with blank message".

Solution (at the current time) - remove patches down to patch 6 (I remove patches 7 and 8).

A little later I'll write what the result is.

Sincerely,
Andrey

Andrey - Good to know. Hope it works out, buddy.

Sent from Cisco Technical Support iPhone App

Hi Ryan!

I also hope that it will help someone else.
After removing patches 7 and 8 and manually restarting the servers, these nodes have been successfully added (secondary monitoring and additional policy).

Sincerely,

Andrey
