11-13-2013 04:04 AM - edited 03-10-2019 09:05 PM
Hello everyone!
There is a Cisco ISE 1.1.4.218 deployment (all 8 patches) consisting of 6 nodes (2 admin, 2 monitoring, 2 policy) on virtual machines.
When testing failover between the policy nodes, one of the policy nodes was removed from the deployment. The result of attempting to register this node is a blank warning pop-up window; the registration progress stops without the policy node being registered (screenshot in attachment). The same thing happens when I try to register a secondary monitoring node (that was removed earlier, as in the case of the policy node). I also attach a portion of the log file taken from the admin node (CLI) at the moment of the attempts to register the policy / monitoring nodes.
DNS is OK (defined on both sides), all certificates are valid.
Maybe somebody has already found a similar mistake?
Sincerely,
Andrey
11-14-2013 09:51 AM
Please check the following prerequisites:
• The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
• The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
• Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
• You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
• If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
• If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
• Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
• After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
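The two certificate-trust prerequisites in the reply above can be reproduced offline with OpenSSL: a node certificate validates only while its issuing CA is in the trust bundle, and replacing the certificate with one from a different CA fails until that CA is imported. This is an added example, not part of the original thread or of Cisco's tooling; the CA names, the FQDN `psn1.example.test` and the file `ctl.pem` standing in for the trust list are constructed.

```shell
#!/bin/sh
# Added example: all CAs, subjects and files are constructed in a temp dir.

# make_ca DIR NAME: create a self-signed demo CA (NAME.key / NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_node_cert DIR CA FQDN: issue FQDN.pem for the node, signed by CA.
make_node_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# chain_ok BUNDLE CERT: succeed only if CERT validates against BUNDLE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: print the three validation results described in the prerequisites.
demo() {
    d=$(mktemp -d) || return 1
    node=psn1.example.test                     # constructed FQDN
    make_ca "$d" old-ca
    make_ca "$d" new-ca
    cp "$d/old-ca.pem" "$d/ctl.pem"            # trust list holds old-ca only

    make_node_cert "$d" old-ca "$node"         # certificate at registration
    r1=fail; chain_ok "$d/ctl.pem" "$d/$node.pem" && r1=ok

    make_node_cert "$d" new-ca "$node"         # HTTPS certificate replaced
    r2=fail; chain_ok "$d/ctl.pem" "$d/$node.pem" && r2=ok

    cat "$d/new-ca.pem" >> "$d/ctl.pem"        # new CA imported into list
    r3=fail; chain_ok "$d/ctl.pem" "$d/$node.pem" && r3=ok

    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo
```
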
11-15-2013 08:54 AM
Hi Ravi!
Thanks for the answer!
I strictly followed all the instructions in accordance with the documents.
Once again, I checked everything against all the relevant documents.
Sincerely,
Andrey
11-15-2013 08:02 AM
Did you change the ISE hostname or domain name?
11-15-2013 08:58 AM
Hi Venkatesh!
Thanks for the answer!
There were no hostname or domain name changes.
It was only a deregister/register.
Sincerely,
Andrey
11-15-2013 10:19 AM
We found a bug during our first installation. We'd try and join a node, it would sit forever then give an error. Believe it or not, we performed a Ping test from the Troubleshooting tools on the PAN's GUI. Afterwards we tried to add the node again and boom it went right through. So afterwards every node we added we performed the same steps. It doesn't make sense but it worked for us. We sometimes skipped the ping and tried a node and sure enough nothing until we tested connectivity. Not sure if it had to update the CAM tables before it could reach it. Oddly enough it saved a call to TAC.
Sent from Cisco Technical Support iPhone App
11-18-2013 04:45 AM
Hi Ryan!
Thanks for the answer!
Your proposed solution failed in my case.
I contacted support (TAC) - the case is recognized as bug CSCul40235 "ISE 1.1.4 patch 7 fails registration with blank message".
Solution (at the current time) - remove patches up to 6 (I remove patches 7 and 8).
A little later I'll write what the result is.
Sincerely,
Andrey
11-18-2013 07:01 AM
Andrey - Good to know. Hope it works out buddy.
Sent from Cisco Technical Support iPhone App
11-19-2013 01:23 AM