ISE GUI not working after Upgrade to 2.6

mitali02
Level 1

Hi,


I have an ISE VM configured with 2 interfaces: Gig0 for Mgmt access and Gig1 for TACACS. After the ISE upgrade from 2.3 to 2.6, I am unable to log in to the GUI or ssh via the Gig0 interface. I have tried safe mode but am unable to log in then either. It only works if I disable Gig1, which is not ideal as we need the TACACS servers up. I have a split deployment and the other ISE node didn't have this issue. What can I do to make both ports work?


4 Replies

Arne Bier
VIP

Just a random thought, and something that has bitten me in the past: did you save the ISE ADE-OS config before starting upgrade? e.g. if you plan to patch an ISE node and you have unsaved ADE-OS changes then those will be lost. This could also apply to upgrades.

Which makes me think that perhaps you had some static routes or additional default gateway statements on that ISE node that got lost after the upgrade?

If disabling Gig1 allows you to log into the ISE admin GUI then perhaps it has to do with IP routing, and not with an ISE issue specifically.


By design, you cannot dedicate TACACS+ exclusively to one interface. Every ISE interface listens for RADIUS and TACACS and the gig0 is reserved for ssh and tcp/443 access (iptables firewall rules).

Only the web portals can be configured exclusively for specific interface usage.


Have a look below for guidance on what can run on which interface:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html


Hi Arne,

Thanks for your prompt reply. I saved the running config before the upgrade. I do have static routes and default-gateway commands. Gig0 is the default gateway and the static routes are from Gig1. They seem to be present when I check the routing table, and ping from the ISE node also works as expected. From outside, I can reach Gig1 but not Gig0. By design, we want to have 2 separate ports. Gig0 is the default Mgmt port and that is what we have. We have dedicated Gig1 for TACACS and have the relevant static routes for that. Any other option now besides spinning up a new VM?

Likely one of the static routes has an impact. I would suggest testing Gig0 from the same subnet as it.

You might want to engage TAC to check the configurations or recreate.

I don't suppose you have an ADE-OS show run before the upgrade to see if there are any other config changes? If this worked on ISE 2.3 then the logic must have been correct at some point.  Best to get TAC involved
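The routing symptom the thread circles around (Gig0 unreachable from outside while Gig1 works, and everything working again once Gig1 is disabled) is what a reply leaving on a different interface than the request arrived on looks like. The script below is an added illustration, not code from the original thread, Cisco, or ISE: it models a routing table with a longest-prefix-match lookup and asks, for a given client, which interface the reply would exit. The prefixes, gateways and client addresses are constructed placeholders; the shape of the table (default gateway on Gig0, static routes to the TACACS client networks on Gig1) follows the description in the thread.

```python
import ipaddress

# Constructed sample table (hypothetical addresses) modelled on the thread:
# Gig0 carries the default gateway, Gig1 carries static routes to the TACACS client networks.
SAMPLE_ROUTES = [
    {"prefix": "0.0.0.0/0",      "via": "10.0.0.1", "iface": "Gig0"},  # default gateway on Gig0
    {"prefix": "10.0.0.0/24",    "via": None,       "iface": "Gig0"},  # Gig0 connected subnet
    {"prefix": "10.0.1.0/24",    "via": None,       "iface": "Gig1"},  # Gig1 connected subnet
    {"prefix": "192.168.0.0/16", "via": "10.0.1.1", "iface": "Gig1"},  # static route for TACACS clients
]


def lookup(routes, dst):
    """Longest-prefix match: return the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def reply_path(routes, arrived_on, client_ip):
    """Which interface does the reply leave on for a request that arrived on `arrived_on`?

    The host routes the reply by destination only; the ingress interface plays no part,
    which is exactly why a static route can pull management replies out of another port.
    """
    r = lookup(routes, client_ip)
    out = r["iface"] if r else None
    return {"client": client_ip, "in": arrived_on, "out": out, "symmetric": out == arrived_on}


def without_interface(routes, iface):
    """Model 'disabling' an interface: every route pointing out of it disappears."""
    return [r for r in routes if r["iface"] != iface]


def audit(routes, arrived_on, clients):
    """Return the clients whose replies would leave on an interface other than `arrived_on`."""
    return [p for p in (reply_path(routes, arrived_on, c) for c in clients) if not p["symmetric"]]


if __name__ == "__main__":
    clients = ["192.168.5.10", "10.0.0.50", "172.16.3.3"]
    # An admin in 192.168.0.0/16 talking to Gig0 gets a reply out of Gig1 (asymmetric);
    # a client on Gig0's own subnet is symmetric, which is why testing from that subnet isolates the problem.
    for p in (reply_path(SAMPLE_ROUTES, "Gig0", c) for c in clients):
        print(p)
    # With Gig1 "disabled" its static routes vanish and every reply falls back to the Gig0 default gateway.
    print("asymmetric with Gig1 down:", audit(without_interface(SAMPLE_ROUTES, "Gig1"), "Gig0", clients))
```

Run it as-is to see the three cases side by side. The practical use is to replace `SAMPLE_ROUTES` with the node's actual routing table and the client list with the addresses the admin and TACACS clients come from: any entry `audit()` returns for Gig0 is a client whose management traffic will return via Gig1 and may be dropped by an upstream stateful firewall or by a host-side rule that does not expect it there.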