Cisco Community
English
Register
Announcing the Project Gallery! Click here to read community member deployment stories and share your projects!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

814
Views
0
Helpful
5
Replies
Highlighted
h.dam
Beginner
Beginner
‎02-22-2017 02:00 PM
‎02-22-2017 02:00 PM

ISE HA mode prerequisites

Hi,

I'm a newbee on ISE. I'd like to know what are the prerequisites if I install two ISE vm in HA mode.

Is DNS server one of the prerequisites? If yes, can I use the ISE vm to be a DNS server?

Thanks in advance.

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Rahul Govindan
VIP Advocate VIP Advocate
VIP Advocate
‎02-22-2017 05:02 PM
‎02-22-2017 05:02 PM

These are the guidelines to

These are the guidelines to set up 2 ISE nodes in distributed deployment:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#ID209

DNS is a requirement and the Nodes should be able to resolve the DNS name of the peer. ISE cannot act as a DNS server.

View solution in original post

0 Helpful
Reply
5 REPLIES 5
Highlighted
Rahul Govindan
VIP Advocate VIP Advocate
VIP Advocate
‎02-22-2017 05:02 PM
‎02-22-2017 05:02 PM

These are the guidelines to

These are the guidelines to set up 2 ISE nodes in distributed deployment:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#ID209

DNS is a requirement and the Nodes should be able to resolve the DNS name of the peer. ISE cannot act as a DNS server.

View solution in original post

0 Helpful
Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
‎02-22-2017 11:37 PM
‎02-22-2017 11:37 PM

In addition to what Rahul

In addition to what Rahul correctly stated, you also need a working external ntp server and your default gateway need to be reachable.

ISE checks all of these during the initial cli setup and, if any are not working, setup will not allow you to proceed with product initialization.

0 Helpful
Reply
Highlighted
h.dam
Beginner
Beginner
‎02-23-2017 02:02 PM
‎02-23-2017 02:02 PM

Hi,

Hi,

In fact, we use cisco UCS. The ISE is installed as a VM.

As you said, ISE cannot be a DNS server, I'll try to create another VM with  DNS service activated. The reason I don't make use of the corporate DNS server because this ISE network is an separated one.

If the above methode won't work, then I'll try to use corporate DNS crossing the wan links.

0 Helpful
Reply
Highlighted
Rahul Govindan
VIP Advocate VIP Advocate
VIP Advocate
‎02-23-2017 02:19 PM
‎02-23-2017 02:19 PM

Sure, you can have a Windows

Sure, you can have a Windows Server on the UCS acting as DNS and NTP server if you want to keep it separate from the Corp network.

0 Helpful
Reply
Highlighted
Venkatesh Attuluri
Cisco Employee
Cisco Employee
‎03-13-2017 08:10 AM
‎03-13-2017 08:10 AM

just to add to this

just to add to this conversation here If you have two Administration nodes deployed in a high-availability pair, you must ensurethat each of them have the same license capabilities. Generate licenses with both UDIs and then add the licenses while each node is in a standalone or primary state.

0 Helpful
Reply
Latest Contents
ASA 5506-x, firepower, can't update
Created by dm on 08-05-2020 10:54 PM
2
0
2
0
Hello! I run 6.2.3.15.When I click download updates in ASDM I get:Download updates failed: Peer certificate cannot be authenticated with known CA certificates I have 3 identical devices and all of them have the same problem.. How can I fix ... view more
Adding Exception Subnets to Umbrella Connector for ASA Firew...
Created by R. Clayton Miller on 08-05-2020 02:22 PM
0
10
0
10
You would like to use the ASA Firewall Umbrella Connector to enforce DNS policy with Umbrella.  However you would also like to exclude certain IP addresses or subnets from using this policy.  I recently had the need to do this, had a bit of tro... view more
Crytophgraic algoritms required by the secure gateway do not...
Created by latenaite2011 on 08-03-2020 09:33 PM
1
0
1
0
Hi Everyonem Just wondering if anyone knows why I am getting an error that says "Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect.  Please contact your network administrator.".  See attached... view more
20 Cybersecurity Considerations for 2020: Download the Cisco...
Created by Kelli Glass on 08-03-2020 02:57 PM
0
0
0
0
The Cisco 2020 CISO Benchmark Report provides valuable takeaways and data on the most pressing topics: the impact of vendor consolidation, cybersecurity fatigue, outsourcing, top causes of downtime, the most impactful threats, and more. The repo... view more
Stealthwatch Identity Certificate issue
Created by donald.heslop1 on 08-03-2020 02:24 PM
0
0
0
0
Hi, Has anyone run into the "Channel down" issue when updating the identity certificate on the Stealthwatch SMCv and SFCv. I'm doing a POC for a client and every time I go an update the identity cert the SMC says "it could save the configuration" and... view more
Content for Community-Ad

Cisco Community May 2020 Spotlight Award Winners

Follow our Social Media Channels