ISE In AWS Active Directory Diagnostic Tool test

pinglis
Level 7

I have just added our first AWS instance to our ISE deployment and when I join it to the Active Directory domain the following tests are failing/showing a warning:

[Image: Failed AD Diagnostic Tests.png]

The same tests on the physical appliances work.

On the AWS node an nslookup for _ldap._tcp.dc._msdcs for the SRV records for domain is working.

Any ideas?

Accepted Solution

pinglis
Level 7

The problem appears to be with the AWS based DNS server. Switching to on premise DNS servers resolves the issue.

I'm getting our DNS team to check the differences.


4 Replies

thomas
Cisco Employee

The physical appliances are not in AWS.

Security Groups?

Network ACLs?

VPN firewall?

Other firewall?

See Cisco ISE Administration Node Ports

pinglis
Level 7

There may be some firewall rules/ACLs, but I am unclear which DNS server the ISE node is using for the tests. As I said, nslookup from the node CLI itself seems to be working, but I know this DNS server is a layer below the application itself. Could the ISE application be picking up a different DNS server?

It should be using whichever DNS servers you have configured when you provisioned it.

You will need to SSH with your AWS private key to see the DNS server configuration with a `show run`.

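As an added example (not from the thread or from Cisco), here is the comparison the accepted solution hands off to the DNS team: parse the Linux `nslookup -type=SRV` output for _ldap._tcp.dc._msdcs.<domain> as returned by the on-premise and the AWS resolver, and report which domain-controller SRV records one of them is missing or adding. The domain, resolver addresses and answers are constructed sample data.

```python
"""Diff the AD domain-controller SRV records returned by two DNS resolvers.

Added example, not from the thread. It parses Linux-style `nslookup -type=SRV`
text output and reports records present in one resolver's answer but not the
other's, which is how a DNS-dependent AD join/diagnostic failure gets localised.
All names, addresses and answers below are constructed sample data.
"""
import re
from typing import NamedTuple

# Linux nslookup prints SRV answers as: "<name>  service = <prio> <weight> <port> <target>."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+service = (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$"
)

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def parse_nslookup_srv(output: str) -> dict[str, set[Srv]]:
    """Return {query_name: {SRV records}} from nslookup text output (non-SRV lines ignored)."""
    records: dict[str, set[Srv]] = {}
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            rec = Srv(int(m["prio"]), int(m["weight"]), int(m["port"]),
                      m["target"].rstrip(".").lower())
            records.setdefault(m["name"].rstrip(".").lower(), set()).add(rec)
    return records

def diff_srv(reference: dict[str, set[Srv]], candidate: dict[str, set[Srv]]) -> dict[str, list[str]]:
    """Per query name, list what the candidate resolver is missing or adds versus the reference."""
    report: dict[str, list[str]] = {}
    for name in sorted(set(reference) | set(candidate)):
        ref, cand = reference.get(name, set()), candidate.get(name, set())
        problems = [f"missing: {r.target}:{r.port}" for r in sorted(ref - cand)]
        problems += [f"unexpected: {r.target}:{r.port}" for r in sorted(cand - ref)]
        if ref and not cand:
            problems.insert(0, "no SRV answer at all")  # the AD join cannot find any DC
        if problems:
            report[name] = problems
    return report

# Constructed sample output: on-premise resolver answers with both DCs, AWS resolver with one.
QUERY = "_ldap._tcp.dc._msdcs.corp.example.com"
ONPREM_OUTPUT = f"""Server:\t\t10.10.0.53\nAddress:\t10.10.0.53#53\n
{QUERY}\tservice = 0 100 389 dc01.corp.example.com.
{QUERY}\tservice = 0 100 389 dc02.corp.example.com.\n"""
AWS_OUTPUT = f"""Server:\t\t10.20.0.2\nAddress:\t10.20.0.2#53\n
{QUERY}\tservice = 0 100 389 dc01.corp.example.com.\n"""

if __name__ == "__main__":
    for name, problems in diff_srv(parse_nslookup_srv(ONPREM_OUTPUT), parse_nslookup_srv(AWS_OUTPUT)).items():
        print(name, problems)
```

Feed it the real `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> <server>` output from each resolver; an empty report means the two servers agree on the domain-controller records.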