09-05-2013 08:04 AM - edited 03-10-2019 08:52 PM
At a customer site I changed the domain name of our 4 ISE servers before they were registered to any deployment. I regenerated a self-signed certificate and started to register the other nodes to the deployment. This went well for the 2 PSN nodes, which have an IP address in a different subnet. I tried to register the presumed secondary PAN/MnT node and got the following error message: "Node being registered has FQDN 'ISE-PAN-AP02.office.intern' which cannot be resolved. Please check your DNS configuration."
My DNS config is in order.
Can anyone please tell me what the possible cause of this can be?
09-06-2013 05:34 AM
The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
09-07-2013 07:08 PM
Please check these Prerequisites:
• The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
• The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
• Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
• You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
• If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
• If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
• Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
• After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
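The DNS prerequisite quoted above can be checked before a registration attempt. The following is an added example, not part of the original posts and not Cisco code: it checks that each node FQDN is in the deployment domain and resolves to the expected address, and goes one step beyond the quoted prerequisite by also comparing the reverse (PTR) record. The node name ISE-PAN-AP01, the domain old.example and all IP addresses are constructed for illustration.

```python
import socket

def resolve_a(fqdn):
    """IPv4 addresses the local resolver returns for fqdn ([] if unresolvable)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def resolve_ptr(ip):
    """Name returned by the reverse lookup for ip (None if there is no PTR)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_node(fqdn, expected_ip, domain, forward=resolve_a, reverse=resolve_ptr):
    """Return a list of DNS problems for one node; an empty list means it is ready."""
    problems = []
    if not fqdn.lower().endswith("." + domain.lower()):
        problems.append(f"{fqdn} is not in deployment domain {domain}")
    addrs = forward(fqdn)
    if not addrs:
        problems.append(f"{fqdn} cannot be resolved (no A record)")
    elif expected_ip not in addrs:
        problems.append(f"{fqdn} resolves to {addrs}, expected {expected_ip}")
    else:
        ptr = reverse(expected_ip)
        if ptr is None:
            problems.append(f"no PTR record for {expected_ip}")
        elif ptr.rstrip(".").lower() != fqdn.lower():
            problems.append(f"PTR for {expected_ip} is {ptr}, a stale or different name")
    return problems

# Constructed sample zone data (documentation addresses, hypothetical records):
# the secondary PAN still has its PTR under a previous, hypothetical domain.
SAMPLE_A = {"ise-pan-ap01.office.intern": ["192.0.2.11"],
            "ise-pan-ap02.office.intern": ["192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.11": "ise-pan-ap01.office.intern",
              "192.0.2.12": "ise-pan-ap02.old.example"}

def sample_forward(fqdn):
    return SAMPLE_A.get(fqdn.lower(), [])

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for fqdn, ip in [("ISE-PAN-AP01.office.intern", "192.0.2.11"),
                     ("ISE-PAN-AP02.office.intern", "192.0.2.12")]:
        issues = check_node(fqdn, ip, "office.intern", sample_forward, sample_reverse)
        print(fqdn, "OK" if not issues else issues)
```

Calling `check_node` without the last two arguments uses the resolver of the machine it runs on, so run it from a host that uses the same DNS servers as the primary Administration node.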
09-11-2013 06:37 PM
Cisco strongly recommends not changing the ISE hostname or domain name once it is configured, as it’s a process to follow again to do all the activity.
Please go through pages 80 & 241 for the steps & information; the link is given below.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ug.pdf
09-17-2013 09:30 PM
Hi
Possible causes:
This scenario is most commonly caused by clock drift due to not syncing time via NTP on VMware.
This issue can also arise if the Cisco ISE FQDN changes and/or the name of the certificate imported on the client machine has changed.
Resolution:
Ensure that your Active Directory domain and Cisco ISE are aligned to the same NTP server source.
Shut down or pause your Active Directory server and try to authenticate an employee to the network.
09-23-2013 03:33 AM
Everybody, thanks a lot for your reactions. In the end I did a reset-config and the issue wasn't there anymore.