ISE node registration fails

I have a problem registering a new ISE node to an existing ISE cluster that contains 4 nodes. I have 4 nodes and I need to add 2 more; all nodes are running version 2.4 patch 10 and the certificates are trusted. However, I get this error: "Registration failed".

2 Replies

Colby LeMaire
VIP Alumni

The new nodes that are being added must be on the same version and patch level. Then, the certificates need to be trusted both ways. You can export the system certificates from the new nodes and import those into the existing deployment admin as a trusted certificate. Then take the Root and Intermediate CA certificates that signed the existing deployment nodes' certificates and put those on the new nodes in the trusted certificates store. If all of that is good and it is still failing, then make sure DNS entries are created for the new nodes and the existing deployment nodes, both forward and reverse lookup records. You can test by doing an nslookup from the CLI of the new nodes and the existing Primary Admin, for both the FQDN and the IP address.

JohnNewman7082
Level 1

There's quite a bit of information needed to help here.

Is the new PSN across a WAN from the PAN?

Is it behind a firewall from the PAN?

To start, you need to ensure you have the following ports open bi-directionally between your nodes:

  • HTTPS (SOAP): TCP/443

  • Data synchronization/ Replication (JGroups): TCP/12001 (Global)

  • ISE Messaging Service: SSL: TCP/8671

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

Ensure you are using the same NTP server and that DNS (FQDN and short name) are resolvable on both sides.

 

If you're across a WAN, be sure to check your bandwidth:

https://community.cisco.com/t5/security-documents/ise-latency-and-bandwidth-calculators/ta-p/3641112

If all of that checks out, I would suggest opening a ticket with TAC to look into the registration logs.
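The checks both replies describe (DNS forward and reverse agreement, the three TCP ports between nodes, and whether the peer's certificate chains to a CA the new node trusts) as one script to run from the node being added. This is an added example, not Cisco's or the posters' code; the hostname, IP and CA bundle path in the usage note are placeholders, and the port list is taken from the reply above.

```python
"""Pre-registration checks for a new ISE node: DNS both ways, required ports, cert trust."""
import socket
import ssl

# TCP ports the reply above lists as required bi-directionally between ISE nodes.
REQUIRED_PORTS = {443: "HTTPS/SOAP", 12001: "JGroups replication", 8671: "ISE Messaging"}

def dns_consistent(forward_ips, reverse_names, fqdn, expected_ip):
    """True when the A record holds expected_ip and the PTR for expected_ip names fqdn."""
    want = fqdn.rstrip(".").lower()
    names = {n.rstrip(".").lower() for n in reverse_names}
    return expected_ip in set(forward_ips) and want in names

def resolve_both_ways(fqdn, expected_ip):
    """Live forward/reverse lookup for one node (what nslookup on FQDN and on IP should agree on)."""
    try:
        forward = {r[4][0] for r in socket.getaddrinfo(fqdn, None, socket.AF_INET)}
    except socket.gaierror:
        forward = set()
    try:
        reverse = [socket.gethostbyaddr(expected_ip)[0]]
    except OSError:
        reverse = []
    return dns_consistent(forward, reverse, fqdn, expected_ip)

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (firewall / WAN path check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def missing_ports(host, ports=REQUIRED_PORTS, probe=tcp_open):
    """Ports from `ports` that are NOT reachable on host; `probe` is injectable for offline tests."""
    return {p: d for p, d in ports.items() if not probe(host, p)}

def cert_trusted(host, cafile, port=443, timeout=3.0):
    """Does the peer's certificate chain to the CA bundle this node trusts? (True, None) or (False, why)."""
    try:
        # cafile is the Root + Intermediate chain of the existing deployment, as the first reply describes.
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, None
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
```

Run it from the new node against the PAN, e.g. `resolve_both_ways("ise-pan.example.local", "192.0.2.10")`, `missing_ports("ise-pan.example.local")` and `cert_trusted("ise-pan.example.local", "/path/to/deployment-ca-chain.pem")` (placeholder values), and repeat from the PAN towards the new node, since registration needs trust and reachability in both directions.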
