ISE Nodes both become Primary

DEAN WETHERALD
Level 1

Hi,

We are deploying 2 x 3415 ISE appliances for a customer as a Primary/Secondary admin cluster. We are running Version 1.2.0.899-5-93975. Everything was going to plan with the deployment, and when we manually promoted the Secondary all worked well. We then attempted some testing prior to going into production. We simulated a switch port failure which in effect isolated our Primary ISE. We then promoted our Secondary ISE and resolved the switch issue, so we then had both ISEs as Primary Admins. It would be good at this point to simply 'demote' the Secondary back to Secondary, but this is not an option. We tried to break the cluster by de-registering the Secondary from the Primary. We then got into a situation where we couldn't fully break the cluster, and the end result is that the Secondary is showing a 500-Internal error (see attached) and we are unable to browse to the GUI. I suspect I need to re-image the Secondary now and re-join it back to the cluster.

Is there anything documented as to how to recover from a situation where both appliances become Primary? You would think this should be fairly straightforward. Also, has anyone come across the 500-Internal error when attempting to log into the appliance, and if so, how did you resolve it? From the CLI all services are running.

Any assistance/guidance would be appreciated,

Dean

Naresh Ginjupalli
Cisco Employee

Do you have any IP restriction enabled? Seems like node promotion had some issue in this case.

Sent from Cisco Technical Support iPad App

Thanks for the reply,

Both appliances are on the same subnet, so they have full IP connectivity with each other. We're actually thinking that might be the issue. I'm going to re-image the secondary and form the cluster. I will re-do my testing, but this time take the Primary offline as the secondary comes back up.

It might be a while until we can re-test but I'll let you know the results.

Thanks,

Dean

I have the same scenario as yours: ise1 is primary Admin/MNT and ise2 is secondary Admin/MNT. The ise1 IP address is 192.168.1.1/24 and ise2 is 192.168.1.2/24. They are both on the same subnet.

Simulate a disaster: shut down the switchport that ise1 is connected to.

1- Manually promote ise to primary Admin/MNT. After that, make a bunch of changes to ise2.

2- Bring back ise1. At this point, both ise1 and ise2 are shown as Primary Admin.

3- From the WebUI in ise2, highlight ise and hit the button "sync-up". That will force ise1 to become Secondary Admin.

4- Once everything is synced, log into the ise1 WebUI and manually promote ise1 to be Primary Admin/MNT again.

Does that make sense?

Many thanks,

Hopefully we will be able to re-do our testing in a few weeks so I'll let you know the outcome.

Dean

Just re-tested. This worked a treat. Everything worked as scripted.

Really appreciate your input.

Thanks,

Dean

Muhammad Munir
Level 5

Hi Dean,

Regarding your query, please have a look at the given link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp193986