We were making some changes to our ISE deployment and then noticed that the nodes (2) were not in sync. We have tried the manual sync, and we have deregistered the node and done an application reset-config, but this has not worked. We are attempting to get a TAC case started but are having trouble with the maintenance contract provider.
I am hoping to have support tomorrow but would like any suggestions to see if I can resolve the issue.
Are there any firewalls in between your PAN and the secondary nodes that are out of sync? If so, check the firewall logs to see if anything is being dropped. Maybe restart the services on the PAN? And give it some time too. Depending on how far out of sync they are, it could take a while. Otherwise, work with TAC as soon as you can.
After working with TAC, a reboot of the primary node was performed last night and the nodes are now registered. One last issue we have is that we use RSA SecurID as an external identity source. The secondary node is still failing for TACACS/RADIUS as it can't look up users in RSA. Checking the nodes, I see that the secondary node doesn't have a Node Secret. I don't want to break the node that is working, but how do I get the secondary node working again with RSA?