Solved: ISE Nodes out of sync

joeharb · ‎10-03-2019

We made were making some changes to our ISE deployment and then noticed that the nodes (2) were not in sync. We have tried the manual sync and we have deregistered the node and did an application reset-config but this has not worked. We are attempting to get a TAC case started but having troubles with maintenance contract provider.

I am hoping to have support tomorrow but would like any suggestions to see if I can resolve the issue.

Thanks,

Joe

joeharb · ‎10-08-2019

We were able to correct the issue by going into RSA and clearing the node secret, on the next attempt, ISE and RSA created an new shared secret.

All is good now..

Thanks,

View solution in original post

Colby LeMaire · ‎10-03-2019

Are there any firewalls in between your PAN and the secondary nodes that are out of sync? If so, check the firewall logs to see if anything is being dropped. Maybe restart the services on the PAN? And give it some time too. Depending on how far out of sync they are, it could take a while. Otherwise, work with TAC as soon as you can.

joeharb · ‎10-08-2019

After working with TAC a reboot of the primary node was performed last night and the nodes are now registered. One last issue we have is that we use RSA SecureID as a external identity source. The secondary node is still failing for TACACS/Radius as it can't look up users on in RSA. Checking the nodes I see that the secondary node doesn't have a Node Secret. I don't want to break the node that is working but how do I get the secondary node working again with RSA?

joeharb · ‎10-08-2019

We were able to correct the issue by going into RSA and clearing the node secret, on the next attempt, ISE and RSA created an new shared secret.

All is good now..

Thanks,

Colby LeMaire · ‎10-08-2019

Excellent! Glad to hear it's all working now.

paulo cobo · ‎02-15-2024

I had the issue and was not able to Sync. The RELOAD command on primary node CLI fixed it.