07-16-2025 07:19 AM
I'm trying to turn up a test instance of ISE in AWS, and I'm getting this "name resolution failed" message when trying to connect to the GUI either through the IP address or the DNS name I set for the elastic IP.
Is there a step I'm missing where you need to set the DNS name via the CLI or something? I can ssh in, but there's no "setup" when it's deployed via AWS marketplace.
See show application status ise below
ise542/iseadmin#show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          13979
Database Server                        running          77 PROCESSES
Application Server                     running          29063
Profiler Database                      running          19912
ISE Indexing Engine                    not running
AD Connector                           running          33117
M&T Session Database                   running          25773
M&T Log Processor                      running          29294
Certificate Authority Service          running          32958
EST Service                            running          56080
SXP Engine Service                     disabled
TC-NAC Service                         disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE Messaging Service                  running          16650
ISE API Gateway Database Service       running          18927
ISE API Gateway Service                running          24501
ISE pxGrid Direct Service              running          45497
Segmentation Policy Service            disabled
REST Auth Service                      disabled
SSE Connector                          disabled
Hermes (pxGrid Cloud Agent)            disabled
McTrust (Meraki Sync Service)          disabled
ISE Node Exporter                      running          33826
ISE Prometheus Service                 running          36688
ISE Grafana Service                    running          39016
ISE MNT LogAnalytics Elasticsearch     disabled
ISE Logstash Service                   disabled
ISE Kibana Service                     disabled

ise542/iseadmin#
07-16-2025 08:41 AM
It seems like you are encountering a DNS resolution issue when trying to access the Cisco ISE GUI via the Elastic IP or DNS name assigned to your instance in AWS. Since you're able to SSH into the instance, the problem is likely related to the network configuration or the hostname/DNS settings of your ISE deployment.
Here are a few things to check and steps to follow to resolve this issue:
1. Check DNS Resolution on the Instance
Since the ISE instance is in AWS, it should be able to resolve DNS queries via AWS's internal DNS or the DNS server you configured. Let's start by verifying the basic DNS settings on the instance itself.
SSH into your ISE instance.
Run the following commands to verify whether DNS resolution is working correctly on the instance:
bash
nslookup google.com
If this returns an IP address, DNS resolution is working fine. If it fails, you'll need to ensure that the instance has proper DNS settings.
You can also check the /etc/resolv.conf file to ensure it has valid nameserver entries. For example:
bash
cat /etc/resolv.conf
Ensure that it contains something like:
bash
nameserver 169.254.169.253 # AWS default DNS resolver
If DNS settings are incorrect or missing, you may need to configure the VPC DNS settings in AWS.
2. Ensure Proper DNS Configuration in AWS
In AWS, instances that are part of a VPC should automatically use AWS's internal DNS resolver. If you're using a custom DNS or DNS server, you may need to explicitly configure it.
Check VPC DNS Settings:
In the AWS Management Console, navigate to the VPC service.
Under Your VPCs, select the VPC where your ISE instance resides.
Make sure that the DNS Resolution and DNS Hostnames options are enabled for the VPC.
DNS Resolution: Should be enabled (default).
DNS Hostnames: Should be enabled for instances in the VPC to resolve DNS names (default in most cases).
3. Check Hostname Configuration in ISE
Next, ensure that the hostname for your Cisco ISE instance is properly set. In some cases, if the hostname isn’t set or it doesn’t match the Elastic IP/DNS name, DNS resolution will fail.
SSH into your ISE instance.
Check the hostname by running the following command:
bash
hostname
Ensure that it is set to a meaningful name (e.g., ise542 or something relevant to your deployment).
If needed, you can change the hostname temporarily:
bash
sudo hostnamectl set-hostname ise542
Alternatively, you may need to update the /etc/hostname file to reflect the correct hostname.
Check if the FQDN of your instance (DNS name + instance hostname) matches the expected URL you’re using for accessing the GUI.
4. Ensure Proper Security Group and Network ACLs
Make sure that your Security Groups and Network ACLs in AWS allow traffic on the necessary ports for accessing the ISE GUI:
TCP port 443 (HTTPS) should be open for inbound traffic to your Elastic IP.
Verify that there is no VPC firewall or Network ACL blocking traffic from your local network to the ISE instance.
5. Set the DNS Name via the CLI (Optional)
If the DNS name is part of your requirements, you might need to configure the hostname or link it to an external DNS name for easier management.
If you want to configure the DNS or fully qualify the hostname, you can run the following commands inside the ISE CLI:
Set the DNS name for ISE:
bash
ise542/iseadmin# system setup
In the System Setup wizard, you'll be prompted to configure the hostname, DNS, and NTP servers.
You may want to ensure that the ISE instance's hostname matches the DNS name assigned to your Elastic IP.
Ensure that the DNS server is set correctly (likely pointing to AWS's internal DNS or a custom DNS server you use).
6. Check /etc/hosts for DNS Configuration
Another area to check is the /etc/hosts file on the ISE instance. This file is where the system maps IP addresses to hostnames. If you manually configured your DNS or Elastic IP in AWS, you might need to add an entry here.
Open the /etc/hosts file:
bash
sudo nano /etc/hosts
Make sure it has an entry for the instance, like:
bash
127.0.0.1 localhost
10.0.0.x ise542.yourdomain.com ise542
Replace 10.0.0.x with the actual internal IP address of your ISE instance and set the correct FQDN if necessary.
7. Reboot or Restart Services
After verifying or making changes to DNS settings, hostname, or network configurations, it may help to reboot the instance to ensure all settings are applied correctly:
bash
sudo reboot
Alternatively, restart the ISE services if you don’t want to reboot the instance:
bash
ise542/iseadmin# application stop ise
ise542/iseadmin# application start ise
8. Verify Elastic IP and DNS Settings
Lastly, ensure that your Elastic IP is correctly assigned to your instance and that the DNS name you’ve assigned to it is resolvable. If you are using a custom DNS name, make sure you have configured an A record in your DNS provider's system pointing to the Elastic IP of the instance.
Summary of Next Steps:
Check DNS resolution using nslookup or /etc/resolv.conf.
Ensure your VPC DNS settings in AWS are correct (DNS Resolution and DNS Hostnames enabled).
Verify the hostname in ISE and ensure it’s correct.
Ensure the Security Group allows access to port 443.
Check if DNS settings in /etc/hosts need to be updated.
Optionally, use the ISE setup CLI to configure hostname/DNS settings.
Reboot or restart ISE after changes.
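The client-side checks from steps 4 and 8 of the reply above, as an added example that is not part of the original thread: run from the admin workstation, it separates "the name does not resolve", "the name resolves to something other than the Elastic IP" and "TCP 443 is not reachable". The function names are hypothetical, and the default hostname and address are constructed placeholders.

```python
import socket
import sys

def resolve(name, resolver=socket.getaddrinfo):
    """Return the sorted IPv4 addresses `name` resolves to, or [] on failure."""
    try:
        infos = resolver(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def port_open(ip, port=443, timeout=3.0, connect=socket.create_connection):
    """True if a TCP handshake to ip:port completes within `timeout` seconds."""
    try:
        with connect((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False

def diagnose(fqdn, elastic_ip, resolver=socket.getaddrinfo,
             connect=socket.create_connection):
    """Classify the failure from the client's side of the connection."""
    addrs = resolve(fqdn, resolver)
    if not addrs:
        return "dns-no-answer"       # no A record, or it has not propagated
    if elastic_ip not in addrs:
        return "dns-wrong-address"   # A record points somewhere else
    if not port_open(elastic_ip, connect=connect):
        return "tcp-443-blocked"     # security group / NACL / listener down
    return "ok"                      # name and port are fine; look at ISE itself

if __name__ == "__main__":
    # Constructed defaults: a reserved test name and a TEST-NET-3 address.
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "ise542.example.test"
    eip = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.10"
    print(fqdn, eip, diagnose(fqdn, eip))
```

Pass the GUI's DNS name and the Elastic IP as the two arguments; the resolver and connect parameters exist only so the logic can be exercised without network access.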