ISE primary, secondary questions

Steven Williams
Level 4

I am trying to cluster two ISE Nodes for primary and secondary.

 

I am not sure if the issues are related to the fact that each node has a different FQDN as in they don't have the same suffix. One is domainA.com and the other is domainB.com. I am not sure thats an issue since we have a cross forest trust. The primary is joined to the domain, the secondary is not. I have exported and imported the self signed cert from secondary and imported into primary. The sync is unsuccessful. Do I need to join the secondary to the domain joint point before registering secondary node?

Accepted Solution

Engaged TAC, and it was an issue with my ISE version; bringing it up to the latest Patch 10 fixed the issue.


21 Replies

Nadav
Level 7

Hey there,

 

Joining two ISE nodes in a cluster has nothing to do with AD membership. Let's call the primary node N1, and the secondary node N2.

 

When you register a node to N1, you are asked to accept N2's public cert (admin role) and supply the admin credentials of N2. N2 is then added to the deployment after restarting automatically.

 

This can be done without any external identity source whatsoever. This of course assumes you don't have the relevant ports blocked between the two nodes, that you know the credentials of N2, and that if you previously joined a server with N2's FQDN to the deployment that you delete its cert from the Trust store of N1 so that it can accept the new cert with the same FQDN.

yalbikaw
Cisco Employee

As noted in the previous comment, what I can add is: give us any specific output, like what you are seeing exactly. AD has nothing to do with their sync; if they have a trusted certificate for both, and both of them can resolve each other, then things should be fine.

 

So I need to export and import the self-signed cert on each, for each?

 

Export it as the public key, alright? Like, only export the certificate and import it into the trusted certificate store.

 

Then proceed with joining them.

 

Now make sure, from the CLI, to test the DNS resolution and connectivity.

 

Let me know how it goes.

I only exported the cert from Node 2 and imported into Node 1 trusted store. 

 

Do I need to export out of Node 1 and import into Node 2?

Exactly, mutual authentication; that's what will happen.

 

I've never had to do the import and export between the two manually; you simply register N2 to N1 from the "Deployment" menu, are asked to accept N2's public certificate, provide N2's FQDN and admin credentials, and pick N2's persona as you see fit.

 

The chapter "Register a Secondary Cisco ISE Node" in the following link explains this perfectly:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html

 

Just keep in mind that it'll take anywhere from 20 minutes to half an hour until N2 fully syncs up, and it will undergo a reset during that time. You may want to access N1 via SSH during this time and run "show logging application deployment.log tail" just to see how things are coming along.

I never get a prompt to accept any kind of cert, it just tells me that it failed on cert validation or something like that. 

 

I can get it to register and it starts to sync, but then it fails after a few hours. What logs can I look at?

 

Mind taking a screenshot of the error message for us?

You may have a certificate in your trust store with the same CN as N2's admin certificate. For example if N2's admin certificate is "CN=N2.mycompany.com" and your trust store in N1 has a different cert with the same CN, that could cause a problem. I've had this happen before when forcefully removing a secondary node without deregistering it properly, and then trying to add the node back to the deployment.

The command I supplied for deployment.log is the log I'd check out; it's the one that's relevant for any deployment operations.

[screenshot: dsvcert.jpeg] This is the trusted cert store on Node 1 (primary).

 

Node 2 is CENPINFISE01

In my opinion the safest bet is:

 

1) Remove N2 and N1's Trusted certificates from each other

2) Make sure both N1 and N2 are resolvable by DNS to one another (actually ping each other's FQDN from SSH)

3) Make sure the traffic between N1 and N2 isn't blocked by a firewall or whatnot. 

4) Add N2 from the deployment screen of N1. First thing you should get is a big popup asking you to accept N2's certificate, then you provide N2's admin credentials, then you pick the personas.

 

Take a look at the link I provided you earlier. And you should upload the screenshot of the error you receive, if any.
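The pre-registration checklist above (clear CN collisions in the trust store, confirm mutual DNS resolution, confirm the inter-node ports are open) as an added Python example; this is not Cisco's or the poster's code. It assumes trust-store subjects can be exported as text, uses a constructed trust-store listing with hypothetical subjects, and assumes the port list from Cisco's ISE port reference, which you should verify for your version.

```python
import socket
# Inter-node TCP ports, assumed from Cisco's ISE port reference (verify for your version):
# 443 admin HTTPS, 1521 database replication, 12001 JGroups cluster traffic.
ISE_NODE_PORTS = (443, 1521, 12001)
# Constructed trust-store listing (hypothetical subjects), as on the Trusted Certificates page.
SAMPLE_TRUST_STORE = [
    "CN=CENPINFISE01.domainB.com,OU=IT,O=Example",
    "CN=CENPINFISE01.domainB.com,OU=Lab,O=Example",  # stale cert from an earlier registration
    "CN=Example Root CA,O=Example",
]

def subject_cn(subject):
    """Extract the CN attribute from an RFC 2253-style subject string."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""

def cn_conflicts(trust_store, peer_cn):
    """Step 1: trusted certs whose CN collides with N2's admin certificate CN."""
    return [s for s in trust_store if subject_cn(s).lower() == peer_cn.lower()]

def resolve_all(fqdns, resolve=socket.gethostbyname):
    """Step 2: map each FQDN to its IP, or None when the DNS lookup fails."""
    result = {}
    for fqdn in fqdns:
        try:
            result[fqdn] = resolve(fqdn)
        except OSError:  # socket.gaierror is an OSError subclass
            result[fqdn] = None
    return result

def tcp_open(host, port, timeout=3.0):
    """Step 3 helper: plain TCP connect test to one port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(n1, n2, trust_store, peer_cn, ports=ISE_NODE_PORTS,
              resolve=socket.gethostbyname, connect=tcp_open):
    """Run steps 1-3; an empty findings list means registration can be attempted."""
    findings = [f"trust store already holds CN={peer_cn}: {s}"
                for s in cn_conflicts(trust_store, peer_cn)]
    ips = resolve_all((n1, n2), resolve)
    findings += [f"DNS: {fqdn} does not resolve" for fqdn, ip in ips.items() if ip is None]
    if ips[n2]:
        findings += [f"TCP {p} to {n2} blocked" for p in ports if not connect(n2, p)]
    return findings
```

Run `preflight` from a host that sits where N1 does (or on N1 itself, if you have a way to run it) so the port checks reflect the real path through the firewall; the `resolve` and `connect` parameters exist so the logic can be exercised offline.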

Adding to that, the automatic import of the certificate is a feature introduced starting in 2.3 or 2.4 (I'm unsure which), but not in any version below that. All you need to do is add CENPINFISE01 in the trusted store of the primary node and then ADD. If you are unable to join, let us know the error. If it takes, say, a couple of hours and then fails, I would suggest opening a TAC case for assistance in solving this, since, you know, that's what TAC does :).

I am running 2.2 so no auto cert enrollment.

 

After the sync began, a few hours later this was the message:

 

[screenshot: Deployment Status]

 

The two servers are across the WAN, and the firewalls are allowing IP any from each node to the other.

If it is taking 2 hours to tell you that the sync or registration failed, it is highly unlikely that it has anything to do with the WAN, as the connectivity checks are done when you click on register after entering credentials. This ideally points to something to do with the PAN. There is a very well known issue that causes replication to fail which has to do with the CPMNS tablespace; CSCvc79739 is the bug ID. Can you check your show tech output, filter out the lines with CPMNS, and share? I wanted you to open a TAC case for this since it requires TAC intervention anyway to fix.