ISE primary, secondary questions

Steven Williams
Level 4

I am trying to cluster two ISE Nodes for primary and secondary.

 

I am not sure if the issues are related to the fact that each node has a different FQDN, as in they don't have the same suffix. One is domainA.com and the other is domainB.com. I am not sure that's an issue since we have a cross-forest trust. The primary is joined to the domain, the secondary is not. I have exported the self-signed cert from the secondary and imported it into the primary. The sync is unsuccessful. Do I need to join the secondary to the domain join point before registering the secondary node?

21 Replies

ognyan.totev
Level 5

Hi, in old versions of ISE like 2.1, 2.2 you must import certificates manually or use a wildcard certificate. In my deployment I use a wildcard certificate on all nodes, and if I add a new node to the cluster I just add the certificate to it.

Could you please check the logs for deployment.log and replication.log from Operations > Troubleshoot > Download Logs > Debug Logs of the primary ISE UI?

 

This could help in checking what might have gone wrong.

 

I engaged TAC and it was an issue with my ISE version, and bringing it up to the latest Patch 10 fixed the issue.

Also some more info for anyone who wants to move from 2.2 to 2.3 or higher. This was the recommendation by the TAC engineer.

 

 

As of now, the recommended ISE version for non DNA-C integrations is actually 2.2 latest patch. If you do have DNA-C, the recommended would then be 2.3 latest patch. And we are not recommending to upgrade to ISE 2.4 yet unless you have a major reason to do so, like some sort of high-impact bug that is only fixed on 2.4 or something like that.

 

If you do not really need to upgrade to 2.3, staying in 2.2 latest patch will be the recommendation.

 

Correct

That is really good info to know. The one thing I do want to move to ISE 2.3 is the ability to give users read-only access to certain areas of the application. I don't think this is available in the 2.2 version. 

Also correct. Feel free to move to 2.3 if you’re needing that or you can wait until 2.4 is blessed as our official long term recommended release

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html