
ISE PSN Failover

Terry
Level 1

Hi, we have a 2-node ISE deployment with authentication requests going to ISE1. This is configured for multiple different connection types and all works as expected. However, when I test the PSN failover by removing ISE1 from the network I have issues with wired DOT1X connections (EAP-TLS). In the logs I am seeing attempts to ISE2 but the following error:

5440 Endpoint abandoned EAP session and started new

I have tried resetting the client NIC / rebooting and removing the client from ISE but still experience the same problem.

When I bring ISE1 back online everything works again as it should.

Any help on this would be appreciated.

Thanks

Terry

Accepted Solution

Marvin Rhoads
Hall of Fame

The most common cause would be a certificate issue. Do the PSN certificates match on both nodes? Typically we would have a single certificate with SANs for each node.

Are you using native supplicant? If so do you have "Verify the server's identity..." (certificate matching) checked in the supplicant configuration? See step 9 here:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-431024936

3 Replies

Hi Marvin,
Thanks for your reply.
Each node has its own certificate issued by the CA hierarchy with its FQDN in the CN; the SAN option is not being used.
The identity certificates on both nodes have the EAP service associated and both have the correct CA root / chain installed.
I'm just double checking the Windows native supplicant, but would expect this to be ok as we don't have a problem with connections to ISE1.
I can't see a problem with the above setup, but am I missing something with regards to the SAN option?
Thanks
Terry

hslai
Cisco Employee

Check the step section of the auth details report and see how far it got. You might also need debugging on the client side. Or, restart ISE services on the second node. Please engage Cisco TAC if you need help troubleshooting it further.
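The accepted answer points at the supplicant's "Verify the server's identity" setting and at the choice between one SAN certificate for both nodes and a per-node CN-only certificate (the layout Terry describes in his follow-up). The script below is an added example, not code from the thread, from Cisco or from ISE: it models the three gates a validating EAP-TLS supplicant applies to whichever PSN answers (trusted issuer, serverAuth usage, server-name match against the "Connect to these servers" list) and runs them against throwaway lab certificates for ISE1 and ISE2. It assumes the third-party `cryptography` package is installed; every hostname and CA name in it is a constructed placeholder, and the "empty server list accepts any trusted name" rule is modelled after the Windows native supplicant rather than taken from the thread.

```python
"""
Added example, not code from the thread or from Cisco: a model of what an
EAP-TLS supplicant with "Verify the server's identity by validating the
certificate" enforces when a request fails over from one ISE PSN to another.
Requires the third-party 'cryptography' package (assumed installed); all
names below are constructed lab placeholders.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _issue(subject_cn, issuer, issuer_key, subject_key, sans=(), is_ca=False):
    """Mint a lab certificate in memory. issuer=None means a self-signed root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer.subject if issuer is not None else subject)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    if not is_ca:
        # A PSN's EAP certificate is an ordinary TLS server certificate (serverAuth EKU)
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def _dns_names(cert):
    """Names a supplicant may match: subject CN plus any DNS SANs, lower-cased."""
    names = {a.value.lower() for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names.update(n.lower() for n in san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    return names


def supplicant_accepts(server_cert, trusted_roots, connect_to_servers=""):
    """Return (accepted, reason) for one PSN's EAP certificate.

    Gates, in the order a validating supplicant applies them:
      1. the issuer is a trusted root whose key verifies the signature,
      2. the certificate carries the serverAuth EKU,
      3. if "Connect to these servers" (semicolon-separated) is set, one of the
         certificate's CN/SAN names must be on it. An empty list accepts any
         name from a trusted root (modelled on the Windows native supplicant;
         an assumption of this example, not a statement from the thread).
    """
    for root in trusted_roots:
        if root.subject != server_cert.issuer:
            continue
        try:
            root.public_key().verify(
                server_cert.signature, server_cert.tbs_certificate_bytes,
                ec.ECDSA(server_cert.signature_hash_algorithm))
            break
        except InvalidSignature:
            continue
    else:
        return False, "issuer is not a trusted root"
    try:
        eku = server_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no extended key usage"
    if ExtendedKeyUsageOID.SERVER_AUTH not in list(eku):
        return False, "certificate not valid for server authentication"
    allowed = {n.strip().lower() for n in connect_to_servers.split(";") if n.strip()}
    if not allowed:
        return True, "trusted issuer, no server-name restriction"
    names = _dns_names(server_cert)
    if names & allowed:
        return True, "trusted issuer and name match"
    return False, f"names {sorted(names)} not in connect-to list {sorted(allowed)}"


def failover_check(connect_to_servers, shared_san_cert=False):
    """Build a lab root plus the two PSN certificates and test each against the
    supplicant policy. shared_san_cert=True models the accepted answer's layout
    (one certificate with a SAN per node on both PSNs); False models one
    CN-only certificate per node. Returns {"ise1": (ok, why), "ise2": (ok, why)}.
    """
    ca_key = ec.generate_private_key(ec.SECP256R1())
    root = _issue("Lab Root CA", None, ca_key, ca_key, is_ca=True)
    if shared_san_cert:
        shared = _issue("ise.example.test", root, ca_key, ec.generate_private_key(ec.SECP256R1()),
                        sans=("ise1.example.test", "ise2.example.test"))
        certs = {"ise1": shared, "ise2": shared}
    else:
        certs = {node: _issue(f"{node}.example.test", root, ca_key,
                              ec.generate_private_key(ec.SECP256R1()))
                 for node in ("ise1", "ise2")}
    return {node: supplicant_accepts(cert, [root], connect_to_servers)
            for node, cert in certs.items()}


if __name__ == "__main__":
    # Supplicant pinned to ISE1's name only: the client itself refuses ISE2 on failover
    print(failover_check("ise1.example.test"))
    # Both FQDNs listed: either node is accepted
    print(failover_check("ise1.example.test;ise2.example.test"))
    # One SAN certificate on both nodes, the layout the accepted answer describes
    print(failover_check("ise1.example.test;ise2.example.test", shared_san_cert=True))
```

The useful comparison is the first two runs: with per-node CN-only certificates and a supplicant list naming only ISE1, ISE1 passes and ISE2 fails on the name gate even though its certificate chains to the same trusted root, which is the client-side outcome to rule out (or confirm, in the ISE auth-details steps and a client-side supplicant trace) before treating the failover as a server problem.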