Solved: ISE registering node via other interface than gi0

xbill42 · ‎04-28-2020

Hi,

Is it possible to use another interface than the default gi0 for the communication betweeb PAN and PSN ?

The registering fails with communication problems when I use the gi1 fqdn of the PSN.

Setup :

I have a PAN ans a PSN both with 2 interfaces.

gi0 is used for admin GUI on both. I want to use gi1 for the communication between PAN and PSN.

I've configured the fqdn on the gi1 interface with the "ip host command"

I'm using SAN certificate for PAN and PSN with both gi0 and gi1 fqdn.

Both fqdn are resolvable via DNS.

Best regards

Greg Gibbs · ‎04-28-2020

Yes... as per the ISE Ports Reference, all Management, Replication, and Synchronization is restricted to only the Gig0/Bond0 interface. The communication between the PAN and PSN is part of the Replication/Synchronization.

View solution in original post

xbill42 · ‎04-28-2020

Hi,

I've done some capture on gi1 interface of the PAN, I can see https trafic between PAN and PSN on gi1. I can see the server hello done.

But after that the PAN reset the connection.

The doc says : Cisco ISE management is restricted to Gigabit Ethernet 0 but does it also include communications between PAN and PSN ?

Best regards

Arne Bier · ‎04-28-2020

Hi

If you perform the commands

term len 0
show tech-support

on an ISE node, you'll see the iptables (firewall) rules that Cisco has implemented at the Linux OS level. I believe it's by design to allow only that traffic on Gig0. I don't have a node with two interfaces, but give that a try. Log the output to a file and search for "iptables"

Greg Gibbs · ‎04-28-2020

Yes... as per the ISE Ports Reference, all Management, Replication, and Synchronization is restricted to only the Gig0/Bond0 interface. The communication between the PAN and PSN is part of the Replication/Synchronization.