
Does the ISE SAN node require a separate license, or does the PAN node license work?

chandrandt
Level 1

We have two ISE nodes in our deployment, configured in VMs.

One is the PAN (DC) and the other is the SAN (DR).

Our DR node became unreachable. Both nodes are at different locations.

When we checked physically, we found an HDD issue at the DR node. We replaced the HDD, but the OS was not booting.

We reconfigured from scratch.

We configured RAID and ESXi 6.7, configured the VM, and installed ISE 3.0 in the VM.

Now the ISE application is successfully installed and we are able to log in through the GUI,

but Evaluation mode is showing 89 days.

We have a valid license on the primary node.

Due to restrictions we can't have internet connectivity so can generate new token and can register through CSSM.

I have heard offline activation can be done through PAK.

Or is any other offline option available?

I also read the details below on the Cisco portal:

Currently the secondary node is standalone and not in the network. When we bring it into the network and sync it with the primary node, the license issue will get resolved, because last time also we renewed the license only on the primary node.

Primary Node

In a Cisco ISE deployment, only one appliance can serve as a Cisco ISE primary node. This primary node provides configuration capabilities and is the source for all replication operations.

When in a primary-secondary pair, only the primary and secondary nodes that operate as the Administration persona need to be configured in the license file. When you install the license file on the primary, the license requirements for the secondary node are met.

Secondary Node

Because the network can only have a single primary Cisco ISE node, all other Cisco ISE nodes function as secondary nodes. Although the Cisco ISE secondary nodes receive all the system configurations from the primary node, you must configure the following on each secondary node:

  • License—When the base license is installed on the primary, replication copies the license onto each of the Cisco ISE secondary nodes in the deployment.

 

 

 

 

 

 


When you join the secondary PAN to the deployment the licenses will sync up automatically. If that doesn’t happen you might need to remove the old instances from the smart account and ISE automatically updates the portal with the new instances details.

Hi Aref,

 

Thanks for your feedback.

One more issue we are facing: we are not able to register our secondary node in the deployment. When we register it on the primary, it shows that the primary node is unreachable with the FQDN of the DR node.

We don't have a DNS server in our environment, so manual entries for the FQDNs were given on both nodes through the CLI.

We are able to ping both nodes from each other through IP and FQDN. Also, Cisco TAC tested this without a DNS server and they were able to register the secondary node, but we are not able to register.

Can you help us with some solution?

You're welcome. I'd never come across this specific issue. One thing that comes to mind would be to temporarily remove the configured DNS servers on both ISE nodes and replace them with their own IP addresses? Not sure if that would resolve the issue though. If not, why not add the ISE FQDNs to your public DNS provider, creating the entries with the private IP addresses, and then remove the CLI manual entries? For instance, ise1.yourdomain.com => 10.10.10.1 and ise2.yourdomain.com => 10.10.10.2. In that case ISE will still rely on the public DNS, and will get the private IP in the resolution.

hslai
Cisco Employee

@chandrandt Please try what Aref suggested. Or, you may re-register Smart Licensing to get it updated. These need to be done whether we change the number of admin nodes or promote the 2nd admin node to primary. If a node becomes standalone, then yes, it does not its own Smart Licensing registration. The offline option is either to use a Cisco Smart Software Manager On-Prem or to use specific license reservation (SLR).

Thanks hslai

Thanks for your feedback.