Showing results for 
Search instead for 
Did you mean: 

ISE Secondary Server authentication issue

Level 1
Level 1

I have two ISE servers both running version  One is a primary located in our data center while the other is a secondary located at a remote site.  Secondary acts as the primary auth server for the remote site.  Both have been working fine, had one issue where I would got alerts about contacting the DC but a reboot fixed the issue.  Today I had an issue that started with the following alerts in order:


NTP Sync Failure\Joined domain is unavailable\AD forest unavailable\AD not  joined\AD: Machine TGT refresh failed


I tried restarting the services which didn't work so I rebooted the server.  Everything seemed to be working fine as all the alerts stopped and the status was "operational" as an identity source.  Well the alerts stopped but the server is no longer authenticating devices. All devices from the remote site are failing over to the primary.  Checked the time on the server, removed the server from the domain and add it back but it still will not authenticate any users.  Our primary is authenticating the failed devices but I would like to get the secondary working it’s located at a remote site and the authentication is now being done across a WAN.


All of the dropped authentications show  "Failure Reason 11007 could not locate Network Device or AAA Client."


Any ideas as to where to look next?






4 Replies 4

Hello @quentincorbett

Wondering if you gave the logs some check. Logs looks pretty much auto explained ""NTP Sync Failure\Joined domain is unavailable\AD forest unavailable\AD not  joined\AD: Machine TGT refresh failed""

ISE is pretty sensitive to NTP. And if this is not properly communicating with AD we can't expect good things.


-If I helped you somehow, please, rate it as useful.-


I've experienced the same issue. These two new bugs might be related. 


CSCvg19243: ISE is sensitive to high values of "Root Dispersion" for NTP server

CSCvg19246: ISE unable to make persistent changes to ntp.conf


The workaround is to change ntp.conf file : tos maxdist 16. But if the appliance is reloaded the issue will re-occur. Only TAC can do the workaround  by installing root patch.

Thanks, I will open a TAC case to see if they can resolve the issue.

Thanks for your response but all the errors cleared after a reboot and the ISE server is communicating with the DC but for some reason it is no longer authenticating.