
Beginner

Kerberos check: sasl connectivity to AD failed

I have attached a screenshot of the error. ISE cannot connect to AD. All was working fine until ISE hung. After it was rebooted, ISE can't join AD.

Tried all the methods mentioned in the forums. TAC troubleshot for hours, but in vain.

Can someone help in getting this resolved?

VIP Engager

Re: Kerberos check: sasl connectivity to AD failed

 

- Is there anything additional in the Windows AD-parent eventvwr concerning AD (error) messages at the time ISE was supposed to reconnect?

M.

Beginner

Re: Kerberos check: sasl connectivity to AD failed

Need to check on that, but there's a secondary ISE server. It's working perfectly. Both ISE servers were in Active-Passive HA.

VIP Engager

Re: Kerberos check: sasl connectivity to AD failed

 

- You mean only the passive node has the problem, and/or is it a 'real problem'?

M.

Beginner

Re: Kerberos check: sasl connectivity to AD failed

Only the active device has the issue.

VIP Engager

Re: Kerberos check: sasl connectivity to AD failed

 

- If your ISE setup is in 'dead water' as a result, I would first consider patching up to the latest available in the current ISE version being used.

M.

Collaborator

Re: Kerberos check: sasl connectivity to AD failed

Hi,

Before considering an ugly bug (which TAC should be aware of based on the version you're running), make sure that:

- the required ports between ISE and DNS/AD servers are open (maybe someone made some changes)

- if the DNS server configured on ISE is not the same as your AD server, ensure that it can resolve all the FSMO roles of all DCs from your AD

Regards,

Cristian Matei.
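
The two checks suggested in the reply above (AD service ports reachable, DC locator records resolvable through the DNS server ISE is configured with), as an added example that is not part of the thread or any Cisco tooling. It is meant to run from a Linux host on the same network segment as the ISE node and assumes BIND-style `nslookup` output; the port list, the `corp.example` domain and all function names are assumptions of this example.

```python
import socket
import subprocess
import sys

# Well-known AD service ports, TCP only (this example's assumption, not a list from the thread).
AD_TCP_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB", 464: "kpasswd", 3268: "GC"}
# DC locator SRV records; the pdc record points at the PDC emulator role holder.
SRV_PREFIXES = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp", "_ldap._tcp.pdc._msdcs")
# Constructed sample of BIND-style `nslookup -type=SRV` output (corp.example is a placeholder).
SAMPLE = """Server:\t\t192.0.2.10
Address:\t192.0.2.10#53

_ldap._tcp.dc._msdcs.corp.example\tservice = 0 100 389 DC1.corp.example.
_ldap._tcp.dc._msdcs.corp.example\tservice = 0 100 389 dc2.corp.example.
"""

def parse_srv(text):
    """Return sorted unique (target, port) pairs from nslookup SRV answer lines."""
    found = set()
    for line in text.splitlines():
        fields = line.partition("service =")[2].split()  # priority weight port target
        if len(fields) == 4 and fields[2].isdigit():
            found.add((fields[3].rstrip(".").lower(), int(fields[2])))
    return sorted(found)

def lookup_srv(domain, dns_server):
    """Ask dns_server for each locator record; an empty list means no usable answer."""
    out = {}
    for prefix in SRV_PREFIXES:
        name = f"{prefix}.{domain}"
        cmd = ["nslookup", "-type=SRV", name, dns_server]
        out[name] = parse_srv(subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout)
    return out

def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or host name not resolvable
        return False

def blocked_ports(hosts, probe=tcp_open):
    """Map each host to the AD services whose TCP port did not accept a connection."""
    return {h: [f"{n}/{p}" for p, n in AD_TCP_PORTS.items() if not probe(h, p)] for h in hosts}

if __name__ == "__main__" and len(sys.argv) == 3:  # usage: <script> <ad-domain> <dns-server-ip>
    srv = lookup_srv(sys.argv[1], sys.argv[2])
    print(srv)  # any record with an empty list did not resolve via that DNS server
    print(blocked_ports(sorted({t for v in srv.values() for t, _ in v})))
```

A record that comes back empty points at the DNS side of the reply's checklist; a DC with entries in the second dictionary points at filtering between the segment and that DC.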

Beginner

Re: Kerberos check: sasl connectivity to AD failed

Thank you,

- the required ports between ISE and DNS/AD servers are opened (maybe someone did some changes)

Yes, it's opened. Both are in the local LAN network.

- if the DNS server configured on ISE is not the same as your AD server, ensure that it can resolve all the FSMO roles of all DCs from your AD

DNS is used as AD DNS server.

Collaborator

Re: Kerberos check: sasl connectivity to AD failed

Hi,

Try patching first, rebooting second, rejoining AD third.


Regards,

Cristian Matei.