Kerberos check: sasl connectivity to AD failed

02-29-2020 01:48 AM - edited 02-29-2020 01:48 AM
I have attached a screenshot of the error. ISE cannot connect to AD. All was working fine until ISE hung. After it got rebooted, ISE can't join to AD.
Tried all methods said in forums. TAC troubleshooted for hours, but in vain.
Can someone help in getting this resolved?
Labels: AAA, Identity Services Engine (ISE)
02-29-2020 02:48 AM
- Is there anything additional in the Windows AD-parent eventvwr concerning AD (error)-messages at the time ISE was supposed to reconnect?
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

02-29-2020 03:10 AM
Need to check on that, but there's a secondary ISE server. It's working perfectly. Both ISE servers were in Active-Passive HA.
02-29-2020 09:23 AM
- You mean only passive-node has the problem and/or is it a 'real problem'?
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

03-01-2020 08:35 PM
Only the active device has the issue.
03-02-2020 12:09 AM
- If your ISE setup is in 'dead water' as a result I would first consider patching up to the latest available in the current ISE version being used.
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
01-04-2021 12:30 AM
@manvik have you tried patching? Is your issue already resolved? I have the same issue.
01-04-2021 01:32 AM
It was an issue with the AD server. Once the AD server got fixed, ISE worked perfectly.
01-04-2021 01:46 AM
What particular issue? Maybe there is some checking I missed, especially on the AD.
01-09-2023 07:49 AM
What was the issue? I am dead in the water with this issue and it looks to me to be AD, but my guys are not looking too deep.
If you can state what the issue was, it would be helpful.
01-09-2023 08:22 AM
If I recall correctly it was a firewall issue. Not allowing CLDAP UDP port.
02-29-2020 05:56 AM - edited 02-29-2020 05:56 AM
Hi,
Before considering an ugly bug (which TAC should be aware of based on the version you're running), make sure that:
- the required ports between ISE and DNS/AD servers are opened (maybe someone did some changes)
- if the DNS server configured on ISE is not the same as your AD server, ensure that it can resolve all the FSMO roles of all DCs from your AD
Regards,
Cristian Matei.

03-01-2020 08:37 PM
Thank You,
- the required ports between ISE and DNS/AD servers are opened (maybe someone did some changes)
Yes, it's opened. Both are in local LAN network.
- if the DNS server configured on ISE is not the same as your AD server, ensure that it can resolve all the FSMO roles of all DCs from your AD
DNS is used as AD DNS server
03-05-2020 06:13 AM
Hi,
Try patching first, rebooting second, rejoining AD third.
Regards,
Cristian Matei.
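
An added example, not part of any post in this thread: the port check suggested above and the CLDAP UDP port named as the eventual cause both come down to confirming that a domain controller answers LDAP over UDP, which a TCP connect test cannot show. The Python sketch below sends a rootDSE search over UDP and waits for a reply; port 389, the `dnsHostName` attribute and all function names are assumptions of this example.

```python
import socket

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; short-form length, so body must be < 128 bytes."""
    return bytes([tag, len(body)]) + body

def build_rootdse_query(message_id: int = 1) -> bytes:
    """LDAPv3 SearchRequest: base "", scope base, filter (objectClass=*)."""
    search = _tlv(0x63, b"".join([               # [APPLICATION 3] SearchRequest
        _tlv(0x04, b""),                         # baseObject "" = rootDSE
        _tlv(0x0A, b"\x00") * 2,                 # scope base, derefAliases never
        _tlv(0x02, b"\x00") * 2,                 # sizeLimit 0, timeLimit 0
        _tlv(0x01, b"\x00"),                     # typesOnly FALSE
        _tlv(0x87, b"objectClass"),              # filter: attribute present
        _tlv(0x30, _tlv(0x04, b"dnsHostName")),  # one attribute (assumed choice)
    ]))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + search)

def _read_len(buf: bytes, pos: int):
    """Decode a BER length (short or long form) -> (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_reply(data: bytes):
    """Return (message_id, protocol_op_tag) of an LDAPMessage, else None."""
    try:
        _, pos = _read_len(data, 1)
        n, start = _read_len(data, pos + 1)
        if data[0] != 0x30 or data[pos] != 0x02:
            return None
        return int.from_bytes(data[start:start + n], "big"), data[start + n]
    except IndexError:
        return None

def probe_cldap(host: str, port: int = 389, timeout: float = 3.0) -> str:
    """Return 'reply', 'no-reply' (silently dropped), 'error' or 'unexpected'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))   # connected UDP socket surfaces ICMP errors
            s.send(build_rootdse_query(1))
            reply = parse_reply(s.recv(65535))
        except socket.timeout:
            return "no-reply"
        except OSError:
            return "error"
    return "reply" if reply and reply[0] == 1 and reply[1] in (0x64, 0x65) else "unexpected"
```

Run `probe_cldap()` against each domain controller from a host on the same network path as the ISE node; a result taken from a different segment says nothing about the firewall rules ISE traffic crosses. A `no-reply` result while TCP 389 connects is the pattern a dropped CLDAP UDP port produces.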
