ichacon00
Beginner

Network Authentication via ISE fails with error 40095

Recently we had a major power outage that knocked out all of our domain controllers. After power was restored and all of our servers came up, we noticed that we could no longer log in to our network gear. ISE showed that it was no longer joined to the domain. We've rejoined it, but the issue continues.


We are getting a ton of 

LsaDmConnectDomain: failed with error 40095

 

I've searched the internet for references to this error without success. I did find a reference to a bug specifically addressing multiple DCs rebooting at the same time, and the version we are running seems to fit.

 

Has anyone seen this error? If so, what was done to address the issue?

Thanks

Ivan Chacon

Accepted Solutions
Mohammed al Baqari
VIP Advisor

Hi,

If you go to external identity sources in ISE, what is the status of your
AD servers? Also try to run a test for one of your ADs and see what errors
you get.

This error code represents LW_ERROR_RPC_NETLOGON_FAILED, which is an error
authenticating with AD. So you need to investigate your DC environment.
It's highly likely not an ISE problem.

Thanks for the response. After we rejoined them they both show operational, and we are able to successfully test user authentications from the External Identity test user option. I will reach out to my AD team to see if they see anything in the logs, or can schedule another reboot of the PDC.

 

What do you think about completely removing ISE from the domain? Initially I picked the option to leave the domain but left the computer account.

 

Thanks again.

Panos Bouras
Beginner

Hi,

 

Could it be that ISE is trying to reach another DC that it doesn't have connectivity to? Or maybe the clock is not synchronized between your ISE and AD?

Ask your AD team to confirm if ISE is on the correct AD Site. Have a look at the following guide regarding ISE AD discovery.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.pdf

 

I remember that I had a case where ISE was trying to reach a specific AD DC but there was no network connectivity. We forced ISE to use a specific DC under AD Advanced Tuning.

Thank you, Panos.
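The two checks suggested in the reply above (DC reachability and clock synchronization) can be scripted per domain controller. This is an added example, not part of the original thread and not Cisco tooling. It assumes it is run from a host on the same network path as the ISE node with a trusted clock; the port list and the 300-second skew limit (the Kerberos default) are assumptions.

```python
import socket, struct, sys, time

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
AD_PORTS = {88: "kerberos", 135: "rpc", 389: "ldap", 445: "smb"}  # assumed subset
MAX_SKEW = 300.0         # assumption: Kerberos default tolerance of 5 minutes

def _ts(buf, off):
    """Decode a 64-bit NTP timestamp at offset `off` into Unix seconds."""
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_DELTA + frac / 2**32

def sntp_offset(reply, t1, t4):
    """Server-minus-local clock offset; t1/t4 are local send/receive times."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:
        raise ValueError("not an SNTP server reply")
    t2, t3 = _ts(reply, 32), _ts(reply, 40)   # server receive / transmit
    return ((t2 - t1) + (t3 - t4)) / 2

def probe_dc(host, timeout=2.0):
    """Live probe: which AD ports refuse TCP, and the DC's clock offset."""
    closed = []
    for port in AD_PORTS:
        try:
            socket.create_connection((host, port), timeout).close()
        except OSError:
            closed.append(port)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            t1 = time.time()
            s.sendto(b"\x1b" + 47 * b"\0", (host, 123))  # SNTP v3 client request
            reply, _ = s.recvfrom(512)
            offset = sntp_offset(reply, t1, time.time())
    except (OSError, ValueError):
        offset = None
    return closed, offset

def verdict(closed, offset):
    """Turn probe results into a list of findings for one DC."""
    problems = [f"{AD_PORTS[p]}/{p} unreachable" for p in closed]
    if offset is None:
        problems.append("no time reply")
    elif abs(offset) > MAX_SKEW:
        problems.append(f"clock skew {offset:+.0f}s")
    return problems or ["ok"]

if __name__ == "__main__":
    for dc in sys.argv[1:]:   # DC hostnames or IPs passed on the command line
        print(dc, verdict(*probe_dc(dc)))
```

Pass every DC in the domain as an argument; a DC that reports unreachable ports or a large skew is one to keep ISE away from, or to fix, before rejoining.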