Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1444
Views
5
Helpful
3
Replies

Network Authentication via ISE fails with error 40095

Go to solution
ichacon00
Beginner
Beginner

‎01-20-2021 02:06 PM

Recently we had a major power outage that knocked all of our domain controllers, after power was restored and all of our servers came up we noticed that we could no longer login our network gear. ISE showed that it was no longer joined to the domain. We've rejoined it, but the issue continues.


We are getting a ton of 

LsaDmConnectDomain: failed with error 40095

 

I've searched the internet for references to this error without success. I did find a reference to a BUG, specifically addressing multiple DCs rebooting at the same time and the version we are running seems to be fit. 

 

Has anyone seen this error? if so what was done to address the issue?

Thanks

Ivan Chacon

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
VIP
VIP

‎01-21-2021 12:13 AM

Hi,

If you go to external identity sources in ISE, what is the status of your
AD servers? Also try to run a test for one of your ADs and see what errors
you get.

This error code represents LW_ERROR_RPC_NETLOGON_FAILED which is an error
authenticating with AD. So you need to investigate your DC environment.
It's highly not ISE problem.

***** please remember to rate useful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mohammed al Baqari
VIP
VIP

‎01-21-2021 12:13 AM

Hi,

If you go to external identity sources in ISE, what is the status of your
AD servers? Also try to run a test for one of your ADs and see what errors
you get.

This error code represents LW_ERROR_RPC_NETLOGON_FAILED which is an error
authenticating with AD. So you need to investigate your DC environment.
It's highly not ISE problem.

***** please remember to rate useful posts
0 Helpful

Go to solution
ichacon00
Beginner
Beginner
In response to Mohammed al Baqari

‎01-21-2021 04:34 AM

Thanks for the response. After we rejoined them they both show operational, and we are able to successfully test user authentications from the External Identity test user option. I will reach out to my AD team to see if they see anything in the logs, or can schedule another reboot of the PDC.

 

What do you think about completely removing ISE from the domain, initially I picked the option to leave the domain but left the computer account?

 

Thanks again.

0 Helpful

Go to solution
Panos Bouras
Beginner
Beginner

‎01-25-2021 08:45 AM

Hi,

 

Could be that ISE is trying to reach another DC that doesn't have connectivity to? Or maybe clock is not synchronized between your ISE and AD?

Ask your AD team to confirm if ISE is on the correct AD Site, have a look on the following guide regarding ISE AD discovery.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.pdf

 

I remember that I had a case where ISE was trying to reach a specific AD DC but there was no network connectivity. We have forced ISE to use specific DC under AD Advanced Tuning.

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents