In my Cisco ISE deployment, I have:
- 1 Primary Admin / Secondary Monitoring Server
- 1 Secondary Admin / Primary Monitoring Server
- 1 Policy Server (up and running without any issues)
- 1 Policy Server (the one that has a problem right now).
After having reimaged it from ACS 5.2 to ISE 184.108.40.206, I registered it as a Policy Service Node. This was done successfully.
The Administration -> Deployment interface on the primary admin node shows that the PSN sync is COMPLETE.
However, no authentications are done on this server, and the Home page of the primary server shows a greyed icon with "no Data available".
Any idea?
A good start would be to log in to the CLI and issue a "show logging application ise tail" and see if there are any errors. Next I would try issuing a test AAA authentication from one of your network devices and point it to this PSN's IP address.
I would also check the "show application status ise" and compare it to the status of the PSN that does work.
*Please rate helpful posts*
The "show logging application ise tail" does not show much relevant information. There do not seem to be many errors, except things like this:
RadiusCommon,15/08/2013,13:20:32:038,WARN ,1258310544,NIL-CONTEXT,Failed to find VSAVendor with id 14179,RADIUSVSAParser.cpp:68
The 'show application status ise' shows the same status on the working PSN and the non-working PSN.
The full replication is running fine without error.
I saw that on my primary administration server, I have the status of all my deployment. And it shows the following:
- the first ISE server I added to the cluster has the "services" field to All
- the new ISE server I added to the cluster has the "services" field to "SESSION".
If I click on it, I can indeed see that the Profiler Service is not ticked, only the Session is ticked. However, when I registered my new server, I am 100% sure that I ticked the Profiler and the Session services, because I did it twice already.
However, I cannot tick it now because the option is grayed out.
Could that be the issue? How can I enable it now?
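The reply above suggests scanning the output of "show logging application ise tail" for errors. The following is an added example, not code from the thread or from Cisco; it is a small log triage script that assumes the comma-separated layout of the line quoted above (component, date, time, level, thread id, context, message, source location) and filters entries at or above a chosen severity, counting them per component so a WARN from RadiusCommon can be told apart from a burst of errors from the Profiler component. The sample log is constructed: the first line is the one quoted in the thread, the others are made up to exercise the filter.

```python
"""Triage helper for Cisco ISE application log lines (added example, not from the thread).

Assumes the comma-separated layout seen in `show logging application ise tail` output:
component, date, time, level, thread id, context, message, source location.
"""
from collections import Counter

# Constructed sample input: the first line is quoted from the thread, the rest are made up
# to exercise the filter (an ERROR, an INFO, and a line in an unexpected format).
SAMPLE_LOG = """\
RadiusCommon,15/08/2013,13:20:32:038,WARN ,1258310544,NIL-CONTEXT,Failed to find VSAVendor with id 14179,RADIUSVSAParser.cpp:68
Profiler,15/08/2013,13:20:33:101,ERROR,1258310544,NIL-CONTEXT,Probe start failed, retrying (constructed),Probe.cpp:12
RadiusCommon,15/08/2013,13:20:34:200,INFO ,1258310544,NIL-CONTEXT,Request processed (constructed),Radius.cpp:5
this line is not in the expected format
"""

# Ordering used to compare severities; levels other than these are treated as unparseable.
SEVERITY = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3, "FATAL": 4}


def parse_line(line):
    """Parse one ISE application log line into a dict, or return None if it does not fit."""
    parts = line.rstrip("\n").split(",", 6)  # first six fields never contain commas
    if len(parts) != 7:
        return None
    component, date, time, level, thread, context, rest = parts
    level = level.strip()  # the level field is padded, e.g. "WARN "
    if level not in SEVERITY:
        return None
    # The message may itself contain commas, so split the source location off the right end.
    message, sep, location = rest.rpartition(",")
    if not sep:
        return None
    return {
        "component": component,
        "date": date,
        "time": time,
        "level": level,
        "thread": thread,
        "context": context,
        "message": message,
        "location": location,
    }


def triage(text, min_level="WARN"):
    """Return (matching records, per-component counts, number of unparseable lines)."""
    threshold = SEVERITY[min_level]
    hits = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a count so silently dropped lines are visible
            continue
        if SEVERITY[rec["level"]] >= threshold:
            hits.append(rec)
    by_component = Counter(r["component"] for r in hits)
    return hits, dict(by_component), skipped


if __name__ == "__main__":
    hits, counts, skipped = triage(SAMPLE_LOG)
    for r in hits:
        print(f'{r["level"]:5} {r["component"]:14} {r["message"]} ({r["location"]})')
    print("per component:", counts, "| unparseable lines:", skipped)
```

Run it against a captured `show logging application ise tail` saved to a file by replacing SAMPLE_LOG with the file contents; raising `min_level` to "ERROR" hides warnings such as the VSAVendor one above, which the thread treats as noise, while still surfacing anything that would explain a PSN that accepts no authentications.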
To be on the safe side, I would back up your certs on the PSN, and reference your DB passwords.
I would de-register the node. If the node doesn't roll back to standalone mode, then reset the database.
If it works fine without resetting the DB, then re-register the node.
If you have to reset the DB, then enter your admin and user creds, restore the cert when it comes up, and then re-register the node, and when the node comes back up then activate your probes.
*Please rate helpful posts*
I tried that, also resetting the database, and then I registered the node. I observed the following.
When I register the node I take care to tick the boxes for the Session service and the Profiler service. Then the services restart on my box and all sync, the server appears on my primary ISE and displays that there is only the Session service. I cannot edit it as the Profiler service is grayed out.
I don't know if that's the issue or not but this did not happen on my other PSN that I could successfully register...
Many thanks for your help,
Thanks to Cisco TAC, we could solve the issue. I had exported the configuration from ACS to ISE using the Cisco MigTool. There was 1 item that ISE could not interpret correctly, the LDAP NAC Profiler. We removed that item and rebooted all ISE nodes, and it worked perfectly on all nodes !
The Cisco bug is: CSCub92347