07-20-2017 03:00 PM
Hi folks,
Just found something strange. we have distributed deployment: PAN and secondary PAN, and some PSNs.
we disabled internal CA service from PAN's GUI, but we noticed only 2nd PAN still has CA and EST running, the others all disabled.
Is this normal?
The version is 2.1 P3.
1stPAN/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 4833
Database Server running 115 PROCESSES
Application Server running 30994
Profiler Database running 7715
ISE Indexing Engine running 31714
AD Connector running 14034
M&T Session Database disabled
M&T Log Collector disabled
M&T Log Processor disabled
Certificate Authority Service disabled
EST Service disabled
SXP Engine Service disabled
TC-NAC Docker Service disabled
TC-NAC MongoDB Container disabled
TC-NAC RabbitMQ Container disabled
TC-NAC Core Engine Container disabled
VA Database disabled
VA Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
2ndpan/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 4773
Database Server running 122 PROCESSES
Application Server running 25942
Profiler Database running 21488
ISE Indexing Engine running 26438
AD Connector running 13464
M&T Session Database disabled
M&T Log Collector disabled
M&T Log Processor disabled
Certificate Authority Service running 31031
EST Service running 853
SXP Engine Service disabled
TC-NAC Docker Service disabled
TC-NAC MongoDB Container disabled
TC-NAC RabbitMQ Container disabled
TC-NAC Core Engine Container disabled
VA Database disabled
VA Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
Solved! Go to Solution.
07-20-2017 08:23 PM
i just did a search for bug list :
ISE CA service listed as running via CLI even though disabled in GUI
CSCvd02841
it seems start from v2.0
07-20-2017 06:42 PM
NIce one. I have the same on my ISE 2.2 patch 1. Doesn't seem right.
07-20-2017 08:19 PM
we are at 2.1 P3...
it looks like strange. when the 2nd PAN boot up, we can see everything is correct. But once Application server is running, CA service and EST are running too ....
07-20-2017 08:23 PM
i just did a search for bug list :
ISE CA service listed as running via CLI even though disabled in GUI
CSCvd02841
it seems start from v2.0
07-20-2017 08:44 PM
You are correct and it has not been addressed in any release yet.
07-24-2017 07:33 AM
Hi there,
Glad to see this issue was reported. I noticed a while back and it was on my list of items to follow up on. I saw after it I had upgraded from ISE 1.3 to ISE 2.0 patch 3. I'm currently on ISE 2.0 patch 5 and the issue still present.
What I did see was that when you do a failover to the secondary PAN that the CA service stop on secondary PAN (and all other services start correctly). But the CA services end up starting on the Primary PAN when it becomes the backup node.
Regards,
Sean
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide