Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6928
Views
5
Helpful
12
Replies

Synchronization failed after ISE register

Go to solution
Rps-Cheers
VIP
VIP

‎09-12-2018 07:46 PM

Hi ISE Expert:

Now,I am deploying two ISE in HA mode,I have set one ISE as the primary,and another ISE as the standalone.
I have config the same DNS server and NTP server on these ISE,the software version is also same.
ISE version:2.3.0.298

When i hit the "Register" button to registing a standalone ISE,it seems normal,and i can see the Secondary role on Secondary ISE.Then,i check the "Administration>Deployment" ,the Secondary ISE always in progress status,and after about 4 hours,it will failed,and have these info:
"Sync Node Registration or Sync failed.Please deregister and register the Status:node again"

I have tried to exchange two ISE role,also have rebooted two ISE several times.But,they're not helpful.

two ISEs connect to a Cisco switch,and i can display two ISEs by "show cdp nei".
So,i don't know that's why.Could you help me to analysis it?
Thanks a lot!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
1 person had this problem
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎09-12-2018 08:38 PM

Make sure both of the ISE nodes can talk to each other using DNS names. Make sure to use FQDN for DNS name and both forward and reverse DNS lookup works.

Here is an admin guide that talks about multinode deployment.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.pdf

 

-Krishnan

View solution in original post

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎09-12-2018 08:39 PM

Hi
Do you have the forward and reverse dns entry for both of them in your dns server? Timezone is correct?
On the second one, have you tried reconfiguring it using application reconfigure cli command over ssh and then try again?

Can you share the ADE.log please? On both ise, over ssh, you can run the show logging system command to view this file.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
12 Replies 12

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎09-12-2018 08:38 PM

Make sure both of the ISE nodes can talk to each other using DNS names. Make sure to use FQDN for DNS name and both forward and reverse DNS lookup works.

Here is an admin guide that talks about multinode deployment.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.pdf

 

-Krishnan

0 Helpful

Go to solution
Rps-Cheers
VIP
VIP
In response to kthiruve

‎09-12-2018 09:14 PM

hi kthiruve

thanks for your reply,i can ping each other ,including by ip address and dns address of two ise.whether i have to do a forward and reverse lookup on dns server?

BR
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎09-12-2018 08:39 PM

Hi
Do you have the forward and reverse dns entry for both of them in your dns server? Timezone is correct?
On the second one, have you tried reconfiguring it using application reconfigure cli command over ssh and then try again?

Can you share the ADE.log please? On both ise, over ssh, you can run the show logging system command to view this file.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Rps-Cheers
VIP
VIP
In response to Francesco Molino

‎09-12-2018 09:16 PM

Hi Francesco:

i will collect the info,and do i need do the forward and reverse dns lookup on dns server?but the timezone what i should set?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful

Go to solution
Rps-Cheers
VIP
VIP
In response to Jason Kunst

‎09-12-2018 10:07 PM

Hi Jason;

Whether i should config the reverse dns lookup on DNS server for two ISE device?
Is ther any config example?

Thanks a lot!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful

Go to solution
Rps-Cheers
VIP
VIP

‎09-12-2018 11:43 PM

Hello Everyone,

After i config reverse dns lookup on DNS Server,and retry to register,the Secondary will work well,and display "connected" status.thank you very much.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to Rps-Cheers

‎09-13-2018 09:16 PM

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Brian McPhillips
Level 1
Level 1
In response to Francesco Molino

‎04-03-2019 02:58 AM

I'm having a similar issue with secondary ISE node. It was registered for some time but has recently lost sync to the primary. I have check NTP, DNS, Reverse DNS and Certificates. i have also tried to reboot, de register/register, reset the m&t database, reset the ise config. All with the same result of no sync after 3 hours. Are there any other options apart from TAC at this stage?

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to Brian McPhillips

‎04-03-2019 04:26 AM

Sync works, and then fails after roughly three hours each time? And this is reproducible after rebooting the nodes? 

 

If so, any chance you have a firewall/proxy in the way that is aging out the TCP sessions?

 

0 Helpful

Go to solution
Brian McPhillips
Level 1
Level 1
In response to Nadav

‎04-03-2019 05:23 AM

Hi Nadav,

 

No there is no sync. I try to do a manual sync, the process starts and after 3 hours the error message will state Registration or sync has failed. Previously it had stated sync to the PAP had failed, since I have done a deregistration is stating the first error now. There are no firewalls in between.

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to Brian McPhillips

‎04-03-2019 06:12 AM

If that's the case then the advice and linked documentation provided in this thread should cover the requirements for registering a node.

 

Regarding certificates... since you have reinstalled the node then it may have a new certificate (unless you specifically demanded that it keep the old certificate during application reset).

 

Whilst you did say that you checked certificates, I'd check that under the PAN the old certificates for the same CN don't appear under "Trusted Certificates". If they do, delete the trusted certificates before trying to register the node. Assuming DNS records + FQDN provided in registration + NTP + no older certificates in trust store, the registration should be fine.

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents