Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1379
Views
1
Helpful
18
Replies

The operation took longer than expected.

Jason2005
Level 1
Level 1

‎04-23-2024 10:55 AM

I have just synchronized both Active Directory and Cisco ISE, ISE is using my server (AD) as an NTP server, everything is fine, but now I'm facing an issue "Status Summary: The operation took longer than expected. This may be caused by slow network connection or similar issues. Please check the connection tab status table and the AD Connector Report for details."

I could not understand the thing that is causing this issue.

Cisco ISE could resolve DNS names on server.

======> Only problem I could have and I'm not sure that it is the thing that is actually causing the issue is that my Windows Server clock is one hour forward Cisco ISE (They both have 1 hour difference in their clocks) despite that Cisco ISE is using my Windows Server as an NTP server.

=======> Please see attached image.

CiscoISE - Profiling [MAB] 

CiscoISE: Bug Search Tool におけるpatch番号の読み方 

CiscoISE policy applying on switch problem 

Preview file
36 KB
0 Helpful
18 Replies 18

marce1000
Hall of Fame
Hall of Fame

‎04-23-2024 11:19 PM

 

             - Make sure that ISE has active and correct PTR records (DNS) , for the AD nodes , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Jason2005
Level 1
Level 1
In response to marce1000

‎04-24-2024 01:02 AM

How could I check this? I do have a reversed zone, my windows server has an internal address of 192.168.50.2 and goes out to the internet with a 192.168.99.36 address, ISE have an address of 192.168.99.35, ISE does resolve names on my windows server.

On my Reversed DNS Zone, I have setted both 50.168.192.in-addr.arpa and 168.192.in-addr.arpa for global address.

Am I missing something ?

0 Helpful

marce1000
Hall of Fame
Hall of Fame
In response to Jason2005

‎04-24-2024 01:28 AM

 

                            >...Am I missing something ?
  - At first glance not ,other causes may be involved ; you can for instance check PTR records  with https://www.whatsmydns.net/
 yet this may not work  for private addresses , 

 M.
 



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Jason2005
Level 1
Level 1
In response to marce1000

‎04-24-2024 01:32 AM

Some guys told me to do a reboot for ISE Node in order to get it synchronized.

But I'm afraid of losing data when rebooting Cisco ISE Node.

Shall I use the command STOP APPLICATION ISE then type the command HALT in order to save configuration?

Or does making a direct REBOOT will work ?

0 Helpful

Aref Alsouqi
VIP
VIP

‎04-24-2024 01:38 AM

Hi Jason,

You mentioned that ISE and the AD have a time skew of an hour? if that is the case then this issue is most likely caused by that. If ISE has a time skew more than 5 minutes it would not be able to join the AD.

Regarding rebooting ISE, when you issue the command to reboot it, it would ask you if you want to save any unsaved configs. The  recommended steps would be "application stop ise" and then "reload". The "halt" command would be used if you want to shutdown ISE rather than reloading it.

0 Helpful

Jason2005
Level 1
Level 1
In response to Aref Alsouqi

‎04-24-2024 01:42 AM

I tried to set Windows Server clock manually (Cause I can't set it from ISE, reason is PATCH), but actually when trying to make the difference in time smaller, on the ISE GUI it shows a SKEW_ERROR.

0 Helpful

Aref Alsouqi
VIP
VIP
In response to Jason2005

‎04-24-2024 03:21 AM

You don't necessarily have to point ISE time to your domain controller, you can use any trusted public NTP server if you want. Try please to use a different NTP server on ISE, and once the time is in sync on both ISE and the AD ISE should join the AD just fine.

0 Helpful

thomas
Cisco Employee
Cisco Employee

‎04-24-2024 08:20 AM

@Jason2005 , Why are you linking to these other unrelated community articles and documents?

0 Helpful

Jason2005
Level 1
Level 1

‎04-24-2024 11:45 PM

@Aref Alsouqi Could that be ever related to Cerficate Authority ?

0 Helpful

Aref Alsouqi
VIP
VIP
In response to Jason2005

‎04-25-2024 01:56 AM

I don't think so because ISE doesn't rely on certificates to join the AD.

0 Helpful

Jason2005
Level 1
Level 1
In response to Aref Alsouqi

‎04-25-2024 03:09 AM

@Aref Alsouqi So I don't get it why he woldn't join

Please guys any solutions. 

Please I need your help.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Jason2005

‎04-25-2024 03:12 AM

If there are two endpoint one fast and other slow 

Then share the live log detail for both.

I have something in my mind and need to check

MHM

0 Helpful

Aref Alsouqi
VIP
VIP
In response to Jason2005

‎04-25-2024 03:50 AM

Did you fix the time skew issue between ISE and the AD? if not, that would most likely be the reason.

0 Helpful

Jason2005
Level 1
Level 1
In response to Aref Alsouqi

‎04-25-2024 07:25 AM

Cisco ise is not showing any skew error but I have a Time Out Error.

0 Helpful
Customers Also Viewed These Support Documents