Solved: Re: ISE 2.6 AD Join error - Error Name: LW_ERROR_CLOCK_SKEW Error Code: 40087 -

B0b-Lesher · ‎06-10-2020

Trying to join my 2 node lab deployment to my windows 2019 AD installation and I continue to get LW_ERROR_CLOCK_SKEW Error Code: 40087. I searched the threads and seen several solutions, for instance "set clock" to manually enter the time. This is not longer valid in 2.6. Also, when I check the time, it appears that the time is the same. How do I get beyond this error?

marce1000 · ‎06-11-2020

- From that output, I don't think your ISE is time-syncing with the AD-server, because there is only an asterisk on a link-local address. Try another NTP server or check this document :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119371-technote-ise-00.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

marce1000 · ‎06-11-2020

- Use an NTP server on both ISE and AD to sync time.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

B0b-Lesher · ‎06-11-2020

Initially I did and received the same error. Any other suggestions in regards to resolution or troubleshooting?

B0b-Lesher · ‎06-11-2020

How is it possible to have clock skew when I just configured both ISE nodes to use my active directory server as a time source?

iscream26mnt/admin# sh ntp
Configured NTP Servers:
192.168.118.3

synchronised to local net at stratum 11
time correct to within 1948 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 10 l 10 64 7 0.000 0.000 0.000
192.168.118.3 .LOCL. 1 u 3 64 7 0.405 -359946 6.837

* Current time source, + Candidate , x False ticker

Warning: Output results may conflict during periods of changing synchronization.

iscream26mnt/admin#

iscream26psn/admin# sh ntp
Configured NTP Servers:
192.168.118.3

synchronised to local net at stratum 11
time correct to within 1948 ms
polling server every 64 s

remote refid st t when poll reach delay offset jitter
==============================================================================
*127.127.1.0 .LOCL. 10 l 9 64 7 0.000 0.000 0.000
192.168.118.3 .LOCL. 1 u 2 64 7 0.553 -359825 7.493

* Current time source, + Candidate , x False ticker

Warning: Output results may conflict during periods of changing synchronization.

iscream26psn/admin#

marce1000 · ‎06-11-2020

- From that output, I don't think your ISE is time-syncing with the AD-server, because there is only an asterisk on a link-local address. Try another NTP server or check this document :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119371-technote-ise-00.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

B0b-Lesher · ‎06-11-2020

I followed that manual step by step and that fixed the issue!! Thank you!!

pkjn2011@gmail.com · ‎05-17-2021

Can you share the steps