
ISE Issue with DNS

joatman82 (Level 1)

Hello Techies,

I am facing a challenge while configuring ISE to join AD. Domain name lookup fails. DNS is working perfectly fine.

nslookup works fine on ISE for simple domain names, but on long domain names it fails, throwing the following error:

;; Truncated, retrying in TCP mode.

;; connection timed out; no servers could be reached

Upon searching on Google, many threads discuss that it is a common issue with Linux when multiple IPs are returned for a DNS query. The solution is to make static entries in:

/etc/resolv.conf

I am not able to find it in ISE, as it does not give access to the OS. I am running it on VMware.

Looking forward to your valuable inputs to resolve this.

Thanks

Accepted Solution

Tarik Admani (VIP Alumni)

Hi,

You will need to work this with TAC. I am not aware of any bugs regarding joining AD due to a long suffix, but it would be something to work with them on. Also, are there any ACLs or firewalls blocking TCP from ISE to the DNS environment?

Also check whether you can resolve the ISE hostname and its IP address (forward and reverse).

Thanks,

Tarik Admani
*Please rate helpful posts*
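The "Truncated, retrying in TCP mode" message is the stub resolver's normal behaviour rather than an ISE defect: a plain DNS reply over UDP (no EDNS0) is capped at 512 bytes, and an A query for an AD domain name returns one A record per domain controller, so a forest with dozens of DCs pushes the reply past the cap. The server then sets the TC bit, the resolver retries over TCP/53, and if the firewall between ISE and the DNS servers only permits UDP/53 that retry times out, which is exactly what the accepted answer asks about. The script below is an added example, not code from Cisco, ISE or this thread. It builds the DNS messages by hand with the Python standard library so the truncation can be reproduced offline, and it also contains a live UDP-then-TCP probe to run against a real resolver from a host in the same network segment as ISE (the ISE CLI itself will not run it). The domain corp.example.com and the 10.x.x.x addresses are constructed sample data; the 16 bytes per compressed A record is the wire size of the record as built here.

```python
"""Reproduce 'Truncated, retrying in TCP mode' offline and probe a real resolver.
Added example, not Cisco or ISE code.  Names and addresses are constructed."""
import random
import socket
import struct

UDP_LIMIT = 512      # classic DNS UDP payload limit when EDNS0 is not negotiated
TC_FLAG = 0x0200     # TrunCation bit in the header flags word


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def build_query(name, qtype=1, qid=None):
    """Standard query for `name` (QTYPE 1 = A) with RD set and no EDNS0 OPT record."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack('!HH', qtype, 1)


def parse_header(msg):
    """Header fields a client acts on: id, QR, TC, RCODE and the section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    return {'id': qid, 'qr': bool(flags & 0x8000), 'tc': bool(flags & TC_FLAG),
            'rcode': flags & 0x000F, 'qdcount': qd, 'ancount': an}


def question_end(msg):
    """Offset just past the (uncompressed) question section."""
    off = 12
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1 + 4          # terminating zero label + QTYPE + QCLASS


def build_answer(name, addrs, qid):
    """Simulate the reply to an A query for the AD domain name: one A record per DC.
    Each owner name is a compression pointer (0xC00C) back to the question name, so
    every record costs 2 + 10 + 4 = 16 bytes on the wire."""
    header = struct.pack('!HHHHHH', qid, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA
    question = encode_name(name) + struct.pack('!HH', 1, 1)
    rrs = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 600, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + question + rrs


def udp_truncate(msg, limit=UDP_LIMIT):
    """What a server sends over UDP when the full reply exceeds the limit: the answer
    section is dropped and TC is set, telling the client to retry over TCP."""
    if len(msg) <= limit:
        return msg
    qid, flags, qd, _, _, _ = struct.unpack('!HHHHHH', msg[:12])
    return struct.pack('!HHHHHH', qid, flags | TC_FLAG, qd, 0, 0, 0) + msg[12:question_end(msg)]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit big-endian length (RFC 1035 4.2.2)."""
    return struct.pack('!H', len(msg)) + msg


def dcs_that_fit(name, limit=UDP_LIMIT):
    """How many A records for `name` fit in one UDP reply before TC is set."""
    overhead = len(build_answer(name, [], 0))
    return (limit - overhead) // 16


def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('server closed the TCP stream early')
        buf += chunk
    return buf


def query_with_tcp_fallback(name, server, timeout=3.0):
    """Send the A query over UDP; on TC, retry over TCP/53 exactly as the stub resolver does.
    A TCP timeout or refusal here is the symptom seen on the ISE CLI."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        reply, _ = u.recvfrom(UDP_LIMIT)
    if not parse_header(reply)['tc']:
        return 'udp', reply
    try:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(tcp_frame(q))
            (length,) = struct.unpack('!H', _recv_exact(t, 2))
            reply = _recv_exact(t, length)
    except (socket.timeout, ConnectionError) as exc:
        raise RuntimeError('reply truncated over UDP and TCP/53 to %s failed: %s' % (server, exc))
    return 'tcp', reply


if __name__ == '__main__':
    domain = 'corp.example.com'                                      # constructed
    dcs = ['10.%d.%d.10' % (i // 256, i % 256) for i in range(50)]   # constructed DC addresses
    full = build_answer(domain, dcs, qid=7)
    wire = udp_truncate(full)
    print(len(full), 'bytes for', len(dcs), 'DCs; UDP reply sets TC =', parse_header(wire)['tc'])
    print('A records that fit without a TCP retry:', dcs_that_fit(domain))
```

For corp.example.com the reply overhead is 34 bytes, so 29 DCs fit in a UDP reply and the 30th forces the TCP retry; a "short" name with two DCs never trips this, which is why the symptom looked tied to the length of the name. To test the real path, call query_with_tcp_fallback('corp.example.com', '<dns server ip>') from a host subject to the same firewall policy as ISE: a RuntimeError naming TCP/53 is the rule to open.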

4 Replies

Thanks for your response. Port 53 (TCP) was opened on the firewall and voila, nslookup was able to resolve the hostname.

Now there is another challenge because of the huge environment. The Active Directory forest contains more than 50 child domain controllers. The policy is open for one particular hostname/IP, but authentication is not successful and ISE is not able to join the domain. Cisco forums say that ports for all servers should be open for ISE on the intermediate firewall, but that is a huge challenge for testing.

When I tried to give the FQDN of the specific server (the one to which ports are open on the firewall), it is not getting resolved either.

Please suggest.

jan.nielsen (Level 7)

If you add the ISE server's IP to a Sites and Services definition in AD, you can control which AD server it will try to join.

Jan is correct.

However, if your Sites and Services do not allow this flexibility, then your best bet would be to deploy your own DNS environment. Jan's suggestion is the better way, though, because ISE is very sensitive to DNS server changes, and I don't recommend this option if you are eventually deploying this for production.

Thanks,

Tarik Admani
*Please rate helpful posts*
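Jan's point about Sites and Services and the earlier complaint that "ports for all servers should be open" are two sides of the same problem: an AD member locates its domain controller through SRV records, and when the client's address falls inside a subnet that AD Sites and Services maps to a site, the site-scoped SRV names are tried first, so only that site's DCs are candidates for the join. Mapping the ISE subnet to a site whose DC is the one already permitted by the firewall therefore removes the need to open ports to all 50+ DCs. The script below is an added example, not code from Cisco, ISE or this thread. It prints the SRV names the locator will query (with and without a site) and probes, from a host behind the same firewall policy as ISE (the ISE CLI cannot run it), every port ISE needs toward one DC, separating a firewall drop (no reply) from a closed port (RST). The port list is an assumption drawn from Cisco's ISE Active Directory integration documentation and should be confirmed against the guide for your release; corp.example.com and the site name are constructed.

```python
"""Which DC a new AD member will be steered to, and whether the intermediate firewall
lets ISE reach the ports it needs on that DC.  Added example, not Cisco or ISE code."""
import socket

# Ports ISE needs toward the DC it joins.  Assumption: taken from the Cisco ISE
# Active Directory integration documentation; confirm against your release's guide.
AD_JOIN_PORTS = {
    'dns': [('tcp', 53), ('udp', 53)],
    'kerberos': [('tcp', 88), ('udp', 88)],
    'ldap': [('tcp', 389), ('udp', 389)],
    'smb/msrpc': [('tcp', 445)],
    'global-catalog': [('tcp', 3268)],
    'kpasswd': [('tcp', 464), ('udp', 464)],
    'ntp': [('udp', 123)],
}


def locator_srv_names(domain, site=None):
    """SRV names the DC locator queries, in order.  When the client's address lies in a
    subnet attached to a site in AD Sites and Services, the site-scoped names come
    first, so only that site's DCs are candidates for the join."""
    names = []
    if site:
        names.append('_ldap._tcp.%s._sites.dc._msdcs.%s' % (site, domain))
        names.append('_kerberos._tcp.%s._sites.dc._msdcs.%s' % (site, domain))
    names.append('_ldap._tcp.dc._msdcs.%s' % domain)
    names.append('_kerberos._tcp.dc._msdcs.%s' % domain)
    return names


def probe_tcp(host, port, timeout=2.0):
    """'open': handshake completed; 'closed': RST came back (host reachable, service down);
    'filtered': nothing came back, which through a firewall means a drop rule."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return 'open'
    except ConnectionRefusedError:
        return 'closed'
    except (socket.timeout, OSError):
        return 'filtered'


def probe_udp(host, port, timeout=2.0):
    """UDP has no handshake: on Linux an ICMP port-unreachable surfaces as ECONNREFUSED on
    a connected socket ('closed'); silence is either open or dropped ('open|filtered')."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b'')
            s.recv(1)
            return 'open'
        except ConnectionRefusedError:
            return 'closed'
        except (socket.timeout, OSError):
            return 'open|filtered'


def firewall_matrix(dc_host, ports=AD_JOIN_PORTS, timeout=2.0):
    """Probe every port ISE needs toward one DC: {service: [(proto, port, state), ...]}."""
    matrix = {}
    for service, entries in ports.items():
        matrix[service] = [
            (proto, port, (probe_tcp if proto == 'tcp' else probe_udp)(dc_host, port, timeout))
            for proto, port in entries]
    return matrix


def blocked_services(matrix):
    """Services with a TCP port that did not answer; UDP results are advisory only."""
    return sorted(service for service, results in matrix.items()
                  if any(proto == 'tcp' and state != 'open' for proto, _, state in results))


if __name__ == '__main__':
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else 'corp.example.com'   # constructed default
    site = sys.argv[2] if len(sys.argv) > 2 else None
    for name in locator_srv_names(domain, site):
        print('locator will query SRV', name)
    if len(sys.argv) > 3:                      # optional DC address to probe
        matrix = firewall_matrix(sys.argv[3])
        for service, results in sorted(matrix.items()):
            print(service, results)
        print('raise with the firewall team:', blocked_services(matrix))
```

Run it as `python3 dc_probe.py corp.example.com ISE-Site 10.0.0.10` from a test host in the ISE subnet: the first lines show the site-scoped SRV names that the Sites and Services subnet mapping makes the locator prefer, and the matrix shows which of the permitted DC's ports are actually reachable through the firewall. A 'filtered' TCP result on 389, 445 or 88 toward the one DC that is supposed to be open explains a failed join even after DNS works.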