Secondary ISE does not sync to Primary - suspecting certificate issues, but cannot renew self-signed cert on secondary due to the sync issue

deyanpanchev2
Level 1

Hello guys,

I am in a bit of a puzzle, more like Catch 22.

I have a very simple ISE 2.1 deployment: two VM servers on the same host and the same subnet (no firewall in between), running as Primary A/M and Secondary A/M personas on the two nodes. After a recent reload of the servers the Secondary Node is having sync issues with the Primary. It is still processing traffic OK, as we have not changed the configuration, but it is giving us sync issue alerts, and the Primary Node also cannot manually sync; the error is:

<Unable to sync node ise-corp-x-x. . Please check if the primary and this node are reachable from each other.>

Also, when trying to list the certificates on the Secondary Node I get the following error:

<Error loading certificates. Node not reachable at this time. Try again later.>

I did some reading, and on this same portal it is stated that problems with sync can be due to time issues/NTP, DNS or certificates. I have ruled out the first two: both ISE nodes have a proper clock and NTP setup, and the DNS setup is OK and works properly.

However, I have noticed that the certificate on the problematic secondary node (a self-signed certificate) had expired 2 weeks ago. That is visible from within the secondary node GUI, BUT with that version of ISE I cannot re-issue it from the secondary GUI nor change anything. I am supposed to reissue it from the primary node, but when trying to do so the process fails, as the Primary cannot talk to the secondary (the sync problem, despite everything being good and green under the deployment menu) and cannot even list the secondary server certificates, as mentioned above. I believe that the server certificates are used in that sync communication between the two (probably to do the encryption) and when one expired that broke it (after the restart). The problem is that I cannot reissue the certificate, due to the certificate being expired and there being no proper communication between the devices. Cisco documentation is very general and does not cover that case, and the customer is just in the process of renewing its support (takes time for them), so any advice is appreciated!

Was thinking of promoting the secondary to primary and then re-issuing the certificate, but that is a bit risky.

Thank you,

Regards,

Deyan
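The three causes the post works through (clock, DNS, certificate validity on each node) can be checked from an admin workstation with the openssl CLI. The script below is an added example, not from this thread or from Cisco, and it assumes only that openssl is installed; the host names, ports and file paths in it are placeholders. It generates throwaway self-signed certificates so that it runs offline, and `fetch_node_cert` shows how the same check would be pointed at a live node's admin port.

```shell
#!/bin/sh
# Added example (not from the thread): certificate-expiry check for ISE nodes.
# Assumes the openssl CLI. Host names, ports and file names are placeholders.
set -eu

# fetch_node_cert HOST PORT OUT_FILE
# Saves the certificate a node presents on its admin port, e.g.
#   fetch_node_cert ise-corp-secondary.example 443 secondary.pem
# Needs network access, so it is defined here but not called.
fetch_node_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# cert_status CERT_FILE WARN_DAYS
# Prints one of: unreadable, expired, expiring (valid now but not for
# another WARN_DAYS days), ok. Uses openssl's own -checkend comparison,
# so it works the same on GNU and BSD userlands.
cert_status() {
  if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    echo unreadable
  elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
}

# cert_summary CERT_FILE
# Prints subject, notBefore and notAfter; compare these against the clock
# shown on each node before blaming the certificate.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -dates
}

# --- constructed test data so the script runs offline ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
ISE_OK_CERT="$WORKDIR/ise-primary.pem"      # 365-day cert, stands in for a healthy node
ISE_SHORT_CERT="$WORKDIR/ise-secondary.pem" # 1-day cert, stands in for a cert about to lapse

# make_test_cert OUT_FILE DAYS COMMON_NAME: throwaway self-signed certificate
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/key.pem" -out "$1" \
    -days "$2" -subj "/CN=$3" >/dev/null 2>&1
}
make_test_cert "$ISE_OK_CERT" 365 ise-primary.example
make_test_cert "$ISE_SHORT_CERT" 1 ise-secondary.example

# Report both nodes with a 14-day warning window.
for f in "$ISE_OK_CERT" "$ISE_SHORT_CERT"; do
  echo "$f: $(cert_status "$f" 14)"
  cert_summary "$f"
done
```

Run it against the PEM files pulled from the primary and the secondary; a result of `expired` on the secondary is exactly the state the post describes, while `expiring` on either node is the point at which the renewal should be scheduled so the deployment never gets into that state.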

7 Replies

antienho
Level 1

Any update on this one? I have run into a similar situation.

Our thought is to force a resync of ISE02 to ISE01, which will force ISE02 to reboot. It seems there is no better way to force the certs to sync from the primary to the secondary ISE.

Antien

1. What is the error you are getting?

2. Are the certificates still valid and located in the Trusted Certificate store of the PRIMARY PAN ISE?

3. What is your version?

Yordan Yordanov
Level 1

Hi

Did you find a solution to this issue?

br

Instead of resurrecting OLD topics, you should create a new topic. This conversation is about ISE 2.1, hopefully, your version of ISE is MUCH newer.

My version is 2.4, patch 13.

This subject is exactly what my problem is.


Post specific errors that you are getting. However, your version is going into EoL

[Attached image: End of support.png]

@Yordan Yordanov In such case, please de-register 2nd ISE so it becomes standalone and then you should be able to update the certificate. After that, you may re-register it back to the deployment.
