Who Me Too'd this topic

Secondary ISE does not sync to Primary - suspecting certificate issues, but cannot renew self-signed cert on secondary due to the sync issue

deyanpanchev2
Level 1

Hello guys,

I am in a bit of a puzzle, more like a Catch-22.

I have a very simple ISE 2.1 deployment: two VM servers on the same host, same subnet (no firewall in between), running as Primary A/M and Secondary A/M personas on the two nodes. After a recent reload of the servers, the Secondary Node has been having sync issues with the primary. It is still processing traffic OK, as we have not changed the configuration, but it is giving us sync issue alerts, and the Primary Node also cannot manually sync. The error is:

<Unable to sync node ise-corp-x-x. . Please check if the primary and this node are reachable from each other.>

Also, when trying to list the certificates on the Secondary Node, I get the following error:

<Error loading certificates. Node not reachable at this time. Try again later.>

I did some reading, and on this same portal it is stated that problems with sync can be due to time issues/NTP, DNS or certificates. I have ruled out the first two: both ISE nodes have a proper clock and NTP setup, and the DNS setup is OK and works properly.

However, I have noticed that the certificate on the problematic secondary node (a self-signed certificate) had expired 2 weeks ago. That is visible from within the secondary node GUI, BUT with that version of ISE I cannot re-issue it from the secondary GUI, nor change anything. I am supposed to reissue it from the primary node, but when trying to do so the process fails, as the Primary cannot talk to the secondary (the sync problem, despite everything being good and green under the deployment menu) and cannot even list the secondary server's certificates, as mentioned above. I believe that the server certificates are used in the sync communication between the two (probably for the encryption) and that when one expired it broke the sync (after the restart). The problem is that I cannot reissue the certificate, due to the certificate being expired and there being no proper communication between the devices. Cisco documentation is very general and does not cover that case, and the customer is just in the process of renewing its support (which takes time for them), so any advice is appreciated!

I was thinking of promoting the secondary to primary and then re-issuing the certificate, but that is a bit risky.

Thank you,

Regards,

Deyan
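Since the expired certificate can only be seen from the secondary's GUI and cannot be listed from the primary, an outside-in check is useful. The following is an added example, not code from the original post: a POSIX shell script that fetches the certificate a node presents on its admin port and reports whether it has expired or is about to. The node names are placeholders, port 443 is assumed to be the admin port, and openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks from outside the ISE GUI whether the
# certificate a node presents on its admin port has expired or is about to expire.
# Assumes openssl is installed; the node names below are placeholders, and port 443 is
# assumed to be the admin port.

# Fetch the leaf certificate presented by HOST:PORT and print it as PEM.
fetch_cert() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Classify a PEM certificate file as "expired", "expiring" (within WARN_DAYS) or "ok".
# openssl x509 -checkend N exits non-zero when the certificate expires within N seconds,
# so no date parsing is needed and the check is portable across shells.
classify_cert() {
  pem=$1; warn_days=${2:-30}
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
}

# Report one node: status plus the certificate's notAfter date, or a retrieval failure.
report_node() {
  host=$1; port=${2:-443}
  tmp=$(mktemp)
  if fetch_cert "$host" "$port" > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
    status=$(classify_cert "$tmp" 30)
    enddate=$(openssl x509 -in "$tmp" -noout -enddate | cut -d= -f2)
    echo "$host: $status (notAfter=$enddate)"
  else
    echo "$host: could not retrieve certificate"
  fi
  rm -f "$tmp"
}

# Run against both admin nodes (placeholder names) when invoked with --run.
if [ "${1:-}" = "--run" ]; then
  for node in ise-primary.example.internal ise-secondary.example.internal; do
    report_node "$node" 443
  done
fi
```

Run it with `--run` from a host that can reach both nodes; a node reporting "expired" while the deployment page still shows green is exactly the state described above.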