01-25-2018 12:03 PM
Team,
I have a customer that has installed multiple distributed ISE deployments across the nation. Each deployment contains nodes from several different states, and my customer has strong concerns about configuring reverse DNS pointer records across their nationwide infrastructure, which includes many separate subnets. In total, there are 270 nodes. Configuring reverse DNS is recommended in the ISE admin guides, but without configuring it there does not seem to be an impact on normal RADIUS authentications, replication between nodes, or joining nodes to the deployment. However, if we try to examine endpoints or devices under the Context Visibility menu in 2.2 patch 5, we receive the following error:
Unable to load Context Visibility page. Ensure that reverse DNS lookup is configured for all Cisco ISE nodes in your distributed deployment in the DNS server. Exception: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];
We further document the need for reverse DNS in the release notes: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html#pgfId-700468.
Additionally, I understand that Elasticsearch needs reverse DNS configured for each host in the deployment in order to work properly, but do we have any enhancements on the roadmap whereby we won't rely on reverse DNS? Are there any other solutions apart from configuring reverse DNS?
Thank you,
Thomas
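Whatever the roadmap answer turns out to be, the immediate practical step is to confirm, for every node in the deployment, that the forward A record and the reverse PTR record agree before opening Context Visibility. The script below is an added example (it is not from the post above and not Cisco's own tooling): it resolves each node FQDN, looks up the PTR for the returned address, and flags nodes with no PTR or with a PTR that does not match the node name. The node names and addresses in the sample are constructed, and the sample resolvers stand in for a real DNS server so the script runs offline; pass the socket-based resolvers instead to check a live deployment.

```python
"""Check forward/reverse DNS consistency for a list of ISE node FQDNs.

Added example, not part of the original post. Node names, addresses and
the in-memory "DNS" tables below are constructed for illustration.
"""
import socket
from typing import Callable, Dict, List, Optional

ForwardResolver = Callable[[str], Optional[str]]  # fqdn -> IPv4 string or None
ReverseResolver = Callable[[str], Optional[str]]  # ip   -> PTR name or None


def socket_forward(fqdn: str) -> Optional[str]:
    """Resolve an A record with the system resolver (live DNS)."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def socket_reverse(ip: str) -> Optional[str]:
    """Resolve a PTR record with the system resolver (live DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is just the root label.
    return name.rstrip(".").lower()


def check_node(fqdn: str, forward: ForwardResolver, reverse: ReverseResolver) -> Dict[str, Optional[str]]:
    """Return a result dict for one node; status is OK, NO_A_RECORD, NO_PTR or PTR_MISMATCH."""
    result: Dict[str, Optional[str]] = {"node": fqdn, "ip": None, "ptr": None, "status": None}
    ip = forward(fqdd) if False else forward(fqdn)  # forward lookup first
    if ip is None:
        result["status"] = "NO_A_RECORD"
        return result
    result["ip"] = ip
    ptr = reverse(ip)
    if ptr is None:
        result["status"] = "NO_PTR"
        return result
    result["ptr"] = ptr
    # Forward-confirmed reverse: the PTR must name the same host we started from.
    result["status"] = "OK" if _norm(ptr) == _norm(fqdn) else "PTR_MISMATCH"
    return result


def check_deployment(nodes: List[str],
                     forward: ForwardResolver = socket_forward,
                     reverse: ReverseResolver = socket_reverse) -> List[Dict[str, Optional[str]]]:
    """Check every node and return one result dict per node, in input order."""
    return [check_node(n, forward, reverse) for n in nodes]


def failing_nodes(results: List[Dict[str, Optional[str]]]) -> List[str]:
    """Names of nodes whose reverse DNS is missing or inconsistent."""
    return [str(r["node"]) for r in results if r["status"] != "OK"]


# Constructed sample "zone data" standing in for a DNS server (hypothetical names).
SAMPLE_A: Dict[str, str] = {
    "ise-pan-1.example.com": "10.1.1.10",   # PTR present and matching
    "ise-psn-1.example.com": "10.2.2.20",   # PTR present but points at an old name
    "ise-psn-2.example.com": "10.3.3.30",   # no PTR record at all
}
SAMPLE_PTR: Dict[str, str] = {
    "10.1.1.10": "ise-pan-1.example.com.",  # trailing dot, as a zone file would show it
    "10.2.2.20": "ise-psn-1-old.example.com",
}


def sample_forward(fqdn: str) -> Optional[str]:
    return SAMPLE_A.get(fqdn)


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    for r in check_deployment(list(SAMPLE_A), sample_forward, sample_reverse):
        print(f"{r['node']:28} {r['ip'] or '-':12} {r['ptr'] or '-':28} {r['status']}")
```

Run it against a real deployment by passing the node FQDNs with the default socket resolvers; any node reported as NO_PTR or PTR_MISMATCH is one the DNS team needs to fix before the Context Visibility page will load. The check is only as good as the resolver the ISE nodes themselves use, so run it from a host that points at the same DNS servers configured on the nodes.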