(Cisco ISE distributed deployment does not work with split-domain configuration):
This fix addresses an issue users can experience while adding nodes to an existing distributed deployment. If the existing Cisco ISE nodes belong to different domains (or even different sub-domains), you may not be able to introduce new nodes to the deployment as designed. The primary cause of this failure involves Cisco ISE using the hostnames from different domains to resolve to the IP address rather than using the proper FQDN during registration.
Note: If all of your Cisco ISE nodes are deployed in the same domain, you can apply this patch using the standard Administrator user interface method. If your Cisco ISE nodes are deployed in different domains, however, you must install this patch on the Cisco ISE nodes via the administrator CLI. Once the patch has been applied on the deployment, you can then apply future patches using the standard Administrator user interface method.
I have added DNS entries in the respective DNS domains so each ISE can ping the other but not the FQDN (see captures below):
Set the ISE nodes to trust each other's certificates.
Below are some ping tests to validate the setup:
isedns1/admin# ping isedns2   => Initially, can't ping isedns2, as not in same domain.
% Error: Error invoking ping for the provided host

isedns1/admin# ping isedns1   => testing local host just to test dns is working
PING isedns1 (10.48.39.237) 56(84) bytes of data.
64 bytes from 10.48.39.237: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 10.48.39.237: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 10.48.39.237: icmp_seq=3 ttl=64 time=0.041 ms
64 bytes from 10.48.39.237: icmp_seq=4 ttl=64 time=0.036 ms
--- isedns1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.027/0.034/0.041/0.005 ms

isedns1/admin# ping isedns2
% Error: Error invoking ping for the provided host

isedns1/admin# ping isedns2.wlaaan2008.com   => testing FQDN of remote ISE
PING isedns2.wlaaan2008.com (10.48.39.238) 56(84) bytes of data.
64 bytes from 10.48.39.238: icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from 10.48.39.238: icmp_seq=2 ttl=64 time=0.467 ms
64 bytes from 10.48.39.238: icmp_seq=3 ttl=64 time=0.388 ms
64 bytes from 10.48.39.238: icmp_seq=4 ttl=64 time=0.494 ms
--- isedns2.wlaaan2008.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.320/0.417/0.494/0.069 ms
Wlaaan2003 Domain DNS Configuration
Wlaaan2008 Domain DNS Configuration
At this stage, although the registration completes successfully, the node is marked as unreachable, as we can see in the capture below:
Modifying the DNS configuration to make the setup work
The problem above is due to the fact that each ISE node creates a rule in its local firewall to allow the remote ISE node to connect to its database. This process ensures that only authorized devices can connect to the database; since the database is also protected by a password, this is an additional layer of security.
To build that rule, however, the node performs a DNS lookup using the short hostname of the remote ISE, and when that node is in a different domain, the lookup fails.
For reference, we can see the following entry in the ise-psc.log file (in Operations > Download Logs):
cpm.admin.infra.action.DeploymentEditAction- Ignoring exception during enableFirewalls java.net.UnknownHostException: isedns2
That's why we need to deregister the ISE node first: once DNS is fixed, the firewall script will work when the node is registered again.
On Wlaaan2003 DNS:
On Wlaaan2008 DNS:
So now both ISE nodes are added into each other's local domain. If you have a distributed deployment with more than two ISE nodes, you need to make sure that the Admin ISE nodes are able to look up every other ISE node by hostname, and that every other ISE node is able to look up the Admin ISE nodes.
If we register the ISE again, we can see that the replication works fine.
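The following script is an added example (not Cisco's code and not part of the original post) that turns the rule above into a pre-flight check you can run before registering nodes. It emulates the short-hostname lookup that the firewall script performs (the resolver on each node appending that node's own search domain), reports which A records each DNS zone is missing for the admin-to-node and node-to-admin lookups, and extracts the unresolvable hostname from ise-psc.log lines. The hostnames, IP addresses and domains are the ones from the ping output above; which node is the admin node, the zone contents and the sample log lines are constructed assumptions. The check generalizes to deployments with more than two nodes.

```python
"""Split-domain DNS pre-flight check for an ISE distributed deployment.

Added example, not Cisco code. Emulates the short-name lookup done by the
ISE firewall script, lists missing A records per zone, and pulls the failing
hostname out of ise-psc.log lines.
"""
import copy
import re
from typing import Dict, Iterable, List, Tuple

# Node inventory: hostname -> IP and the DNS domain the node lives in.
# Hostnames, IPs and domains come from the page's ping output.
NODES: Dict[str, Dict[str, str]] = {
    "isedns1": {"ip": "10.48.39.237", "domain": "wlaaan2003.com"},
    "isedns2": {"ip": "10.48.39.238", "domain": "wlaaan2008.com"},
}
ADMIN_NODES: List[str] = ["isedns1"]  # assumption: isedns1 is the admin node

# Constructed zone data: before the fix, each domain only knows its own node.
INITIAL_ZONES: Dict[str, Dict[str, str]] = {
    "wlaaan2003.com": {"isedns1": "10.48.39.237"},
    "wlaaan2008.com": {"isedns2": "10.48.39.238"},
}

Record = Tuple[str, str, str]  # (zone, hostname, ip)


def resolve_short_name(zones: Dict[str, Dict[str, str]], hostname: str,
                       search_domain: str):
    """Emulate 'ping <hostname>' on a node: the resolver appends the node's own
    search domain, so only an A record in that zone is found."""
    return zones.get(search_domain, {}).get(hostname)


def required_lookups(nodes: Dict[str, Dict[str, str]],
                     admins: Iterable[str]) -> List[Tuple[str, str]]:
    """Short-name lookups that must succeed: admin -> every other node and
    every other node -> admin (the rule stated in the post)."""
    pairs = set()
    for admin in admins:
        for other in nodes:
            if other != admin:
                pairs.add((admin, other))
                pairs.add((other, admin))
    return sorted(pairs)


def missing_records(zones: Dict[str, Dict[str, str]],
                    nodes: Dict[str, Dict[str, str]],
                    admins: Iterable[str]) -> List[Record]:
    """A records that must be added so every required lookup resolves to the
    right IP, sorted for deterministic output."""
    missing = set()
    for src, dst in required_lookups(nodes, admins):
        zone = nodes[src]["domain"]  # the zone src searches for short names
        if resolve_short_name(zones, dst, zone) != nodes[dst]["ip"]:
            missing.add((zone, dst, nodes[dst]["ip"]))
    return sorted(missing)


def apply_records(zones: Dict[str, Dict[str, str]],
                  records: Iterable[Record]) -> Dict[str, Dict[str, str]]:
    """Return a copy of the zones with the given A records added."""
    fixed = copy.deepcopy(zones)
    for zone, hostname, ip in records:
        fixed.setdefault(zone, {})[hostname] = ip
    return fixed


# Matches the enableFirewalls failure quoted from ise-psc.log in the post.
LOG_RE = re.compile(
    r"Ignoring exception during enableFirewalls\s+"
    r"java\.net\.UnknownHostException:\s*(\S+)")


def unresolved_hosts_from_log(lines: Iterable[str]) -> List[str]:
    """Hostnames the firewall script could not resolve, from log lines."""
    hosts = set()
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            hosts.add(match.group(1))
    return sorted(hosts)


# Constructed sample log lines in a loose ise-psc.log style; the middle line
# is the entry quoted in the post.
SAMPLE_LOG = [
    "cpm.admin.infra.action.DeploymentEditAction- Registering isedns2.wlaaan2008.com",
    "cpm.admin.infra.action.DeploymentEditAction- Ignoring exception during "
    "enableFirewalls java.net.UnknownHostException: isedns2",
    "cpm.admin.infra.action.DeploymentEditAction- Registration finished",
]

if __name__ == "__main__":
    print("unresolved in log:", unresolved_hosts_from_log(SAMPLE_LOG))
    todo = missing_records(INITIAL_ZONES, NODES, ADMIN_NODES)
    for zone, host, ip in todo:
        print(f"add A record in {zone}: {host} -> {ip}")
    print("after fix:", missing_records(apply_records(INITIAL_ZONES, todo),
                                        NODES, ADMIN_NODES))
```

Run as-is it lists the two records the post adds (isedns2 in the Wlaaan2003 zone, isedns1 in the Wlaaan2008 zone) and confirms nothing is missing afterwards; to use it for a real deployment, replace the NODES and ADMIN_NODES tables and feed the zone contents exported from your DNS servers.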