Node not able to join deployment

NetworkMonkey101 · ‎11-13-2024

I am unable to join a node to the deployment even though I am able to ping PAN to new node and vice versa? What could be stopping this?

Rob Ingram · ‎11-13-2024

@NetworkMonkey101 is DNS setup and working? Can you ping the FQDN?

Dustin Anderson · ‎11-13-2024

I would check this guide that the ports are open between the nodes for all communication.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7.html

ahollifield · ‎11-13-2024

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_7.html

dalbanil · ‎11-13-2024

As mentioned check the DNS, can you resolve from node a to node b with the command nslookup nodea.domain.com ? And also from node a to the node b? Finally, I'd highly recommend collecting a packet capture. Use the following documentation, it includes the ports for replication and synchronization:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_7.html

Replication and Synchronization

HTTPS (SOAP): TCP/443
Data Synchronization/ Replication (JGroups): TCP/12001 (Global)
ISE Messaging Service: SSL: TCP/8671
ISE internal communication: TCP/15672
Profiler Endpoint Ownership Synchronization/ Replication: TCP/6379

Aref Alsouqi · ‎11-14-2024

You seem to have a firewall in between these two ISE nodes. Just make sure please that you have all the required ports opened as mentioned by the others, or you can open up all the ports between these nodes on the firewall if they are in segregated secured segments and then look at the firewall logs to narrow down the policy based on the utilised ports you see on the logs.