Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE in High Availability (HA) mode.. Factors to look upon

We are setting up lab where we have installed 2 ISE on VM.  We  are deploying them in HA mode. While deploying them we are facing error  after registering ISE-2 with Primary ISE-1. Even after periodic refresh  of 'Sync' tab we are getting 'out of sync' Error. 

We have checked certificate which is bound correctly as we could register ISE-2 under primary ISE-1

TIme: Time on all the devices are synched up properly and are in UTC timezone.

What are the factors that play role for HA in ISE. Which things has to look upon while resolving the error.

---Securview Support

Everyone's tags (5)
7 REPLIES

ISE in High Availability (HA) mode.. Factors to look upon

Please check if ISE-1 resolves the hostname of ISE-2 and viceversa. You should check if both hostnames are in your DNS server.

PLease rate if it helps

New Member

Re: ISE in High Availability (HA) mode.. Factors to look upon

Hi Eduardoaliaga,

Thnaks for your reply. The answer to your question is yes, they are abe to resolve the hostname of eachother. ISE 2 has registered in ISE 1, but ISE 2 is not able to sync up with ISE 1.

ISE in High Availability (HA) mode.. Factors to look upon

How long did you wait after you saw this error? Also it can take some time (up to 20 minutes) before the nodes are fully registered.

If you issue "show application status ise" on the secondary node, what services are on? Also what personas are these nodes running?

Thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

ISE in High Availability (HA) mode.. Factors to look upon

Based on personal experience, I would say make sure the domain-name for both VM is the same.  For example

vm1.ad.abc.com and vm2.dir.abc.com (VM1 & VM2  as hostnames and ad.abc.com & dir.abc.com as domain names) didn't sync up during my testing with ISE 1.0 last december. The secondary  VM will register  with primany but wouldn't sync-up.

Cisco Employee

ISE in High Availability (HA) mode.. Factors to look upon

Prerequisites before Registering Secondary Nodes

http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.html#wp1136385

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**

ISE in High Availability (HA) mode.. Factors to look upon

Hello,

Please cross check your configuration with the below link. I hope this might help you in this.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html#wp1128454

Silver

ISE in High Availability (HA) mode.. Factors to look upon

Hello,

I went through your query and found some pre-requisite which would help in solving your query:-

Ensure that you have a second ISE node configured with the Administration persona before you can promote it to become your primary Administration ISE node.

•Before you configure the Administration ISE nodes for high availability, we recommend that you obtain a backup of the Cisco ISE configuration from the standalone node that you are going to register as a secondary Administration ISE node.

•Every ISE administrator account is assigned one or more administrative roles. To perform the operations described in the following procedure, you must have one of the following roles assigned: Super Admin or System Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.

5022
Views
5
Helpful
7
Replies
CreatePlease login to create content