We are deploying 2 x 3415 ISE appliances for a customer as a Primary/Secondary admin cluster. We are running Version 22.214.171.1249-5-93975. Everything was going to plan with the deployment and when we manually promoted the Secondary all worked well. We then attempted some testing prior to going into production. We simulated a switch port failure which in effect isolated our Primary ISE. We then promoted our Secondary ISE and resolved the switch issue so we then had both ISEs as Primary Admins. It would be good at this point to simply 'demote' the Secondary back to Secondary but this is not an option. We tried to break the cluster by de-registering the Secondary from the Primary. We then got into a situation where we couldn't fully break the cluster and the end result is that the secondary is showing a 500-Internal error (see attached) and we are unable to browse to the GUI. I suspect I need to re-image the secondary now and re-join it back to the cluster.
Is there anything documented as to how to recover from a situation when both appliances become Primary? You would think this should be fairly straightforward. Also, has anyone come across the 500-Internal error when attempting to log in to the appliance and, if so, how did you resolve it? From CLI all services are running.
Both appliances are on the same subnet so have full IP connectivity with each other. We're actually thinking that might be the issue. I'm going to re-image the secondary and form the cluster. I will re-do my testing but this time take the Primary offline as the secondary comes back up.
It might be a while until we can re-test but I'll let you know the results.