
ISE....uh.......No response from ISE node again...

jiyoung Kim
Level 1


What is up with No Response from ISE Node ??

Even though it sounds like the PSN node can't communicate with AD, it does authenticate and retrieve groups and attributes.

How can I fix this ?

Why is it saying 'No Response from ISE Node'?


Where exactly do you see the error message, when checking the AD connectivity? Please send me a screenshot showing the error.

Can you send me a screenshot from Administration > System > Deployment?

Most likely this would be a certificate issue in your case as well but we need to confirm that.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Team,

I ran into the same issue and found that it was related to the cert that was installed before 1.2. Basically my customer was using a SAN cert which was created by openssl. In our scenario we did not run into any issues with the cert during the upgrade, however we found that when we reset the db on one of the PSNs and then restored the cert from the 1.1.x instance of the same node, we then saw the cert error.

If you are using a cert that had a SAN where one of the DNS hostnames is not equal to the CN, then you will have to regenerate and re-install the cert. That was what caused my issue in my upgrade, and I am working with TAC to have a bug raised for this.

@Jatin - the ISE node unavailable message in the original post was in the AD settings, which doesn't add up because there is no cert validation for joining AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello,

In my case, I never used 1.1 and have always used 1.2 since the very beginning. I don't use SAN certificates and I don't use OpenSSL, so I don't really know what is going on.

David

rschwart
Level 1

I get the error attempting to join the AD. Here is the screen capture attached. Thanks for any help. Just found out my Cisco ISE rep was laid off this morning.

Here is one workaround and bug for the users that are having problems associating the other nodes. This doesn't fix all cases where a single-node deployment exists. Also, you may want to see if opening a TAC case could resolve this issue.

CSCud02566

Administration ISE node not able to join non-Administration ISE nodes to Active Directory

When Cisco ISE nodes are deployed in different domains or sub-domains and you attempt to join any Cisco ISE node (except another Administration ISE node) to Active Directory, the operation fails and returns a "No Response from ISE Node" error message.

To ensure the Active Directory join operation is successful, ensure that:

  • The Cisco ISE nodes in your deployment are not in different domains (e.g., Administration ISE node as pap1.sj.cisco.com, Policy Service node1: pdp1.hyd.cisco.com, Policy Service node2: pdp2.webex.com would cause this issue)
  • The Cisco ISE node you are trying to join to Active Directory is NOT another Administration ISE node
  • You are not trying to join Active Directory from the Administrator web portal on the Administration ISE node

Workaround: Go to the respective Administrator web portal on the non-Administration ISE node and join that node to Active Directory, instead of trying to join using the Administrator web portal on the Administration ISE node.

Tarik Admani
*Please rate helpful posts*

blenka
Level 3

It looks like a connectivity issue, or the NTP server is not synchronized.

Wouldn't you expect a different error? It seems if NTP is off you would see "joined but not connected..etc".

Thanks,

Tarik Admani
*Please rate helpful posts*

jaime.pedraza
Level 1

I had this problem in my lab environment too. To solve it I did the following:

  • Double-check clocks and timezones on the servers and ISE
  • Re-generate the self-signed certificate with the CN=servername.domain
  • Ensure that the firewall is allowing all the communications needed

My ISE version is 1.2 with patch version 2. The test AD is a Windows Server 2008 R2 with the same schema version.

To join the ISE to the domain I used an Administrator Domain user.

Hope it helps

Regards,

Jaime

Ryan Wolfe
Level 5

Hi All,

I am currently seeing this issue on a brand new installed ISE 1.2 node. It is currently in standalone mode and presenting this error when trying to join to Active Directory. There is no firewall in the path, NTP is synchronized, and we have tested with self-assigned and enterprise-issued certificates (the CA certs were also installed on the server).

I haven't installed any of the patches yet. I was hoping to wait until the servers were joined together in deployment. I will try that and see how it turns out. But I don't see that bug as being fixed in a patch. Will update with progress.

Has anyone else seen any progress on this issue?

Thanks,

Ryan

Harold Figueroa
Level 1

Hi, could someone who found the solution please comment?

Best Regards

Harold Figueroa

Harold,

For my issue, it turned out that something was corrupted in the AD components during install. The servers I was having this issue on were freshly installed. I was able to resolve the issue by reinstalling ISE.

This is most likely because I was restricted to installing to a VM via a client CD-ROM over the network. There was lots of room for error in the data transmission.

Good luck,

Ryan

miklos.andrasi
Level 1

Dear All,

After changing the domain in my environment I ran into the same problem. After that, I generated another valid certificate for the new FQDN and set it to be used for EAP and HTTPS.

After that, the issue was resolved.

Regards,

Miki
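
Several replies above point at naming mismatches: a SAN DNS name that differs from the CN, a CN that does not match the node's current FQDN, and nodes in different domains (CSCud02566). The following is an added example, not part of any post in this thread, that checks for those three conditions; the function names and the sample certificate text are constructed for illustration, and the input is assumed to be the text output of `openssl x509 -noout -subject -ext subjectAltName`.

```python
import re

# Constructed sample, in the shape printed by:
#   openssl x509 -in node.pem -noout -subject -ext subjectAltName
SAMPLE = """subject=C = US, O = Example, CN = ise-psn1.lab.example.com
X509v3 Subject Alternative Name:
    DNS:ise-psn1.lab.example.com, DNS:ise-old.example.net, IP Address:192.0.2.10
"""

def parse_openssl_text(text):
    """Return (cn, [dns_sans]) from openssl subject/SAN text, lowercased."""
    m = re.search(r"\bCN\s*=\s*([^,/\n]+)", text)
    cn = m.group(1).strip().lower() if m else None
    sans = [s.lower() for s in re.findall(r"DNS:([^,\s]+)", text)]
    return cn, sans

def domain_of(fqdn):
    """Everything after the first label: pdp1.hyd.cisco.com -> hyd.cisco.com."""
    return fqdn.lower().rstrip(".").partition(".")[2]

def audit(node_fqdn, cert_text, deployment_fqdns=()):
    """List the naming conditions reported in the thread for one node."""
    node = node_fqdn.lower().rstrip(".")
    cn, sans = parse_openssl_text(cert_text)
    findings = []
    if cn is None:
        findings.append("certificate subject has no CN")
    elif cn != node:
        findings.append(f"CN {cn} does not match node FQDN {node}")
    for san in sans:
        if cn is not None and san != cn:
            findings.append(f"SAN dNSName {san} differs from CN {cn}")
    # Hostnames are compared by domain suffix, as in the CSCud02566 description.
    domains = {domain_of(f) for f in (node, *deployment_fqdns)}
    if len(domains) > 1:
        findings.append("nodes span different domains: " + ", ".join(sorted(domains)))
    return findings

if __name__ == "__main__":
    for line in audit("ise-psn1.lab.example.com", SAMPLE):
        print("WARN:", line)
```

An empty list means none of the three conditions was found; it does not rule out the other causes mentioned in the thread, such as clock skew or a corrupted install.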
