Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE....uh.......No response from ISE node again...

1.png

What is up with No Response from ISE Node ??

Even though it sounds like the PSN node can't communicate with AD, it does authenticate and retrieving Groups, and attrbitues.

How can I fix this ?

why is it saying 'No Response from ISE Node ?

Everyone's tags (4)
26 REPLIES

ISE....uh.......No response from ISE node again...

Hi,

Is this in the Active Directory settings? If so, what are the hostnames of both nodes? ISE will continue to authenticate users based on the cache it has of AD, if you reboot the node then all authentications will fail. You may want to check and see if the computer account for ISE wasnt removed.

if this is in a lab environment you may need to check the status of the computer accounts and make sure there are still there.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE....uh.......No response from ISE node again...

I did not know the ISE makes cashes for authentcate users of AD.

also it was working fine, looked fine yesterday.

ISE....uh.......No response from ISE node again...

It will cache AD information such as user and groups. Also I would check dns settings..etc to see why the ise nodes are not connected to the AD domain.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

Re: ISE....uh.......No response from ISE node again...

the only thing I have changed is that certificate for EAP...

so I re-changed it to original one.

dns is working fine..

Plus.....when I try to retrieve AD group or attributes, it works...

New Member

Had the same issue,

Had the same issue, certificate had a typo, after adding correct certificate, problem was solved.

Cisco Employee

ISE....uh.......No response from ISE node again...

This issue can also arise if the Cisco ISE FQDN changes and/or the name of the

certificate imported on the client machine has changed.

Shut down or pause your Active Directory server and try to authenticate an user

to the network.

Ensure that your Active Directory domain and Cisco ISE are aligned to the same

NTP server source.

New Member

ISE....uh.......No response from ISE node again...

Hello,

I have the same problem. I integrated new servers in my ISE cluster and I also have this same message on three of them. On my secondary servers, the status is "CONNECTED" and if I do a test on the secondary server, it returns a Successful test, while the same from the primary on the secondary, it fails.

We don't have any FW or anything in between and all our ISE servers are pointing on the same NTP server.

Any advice ?

Many thanks,

David

New Member

Re: ISE....uh.......No response from ISE node again...

It might be the cetificate issue.

If you use wildcard mask certificate, try with SAN in your certificate.

I do not have the SAN in the wildcard mask certificate that I used for ISE.

I am going to test this on Friday.

New Member

ISE....uh.......No response from ISE node again...

Hi,

I have three servers fully ok and three others with the warning status "No Response from ISE Node".

We used for all servers the same mechanism to generate certificate. We don't use SAN, nor wildcard. We are using certificate with the CN of each ISE.

Any idea ?

David

ISE....uh.......No response from ISE node again...

Hi,

Can you guys check the communication in the deployment tab from the Admin node, lets see if the replication is still enabled.

Also what version of ISE are you on? If on 1.1.x please run the command "show logging application ise tail" that should give you a list of all the ise nodes to ip mappings. I have seen dns issues where stale or duplicate records for ise can cause issues where the admin nodes will pull the wrong dns information at time.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE....uh.......No response from ISE node again...

Hi,

Communication is fine between all ISE nodes, replications is COMPLETE for all nodes.

I am running 1.1.4.218 with Patch 4 on all servers.

I have 4 servers in my 8 servers-deployment that are in that strange AD status.

The command "show logging application ise tail" does not show bad things. The DisplayName is always equal to the HostName which is the same as the HostAlias (with the domain name). Please see below.é

Any ideas ?

David

------

Wed Sep 04 11:49:44 CEST 2013 : Poller wakeup...

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gcncsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gcncsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 9cec53f0-151f-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gcncsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gcncsl0001ise.na.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 9cec53f3-151f-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 9cec53f2-151f-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 9cec53f1-151f-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.97.32.223

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 9cec53f4-151f-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gcncsl0001ise.na.givaudan.com is not an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gcncsl0001ise.na.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gjucsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gjucsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 346a29c0-1177-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gjucsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gjucsl0001ise.ap.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 346a29c1-1177-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.32.67.223

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.254.0

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 346a29c2-1177-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 346a29c3-1177-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 346a29c4-1177-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gjucsl0001ise.ap.givaudan.com is not an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gjucsl0001ise.ap.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gmicsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gmicsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : af067300-10b4-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gmicsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gmicsl0001ise.na.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : af067304-10b4-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : af067302-10b4-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : af067301-10b4-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.96.67.223

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.252.0

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : af067303-10b4-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gmicsl0001ise.na.givaudan.com is not an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gmicsl0001ise.na.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gsrcsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gsrcsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 305e3f30-147c-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gsrcsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gsrcsl0001ise.ap.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 305e3f31-147c-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.32.128.223

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.255.0

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 305e3f32-147c-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 305e3f34-147c-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 305e3f33-147c-11e3-86da-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gsrcsl0001ise.ap.givaudan.com is not an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gsrcsl0001ise.ap.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : cf0e4260-b1a3-11e2-87c5-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0001ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0001ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : unknown

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : STANDBY

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : PRIMARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : cf0e4262-b1a3-11e2-87c5-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : cf0e4263-b1a3-11e2-87c5-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : cf0e4264-b1a3-11e2-87c5-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : cf0e4261-b1a3-11e2-87c5-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : 10.71.142.9

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : 255.255.255.0

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com is an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com has HA status STANDBY

Wed Sep 04 11:49:45 CEST 2013 : Enabling propagation...

Wed Sep 04 11:49:45 CEST 2013 : Checking node configuration...

Wed Sep 04 11:49:45 CEST 2013 : Enable MNT

Wed Sep 04 11:49:45 CEST 2013 : Enable PAP

Wed Sep 04 11:49:45 CEST 2013 : Disable PDP PROFILER SESSION

Wed Sep 04 11:49:45 CEST 2013 : Current/new node role status is PRIMARY PRIMARY

Wed Sep 04 11:49:45 CEST 2013 : HostConfig for standby MNT node exists: gvecsl0001ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0002ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0002ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 11ffc710-ee17-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0002ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0002ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : unknown

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : ACTIVE

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 11ffc712-ee17-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 11ffc713-ee17-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 11ffc711-ee17-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.71.142.10

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 11ffc714-ee17-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com is an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com has HA status ACTIVE

Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0002ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig for active MNT node exists: gvecsl0002ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0003ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0003ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : c532d1c0-0671-11e3-b3d7-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0003ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0003ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : c532d1c4-0671-11e3-b3d7-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : c532d1c3-0671-11e3-b3d7-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : c532d1c1-0671-11e3-b3d7-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.71.142.2

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : c532d1c2-0671-11e3-b3d7-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0003ise.emea.givaudan.com is not an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0003ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0004ise

Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0004ise

Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 86fe3b20-f53b-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0004ise

Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0004ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null

Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION

Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE

Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP

Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY

Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :

Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 86fe3b21-f53b-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.71.142.3

Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.255.0

Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0

Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 86fe3b24-f53b-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth3

Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 86fe3b23-f53b-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth2

Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 86fe3b22-f53b-11e2-a024-6cae8b66e764

Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null

Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null

Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth1

Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...

Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0004ise.emea.givaudan.com is not an MNT node

Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0004ise.emea.givaudan.com

Wed Sep 04 11:49:45 CEST 2013 : Node configuration has not changed - nothing updated

Wed Sep 04 11:49:45 CEST 2013 : Poller sleeping...

ISE....uh.......No response from ISE node again...

David,

Looks like you have child domains within your AD domain infrastructure. By any chance can you connect the entire AD infrastructure to the parent domain? I also assume these ISE servers are all talking to child domains within the same forest? Also do the ISE servers that are not connect have connectivity to the global catalog servers on port 3268?

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE....uh.......No response from ISE node again...

Hi,

Yes we are using child domains. But all our nodes have child domains, not only the 4 nodes with this warning messages. No, it is not possible to remove the child domain.

There are no FW at all between all our nodes so there is nothing that can prevent usage of port 3268.

I tried to deregister one of the node, to leave it from AD. Then I reset it to its default configuration, then I joined it to AD and registered it again, no more success...

I will open a Cisco TAC for that.

Best regards,

David

New Member

ISE....uh.......No response from ISE node again...

Did you get a solution to this problem. I just installed 1.2 on a NAC3315 and am having the same issue.

Thanks

Roger

Cisco Employee

ISE....uh.......No response from ISE node again...

Where exactly do you see the error message, when checking the AD connectivity? Please send me a screenshot showing the error.

Can you send me a screenshot from Administration > System > Deployment?

Most likely this would be a certificate issue in your case as well but we need to confirm that.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**

Re: ISE....uh.......No response from ISE node again...

Team,

I ran into the same issue and found that it was related to the cert that was installed before 1.2. Basically my customer was using a SAN cert which was created by openssl. In our scenario we did not run into any issues with the cert during the upgrade, however we found that when we reset the db on one of the PSNs and then restored the cert from the 1.1.x instance of the same node, we then saw the cert error.

If you are using a cert that had SAN where one of the dns hostnames is not equal to the CN then you will have to regenerate and re-install the cert. That was what caused my issue in my upgrade and I am working with TAC to have a bug raised for this.

@Jatin - the ISE node unavailable message in the original post was the AD settings, which doesnt add up because there is no cert validate for joining AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE....uh.......No response from ISE node again...

Hello,

In my case, I never used 1.1 and always used 1.2 since the very beginning. I don't use SAN certificates and I don't OpenCL so I don't really know what is going on.

David

New Member

Re: ISE....uh.......No response from ISE node again...

I get the eror attempting to join the AD. Here is the screen capture attached. Thanks for any help. Just found out my Cisco ISE rep was layed off this morning.

Re: ISE....uh.......No response from ISE node again...

Here is one workaround and bug for the users that are having problems associating the other nodes this doesnt fix all cases where a single node deployment exists. Also you may want to see if opening a tac case could resolve this issue.

CSCud02566

Administration ISE node not able to join non-Administration ISE nodes to Active Directory

When Cisco ISE nodes are deployed in different domains or sub-domains  and you attempt to join any Cisco ISE node (except another  Administration ISE node) to Active Directory, the operation fails and  returns a "No Response from ISE Node" error message.

To ensure the Active Directory join operation is successful, ensure that:

The  Cisco ISE nodes in your deployment are not in different domains (e.g.,  Administration ISE node as pap1.sj.cisco.com Policy Service node1:  pdp1.hyd.cisco.com, Policy Service node2: pdp2.webex.com would cause  this issue)

The Cisco ISE node you are trying to join to Active Directory is NOT another Administration ISE node

You are not trying to join Active Directory from the Administrator web portal on the Administration ISE node

Workaround   Go  to the respective Administrator web portal on the non-Administration  ISE node and join that node to Active Directory, instead of trying to  join using the Administrator web portal on the Administration ISE node.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE....uh.......No response from ISE node again...

It looks like connectivity issue or the NTP server is not synchronized.

ISE....uh.......No response from ISE node again...

Wouldn't you expect a different error, it seems if ntp is off you would see "joined but not connected..etc".

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE....uh.......No response from ISE node again...

I had this problem in my lab environment too. To solve it I did the following:

  • Double check clocks and timezones in servers and ISE
  • Re-generate the selfsigned certificate with the CN=servername.domain
  • Ensure that the firewall is allowing all the communications needed

My ISE version is 1.2 with patch version 2. The test AD is a Windows Server 2008 R2 with the same schema version.

To join the ISE to the domain I used an Administrator Domain user.

Hope it helps

Regards,

Jaime

New Member

ISE....uh.......No response from ISE node again...

Hi All,

I am currently seeing this issue on a brand new installed ISE 1.2 node. It is currently in standalone mode and presenting this error when trying to join to Active Directory. There is no firewall in the path, NTP is synchronized, and we have tested with self-assigned and enterprise issues certificates (the CA certs were also installed on the server).

I haven't installed any of the patches, yet. I was hoping to wait until the servers were joined together in deployment. I will try that and see how it turns out. But, I don't that bug as being fixed in a patch.. will update with progress.

Has anyone else seen any progress on this issue?

Thanks,

Ryan

New Member

ISE....uh.......No response from ISE node again...

Hi, someone that found the solution please could comment us.

Best Regars

Harold Figueroa

New Member

Re: ISE....uh.......No response from ISE node again...

Harold,

For my issue, it turned out to be something was corrupted in the AD components during install. The servers I was having this issue on were freshly installed. I was able to resolve the issue by reinstalling ISE.

This is most likely because I was restricted to installed to a VM via a client CD ROM over the network. There was lots of room for error in the data transmission.

Good luck,

Ryan

New Member

Dear All, After changing

Dear All,

 

After changing domain in my environment I ran into the same problem. After it I generated another valid certificate for this new FQDN I set it to be used for EAP and HTTPS.

After it the issue is resolved.

 

Regards,

Miki

4933
Views
4
Helpful
26
Replies
CreatePlease login to create content