Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

New ISE PSN Does Not Do Anything

Hello,

In my Cisco ISE deployment, I have:

- 1 Primary Admin / Secondary Monitoring Server

- 1 Secondary Admin / Primary Monitoring Server

- 1 Policy Server (up and running without any issues)

- 1 Policy Server (the one that has a problem right now).

After having reimaged it from ACS 5.2 to ISE 1.1.4.218, I registered it as a Policy Service Node. This was done successfully.

The Administration -> Deployment interface on the primary admin node shows that the PSN sync is COMPLETE.

However, no authentication are done on this server and the Home page of the primary server shows a greyed icon with "no Data available".

Any idea ?

Many thanks,

David

Everyone's tags (1)
7 REPLIES

New ISE PSN Does Not Do Anything

David,

A good start would be to login to the cli and issue a "show logging application ise tail" and see if there are any errors. Next I would try issuing a test aaa authentication from one of you network devices and point it to this PSNs ip address.

I would also check the "show application status ise" and compare it to the status of the psn that does work.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

New ISE PSN Does Not Do Anything

hi,

The "show logging application ise tail" does not show much relevant information. There does not seem to be much errors, except things like that:

RadiusCommon,15/08/2013,13:20:32:038,WARN ,1258310544,NIL-CONTEXT,Failed to find VSAVendor with id 14179,RADIUSVSAParser.cpp:68

The 'show application status ise' shows the same status on the working PSN and the non-working PSN.

Best regards,

David

New ISE PSN Does Not Do Anything

See if you can force a full replication and issue the show logging command on both the primary and the PSN and see if there are any errors.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

New ISE PSN Does Not Do Anything

Hi,

The full replication is running fine without error.

I saw that on my primary administration server, I have the status of all my deployment. And it shows the following:

- the first ISE server I added to the cluster has the "services" field to All

- the new ISE server I added to the cluster has the "services" field to "SESSION".

If I click on it, I can indeed see that the Profiler Service is not ticked, only the Session is ticked. However, when I registered my new server, I am 100% sure to have ticked the Profiler and the Session services, because I did it twice already.

However, I cannot tick it now because the option is grayed out.

May that be the issue ? How to enable that now ?

Many thanks,

David

New ISE PSN Does Not Do Anything

To be on the safe side, I would backup your certs on the psn, and reference your db passwords.

I would de register the node. If the node doesnt roll back to standalone mode, then reset the database.

If it works fine without resetting the db, then re-register the node

if you have to reset the db, then enter your admin and user creds, restore the cert when it comes up, and then re-register the node, and when the node comes back up then activate your probes.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

New ISE PSN Does Not Do Anything

Hi,

I try that by also resetting the database then I registered the node. I observe the following.

When I register the node I take care to tick the box the Session service and the Profiler service. Then the services restart on my box and all sync, the server appears on my primary ISE and displays that there is only the Session service. I cannot edit it as the Profiler service is grayed out.

I don't know if that's the issue or not but this did not happen on my other PSN that I could successfully register...

Many thanks for your help,

David

New Member

New ISE PSN Does Not Do Anything

Hi,

Thanks to Cisco TAC, we could solve the issue. I had exported the configuration from ACS to ISE using the Cisco MigTool. There was 1 item that ISE could not interpret correctly, the LDAP NAC Profiler. We removed that item and rebooted all ISE nodes, and it worked perfectly on all nodes !

The Cisco bug is: CSCub92347

David

594
Views
0
Helpful
7
Replies