Registering a second node - ISE 1.2
Hi guys,
I am trying to register a second node on my primary ISE node, but I get the following error:
Unable to authenticate ISE xxxx... Please check the server and the CA certificate configuration and try again.
I did import/export the certificates between the two ISEs.
They can ping each other by IP address and by FQDN.
Time zones are the same, but I have still not enabled NTP. (I think that may be the problem, although they have the same time.)
I did the import/export from the "Local Certificates" tab. I have not used a "Certificate Signing Request".
Does anyone know if something has changed in ISE 1.2 so that local certificates no longer work?
I also can't add my ISE to RFA, but this is another fight.
Any advice will be appreciated!
Good job on finding a solution to your problem and for taking the time to share it with everyone! (+5 from me) :)
For your first step: I really don't know why you had to perform this step. The username and password that you created during the initial installation (from the CLI) should have worked to join the secondary node.
For your second step: you're right, the FQDN must match or the cert will fail.
If your problem is resolved please mark it as "answered" :)
Similar Questions
-
Hi all
I would like to know how to set a timer so that, if both ISE nodes become unreachable, clients who are already authenticated stay authenticated until the specified time period expires. Is this a configurable option?
These commands are relevant to the above requirement:
radius-server dead-criteria time 5 tries 2
radius-server deadtime 10
Thank you
This command sets the reauthentication timer, while the session-timeout is sent down from the user's session.
I'd like to understand the business need for your scenario. Are you looking to extend the reauthentication timer if all RADIUS servers are dead? If so, the command below will allow a client onto a VLAN if the servers are dead... the order is...
authentication event server dead action authorize vlan xx
The following command will reauthenticate the port when the RADIUS server is alive again.
authentication event server alive action reinitialize
-
ASM disk added without scan on the second node
Hi all
Oracle Version: 11.2.0.3
I need a help for a problem with the addition of ASM disks.
It is a two-node RAC and a disk group was full.
A disk was available as UNUSED001, so we renamed it, ran a scan disk and added the disk to the diskgroup on node1.
But as we have not run scan disk on the second node, the name still shows as UNUSED001 and, assigned to the diskgroup, shows as MEMBER.
In addition, the renamed disk shows as MEMBER but is not attributed to any diskgroup.
Usually when this happens we have to restart the node to solve the problem, but I would like to know if this can be fixed without bouncing nodes.
I restarted the node and that fixed the issue.
Closing this thread.
Thank you guys.
-
Grid Infra configuration failed when running root.sh on the second node
Hello world.
I am a new guy in RAC environments. When trying to install Oracle RAC in a local environment, I had this problem:
- I ran root.sh successfully on the first node
- After that, on the first node, there are 3 virtual network interfaces created for the SCAN listening addresses
- After success on the first node, I tried to run this script on the second node, but this error occurred:
CRS-2676: Start of 'ora.DATA.dg' on 'dbnode2' succeeded
PRCR-1079 : Failed to start resource ora.scan1.vip
CRS-5017: The resource action "ora.scan1.vip start" encountered the following error:
CRS-5005: IP Address: 192.168.50.124 is already in use in the network
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0/grid/log/dbnode2/agent/crsd/orarootagent_root/orarootagent_root.log".
CRS-2674: Start of 'ora.scan1.vip' on 'dbnode2' failed
CRS-2632: There are no more servers to try to place resource 'ora.scan1.vip' on that would satisfy its placement policy
PRCR-1079 : Failed to start resource ora.scan2.vip
CRS-5017: The resource action "ora.scan2.vip start" encountered the following error:
CRS-5005: IP Address: 192.168.50.122 is already in use in the network
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0/grid/log/dbnode2/agent/crsd/orarootagent_root/orarootagent_root.log".
CRS-2674: Start of 'ora.scan2.vip' on 'dbnode2' failed
CRS-2632: There are no more servers to try to place resource 'ora.scan2.vip' on that would satisfy its placement policy
PRCR-1079 : Failed to start resource ora.scan3.vip
CRS-5017: The resource action "ora.scan3.vip start" encountered the following error:
CRS-5005: IP Address: 192.168.50.123 is already in use in the network
. For details refer to "(:CLSN00107:)" in "/u01/app/11.2.0/grid/log/dbnode2/agent/crsd/orarootagent_root/orarootagent_root.log".
CRS-2674: Start of 'ora.scan3.vip' on 'dbnode2' failed
CRS-2632: There are no more servers to try to place resource 'ora.scan3.vip' on that would satisfy its placement policy
start scan ... failed
FirstNode configuration failed at /u01/app/11.2.0/grid/crs/install/crsconfig_lib.pm line 9379.
/u01/app/11.2.0/grid/perl/bin/perl -I/u01/app/11.2.0/grid/perl/lib -I/u01/app/11.2.0/grid/crs/install /u01/app/11.2.0/grid/crs/install/rootcrs.pl execution failed
I tried again several times, but the problem was still there. Can you explain to me:
- Why, after running root.sh on the first node, were all SCAN IP interfaces created on this node? This is the reason why root.sh fails on the second node.
- How to solve this?
I use a local DNS server for the SCAN address, which resolves to 3 IPs, and I can run runcluvfy.sh successfully on both nodes.
Thanks in advance
PS:
I use two virtual machines in VMware. After running root.sh on the first node, I checked and found this funny information:
[oracle@dbnode1 sshsetup]$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:BC:43:1B
          inet addr:192.168.50.66  Bcast:192.168.50.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:febc:431b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:249814 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2956882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24913472 (23.7 MiB)  TX bytes:4369984705 (4.0 GiB)

eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:BC:43:1B
          inet addr:192.168.50.120  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr 00:0C:29:BC:43:1B
          inet addr:192.168.50.122  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:3    Link encap:Ethernet  HWaddr 00:0C:29:BC:43:1B
          inet addr:192.168.50.123  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:4    Link encap:Ethernet  HWaddr 00:0C:29:BC:43:1B
          inet addr:192.168.50.124  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0C:29:BC:43:25
          inet addr:192.168.29.10  Bcast:192.168.29.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:febc:4325/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:471 errors:0 dropped:0 overruns:0 frame:0
          TX packets:664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82216 (80.2 KiB)  TX bytes:107920 (105.3 KiB)

eth1:1    Link encap:Ethernet  HWaddr 00:0C:29:BC:43:25
          inet addr:169.254.75.201  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10626 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7942626 (7.5 MiB)  TX bytes:7942626 (7.5 MiB)
I think this is the cause of the failure on node 2.
UPDATE:
That is normal; I ignored it and the installation continued normally. Thank you all for your help.
-
Adding an RDM to the second node (W2K3) of MSCS virtual-machine nodes across physical hosts
Unable to find another thread on this.
When adding RAW disks to the second node in "Virtual Machines across physical hosts" (cluster across boxes),
VMware says to point the shared storage disks to the same location as the first node's shared storage disk*:
- Select "Use an existing virtual disk"...
- In the disk path, navigate to the location of the (quorum) disk specified for the first node
- Select the same virtual device node you chose for the first virtual machine's shared storage disks, i.e. SCSI (1:0)...
In other words, to add the RDM to mscs-node2, navigate to /vmfs/volumes/lun1/mscs-node1/mscs-node1_2.vmdk (mscs-node1_2-rdmp.vmdk).
For years we have directly added the RAW to the second node by specifying a new RDM disk, not an existing one; in general we do it directly from the host, not vCenter, and it seems to work fine.
As for which is the safest way: the official method can cause all sorts of problems if you need to unregister the RAW on the first node (here is where I found no official documentation).
Do you delete or keep the descriptor file? We tried to keep it, but ended up with several mappings to the .vmdk/rdmp.vmdk, so now this system has disk2_.vmdk / disk2_-rdmp.vmdk and disk4_.vmdk / disk4_-rdmp.vmdk pointing to the same RAW.
What really bothers me is safety; these are very important boxes. I prefer to continue to have the VMDK and rdmp.vmdk in separate datastores and not have this dependence on the head node.
Your comments please: we are reviewing the setup of MSCS clusters with separate RDM paths only; are there risks associated with this?
* Ref: "Setup for Microsoft Cluster Service and Failover Clustering - 4.1".
I realize there was an error in my logic.
When working with the primary node, if there is a requirement to unmap RAW drives (moving to another VMware cluster, cloning the system, etc.):
Take note of the location of all the rdmp.vmdks
Remove each RDM disk without deleting it
To add it back:
Add using "Use an existing virtual disk" (yes, I know it's bad, but once you create it the host now thinks it's virtual)
Navigate to the existing raw device mapping, which appears like a vmdk*, and add it using the former SCSI location
The graphical interface hides the descriptor
A virtual disk has a .vmdk and a -flat.vmdk
A RAW disk has a .vmdk and a -rdmp.vmdk (the flat file is replaced by the mapping)
A suggestion from one of my colleagues is to locate all the RAW in a single small datastore, so visibility of virtual machines with raw disks goes like this
-
root.sh fails on the second node with 'ora.asm -init' failed
Running the two root scripts completed on the first node, but on the second node I get:
[root@alvis oracle]# /home/oracle/app/11.2.0/grid/root.sh
Running Oracle 11g root.sh script...
The following environment variables are set as:
    ORACLE_OWNER= oracle
    ORACLE_HOME=  /home/oracle/app/11.2.0/grid
Enter the full pathname of the local bin directory: [/usr/local/bin]:
The file "dbhome" already exists in /usr/local/bin.  Overwrite it? (y/n)
[n]: y
   Copying dbhome to /usr/local/bin ...
The file "oraenv" already exists in /usr/local/bin.  Overwrite it? (y/n)
[n]: y
   Copying oraenv to /usr/local/bin ...
The file "coraenv" already exists in /usr/local/bin.  Overwrite it? (y/n)
[n]: y
   Copying coraenv to /usr/local/bin ...
Entries will be added to the /etc/oratab file as needed by
Database Configuration Assistant when a database is created
Finished running generic part of root.sh script.
Now product-specific root actions will be performed.
2012-05-11 11:19:58: Parsing the host name
2012-05-11 11:19:58: Checking for super user privileges
2012-05-11 11:19:58: User has super user privileges
Using configuration parameter file: /home/oracle/app/11.2.0/grid/crs/install/crsconfig_params
LOCAL ADD MODE
Creating OCR keys for user 'root', privgrp 'root'..
Operation successful.
Adding daemon to inittab
CRS-4123: Oracle High Availability Services has been started.
ohasd is starting
ADVM/ACFS is not supported on oraclelinux-release-6Server-2.0.2.i686
CRS-4402: The CSS daemon was started in exclusive mode but found an active CSS daemon on node betoracle, number 1, and is terminating
An active cluster was found during exclusive startup, restarting to join the cluster
CRS-2672: Attempting to start 'ora.mdnsd' on 'alvis'
CRS-2676: Start of 'ora.mdnsd' on 'alvis' succeeded
CRS-2672: Attempting to start 'ora.gipcd' on 'alvis'
CRS-2676: Start of 'ora.gipcd' on 'alvis' succeeded
CRS-2672: Attempting to start 'ora.gpnpd' on 'alvis'
CRS-2676: Start of 'ora.gpnpd' on 'alvis' succeeded
CRS-2672: Attempting to start 'ora.cssdmonitor' on 'alvis'
CRS-2676: Start of 'ora.cssdmonitor' on 'alvis' succeeded
CRS-2672: Attempting to start 'ora.cssd' on 'alvis'
CRS-2672: Attempting to start 'ora.diskmon' on 'alvis'
CRS-2676: Start of 'ora.diskmon' on 'alvis' succeeded
CRS-2676: Start of 'ora.cssd' on 'alvis' succeeded
CRS-2672: Attempting to start 'ora.ctssd' on 'alvis'
CRS-2676: Start of 'ora.ctssd' on 'alvis' succeeded
CRS-2672: Attempting to start 'ora.asm' on 'alvis'
CRS-5011: Check of resource "+ASM" failed: details at "(:CLSN00006:)" in "/home/oracle/app/11.2.0/grid/log/alvis/agent/ohasd/oraagent_oracle/oraagent_oracle.log"
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux Error: 2: No such file or directory
Process ID: 0
Session ID: 0 Serial number: 0
ORA-48108: invalid value given for the diagnostic_dest init.ora parameter
CRS-5011: Check of resource "+ASM" failed: details at "(:CLSN00006:)" in "/home/oracle/app/11.2.0/grid/log/alvis/agent/ohasd/oraagent_oracle/oraagent_oracle.log"
CRS-2674: Start of 'ora.asm' on 'alvis' failed
CRS-2679: Attempting to clean 'ora.asm' on 'alvis'
CRS-5011: Check of resource "+ASM" failed: details at "(:CLSN00006:)" in "/home/oracle/app/11.2.0/grid/log/alvis/agent/ohasd/oraagent_oracle/oraagent_oracle.log"
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux Error: 2: No such file or directory
Process ID: 0
Session ID: 0 Serial number: 0
CRS-5011: Check of resource "+ASM" failed: details at "(:CLSN00006:)" in "/home/oracle/app/11.2.0/grid/log/alvis/agent/ohasd/oraagent_oracle/oraagent_oracle.log"
CRS-2681: Clean of 'ora.asm' on 'alvis' succeeded
CRS-4000: Command Start failed, or completed with errors.
Command return code of 1 (256) from command: /home/oracle/app/11.2.0/grid/bin/crsctl start resource ora.asm -init
Start of resource "ora.asm -init" failed
Failed to start ASM
Failed to start Oracle Clusterware stack
To get to this point, I already had to do:
ls -la /tmp/.oracle/ /var/tmp/.oracle/ /usr/tmp/.oracle/ in another terminal, and as soon as I see the files appear I do
/bin/dd if=/var/tmp/.oracle/npohasd of=/dev/null bs=1024 count=1 because of the post (inappropriate ioctl) in https://forums.oracle.com/forums/thread.jspa?messageID=9579932
Any ideas?
OK, the default ORACLE_BASE is /home/oracle/app/oracle.
The directory does not exist on node2 and cannot be created, as /home/oracle/app is owned by root:oinstall; only root has write permission there and somehow it has not been created.
ASM runs as user oracle, so it cannot create the /home/oracle/app/oracle/diag/asm directory for ASM logs/traces on the 2nd node:
Try to create the directory /home/oracle/app/oracle manually with the appropriate permissions (oracle:oinstall, 755, the same as on node1).
Then run /home/oracle/app/11.2.0/grid/crs/install/rootcrs.pl -deconfig -force (to unconfigure the failed clusterware stack config).
Run root.sh again.
-
11gR2 RAC - Database Control - agent is not started on the second node
I have a new 2-node 11gR2 RAC system on RHEL5 64-bit; it's a testbed at the moment. I installed Database Control because at the moment I don't have a separate Grid Control server available for this configuration. After running DBCA, Database Control started fine and I could connect to the console and see the two available nodes. On a subsequent restart of the two nodes, I can start dbconsole from the first node, but the agent does not start on the second node. My understanding is that starting dbconsole on node 1 should start the agents on both nodes. Is this correct? I don't know why the agent is not running on the second node. How can I start it? In GC I could do emctl start agent, but apparently for Database Control this isn't an option.
Node1:
[oracle@node1 db_1]$ emctl status dbconsole
Oracle Enterprise Manager 11g Database Control Release 11.2.0.1.0
Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.
https://node1.com:1158/em/console/aboutApplication
Oracle Enterprise Manager 11g is running.
------------------------------------------------------------------
Logs are generated in directory /u01/app/oracle/product/11.2.0/db_1/node1_saastexd/sysman/log
[oracle@node1 db_1]$ emctl status agent
Oracle Enterprise Manager 11g Database Control Release 11.2.0.1.0
Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.
---------------------------------------------------------------
Agent Version : 10.2.0.4.2
OMS Version : 10.2.0.4.2
Protocol Version : 10.2.0.4.2
Agent Home : /u01/app/oracle/product/11.2.0/db_1/node1_clusterdb
Agent binaries : /u01/app/oracle/product/11.2.0/db_1
Agent Process ID : 18120
Parent Process ID : 18073
Agent URL : https://node1.xxx.com:3938/emd/main
Repository URL : https://node1.xxx.com:1158/em/upload/
Started at : 2010-04-27 16:49:17
Started by user : oracle
Last Reload : 2010-04-27 16:59:28
Last successful upload : 2010-04-27 17:04:34
Total Megabytes of XML files uploaded so far : 2.54
Number of XML files pending upload : 0
Size of XML files pending upload(MB) : 0.00
Available disk space on upload filesystem : 58.40%
Data channel upload directory : /u01/app/oracle/product/11.2.0/db_1/node1_clusterdb/sysman/recv
Last successful heartbeat to OMS : 2010-04-27 17:04:35
---------------------------------------------------------------
Agent is Running and Ready
Node 2:
[oracle@node2 oracle]$ emctl status agent
Oracle Enterprise Manager 11g Database Control Release 11.2.0.1.0
Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.
---------------------------------------------------------------
Agent is Not Running
I can see the following in sysman/log/emagent_perl.trc on the first node:
... line no. 75
maxRowCount.pl: Tue Apr 27 16:49:19 2010: ERROR: Max Count Value not set properly in file /u01/app/oracle/product/11.2.0/db_1/sysman/config/esa/database.properties line no. 77
I admit that I am more familiar with GC than DC, although not at all an expert. Any ideas?
You must start dbconsole on each node. The dbconsole will start the agent; there is no separate agent for dbconsole.
-
Error after running root.sh on the second node
Hello
I installed Clusterware on a 2-node system running RHEL 5.
I followed the prereqs and fixed all the errors I met.
After the installation of Clusterware, it asked me to run root.sh on all nodes.
When I ran root.sh on the second node
it gave this error:
Running vipca(silent) for configuring nodeapps
/home/oracle/crs/oracle/product/10/crs/jdk/jre//bin/java: error while loading
shared libraries: libpthread.so.0: cannot open shared object file:
No such file or directory
so I followed Metalink note 414163.1.
After that I called it a day.
In the morning I started both nodes
and started vipca on the second node.
It gave this error:
PRKH-1010: Unable to communicate with CRS services
I ran ps -ef | grep crs
root 3201 1 0 15:37 ? 00:00:00 /bin/sh /etc/init.d/init.crsd run
crsctl check crs gave
Failure 1 contacting CSS daemon
Cannot communicate with CRS
Cannot communicate with EVM
What should I do to start these services?
Raw device ownership is changed back to root after a reboot, which is why it's usual practice to add chown/chmod to /etc/rc.local, for example:
chown oracle:oinstall /dev/sde1
chown oracle:oinstall /dev/sdf1
chmod 600 /dev/sde1
chmod 600 /dev/sdf1
-
RAC: cannot start the DEV database on the second node after clone from PROD
2-node RAC
Instance 1: DEV11
Instance 2: DEV12
Database version: 10.2.0.5.0
OS: RHEL 5.5
After cloning the database, we can only bring up the database on node 1. After starting the database in instance DEV11, we cannot bring up the database in instance DEV12. After starting the database in DEV12, we cannot bring up the database in DEV11.
We receive an error ORA-00600 message.
SQL> startup;
ORACLE instance started.
Total System Global Area 4429185024 bytes
Fixed Size                  2102032 bytes
Variable Size            1191185648 bytes
Database Buffers         3221225472 bytes
Redo Buffers               14671872 bytes
ORA-00600: internal error code, arguments: [kccsbck_first], [2], [1523689643],
[], [], [], [], []
We went through the following notes:
ORA-600 [kccsbck_first] - what to check [ID 157536.1]
Bug 2646914: ORA-600 [KCCSBCK_FIRST], [2] IF ORACM & ORACLE HAVE BEEN RESTARTED ON A NODE
DIAGNOSTIC TEST:
On the failed node, alert.log has a line which reads: "this instance was first to mount". This is not true. The DB has been mounted on the other node.
Bouncing the instance on the other node does not solve our problem.
Also ran the following on both nodes, but that didn't help either:
crsctl stop crs
crsctl start crs
Any advice would be appreciated... Thank you!
See if the following Metalink docs can help you. Otherwise, please open an SR with Oracle.
1. ORA-600 [kccsbck_first] - what to check [ID 157536.1]
2. Startup (mount) of 2nd RAC instance fails with ORA-00600 [kccsbck_first] [ID 395156.1]
Thank you
http://swervedba.WordPress.com/
-
HA: host down, VMs not restarted on the second node
Hello...
I'm testing ESXi 5 and I have a problem with HA.
I configured a cluster with two hosts in it.
Cluster name - CLUSTER
Host 1 - name VMWARE0 - IP 10.0.0.9 (Master - vMotion Enabled) - Dell PowerEdge R715 - AMD Opteron 6136 - 64 GB of RAM
Host 2 - name VMWARE1 - IP 10.0.0.10 (Slave - vMotion Enabled) - Dell PowerEdge R715 - AMD Opteron 6136 - 64 GB of RAM
I used "Reconfigure for vSphere HA" on both hosts.
There are no virtual machines in production, only tests so far.
But when I reboot VMWARE0, the powered-on virtual machines are moved to VMWARE1 in the powered-off state, and they are not started automatically.
When VMWARE0 finishes rebooting, all the virtual machines come back and are then started according to the "Virtual Machine Startup/Shutdown" configuration on the host.
Is there a bug that needs to be fixed, or am I doing something wrong?
vCenter Server and vSphere Client - Version 5.0.0 - build - 455964
ESXi - 5.0.0 - 20120302001
Thank you very much...
No, the virtual machines will not migrate back once the host is up and running again. This must be done manually. If you have DRS in place, DRS can choose this host for recently powered-on VMs (initial placement) or migrate virtual machines onto that host in case the other host is overloaded.
Greetings from Germany
André
-
Changing the IP address of ISE 1.2 Administration nodes?
Hello world.
Currently I don't have the means to simulate this (it would mean creating multiple virtual machines to test, and I do not have access to that much memory and disk space).
I currently have a 6-node ISE deployment, with 2 central nodes (Administration and Monitoring) and 4 PSNs scattered around the country.
The customer needs to move the central nodes to their data center, and that will mean changing the IPs of both nodes.
What are the steps to do this? I've searched and couldn't find anything conclusive.
My idea is this:
1. Take the secondary node and deregister it from the deployment.
2. Change the secondary IP address (regenerate the cert if necessary).
3. Change the DNS record for the secondary admin node.
4. Move the secondary to the data center.
5. Power on the secondary admin node.
6. Register the secondary admin node.
7. Promote the secondary admin node to primary.
8. Repeat the steps for the primary (now secondary) node.
Of course, in the meantime I have to change the IP addresses of the RADIUS servers on all WLCs and switches.
Will this work? Are there additional aspects I need to consider?
Thanks in advance.
Dear Sir,
Your proposed plan seems logical, but you must take care of the following:
"If you have registered a secondary Administration node (the new primary) after registering secondary Cisco ISE Policy Service and Monitoring nodes, you must restart the secondary Cisco ISE nodes that were registered before the secondary Administration node was registered."
Quoted from ... http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_use.
Thus, after step 7, you need to restart the 4 PSNs so that they communicate with the admin node AGAIN.
-
ISE: unable to register a node
Hi all
We are trying to integrate a new ISE node as a PSN into our current deployment. When we try to register it, we get the error messages below. Has someone faced the same issue? We also need clarity on these error messages.
When trying to register with the IP address, we get the error message below:
Cannot authenticate ISE secondary_ise_name. Please check the server and the configuration of the CA certificate and try again.
When trying to register with the FQDN, we get the error message below:
FQDN "XYZ.local.com" could not be resolved. Please check your DNS configuration.
We need clarity on whether this is a DNS issue or a certificate issue.
Kind regards
Avinash
Hello
Please ensure that your FQDN can be resolved by your ISE.
For this you must add the entry on your DNS server.
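The two registration threads above (the first one on this page and this one) hinge on the same three conditions: the secondary's FQDN must resolve, its admin certificate must carry that exact FQDN (registering by IP cannot satisfy a name-based certificate), and the two clocks must agree. The following is an added example, not Cisco's code or the posters' own; it runs those checks offline against a constructed resolver table and constructed certificate summaries, and the hostname matching follows RFC 6125 rules rather than anything the page states.

```python
"""Pre-registration checks for joining a secondary node to an ISE deployment.

Added example, not Cisco's code: it reproduces the three conditions the
registration threads turn on (the secondary's FQDN must resolve, the
node's admin certificate must carry that exact FQDN, and the two clocks
must agree) against a constructed resolver table and constructed
certificate descriptions. Nothing here talks to a real ISE node.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the deployment's DNS server (name -> address).
FAKE_DNS = {"ise02.example.local": "10.0.0.12"}

# Constructed "now" on the primary, and a secondary whose clock is 20 min off.
NOW = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)
SKEWED = NOW + timedelta(minutes=20)

# Constructed admin-certificate summaries (what a certificate viewer shows).
GOOD_CERT = {"subject_cn": "ise02.example.local",
             "san_dns": ["ise02.example.local"],
             "not_before": NOW - timedelta(days=30),
             "not_after": NOW + timedelta(days=335)}
# Issued to the short hostname only: the "FQDN must match" failure.
SHORT_NAME_CERT = dict(GOOD_CERT, subject_cn="ise02", san_dns=[])


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, and a wildcard is
    honoured only as the entire leftmost label with at least two labels
    after it (so '*.local' never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate is valid for: SAN dNSName entries when present,
    otherwise the subject CN, which is how TLS clients evaluate it."""
    san = cert.get("san_dns") or []
    return list(san) if san else [cert.get("subject_cn", "")]


def precheck(target: str, cert: dict, secondary_time: datetime,
             primary_time: datetime, resolver=FAKE_DNS, max_skew=300) -> list:
    """Return a list of findings; an empty list means registration should
    get past the DNS / certificate / clock hurdles seen in the threads."""
    findings = []
    try:
        ipaddress.ip_address(target)
        findings.append(f"TARGET: {target} is an IP literal; the certificate is "
                        "issued to a name, so register by FQDN instead")
    except ValueError:
        if target not in resolver:
            findings.append(f"DNS: {target} does not resolve; add an A record "
                            "for the secondary before registering")
    names = cert_names(cert)
    if not any(hostname_matches(n, target) for n in names):
        findings.append(f"CERT: none of {names} matches {target}; reissue the "
                        "admin certificate with the FQDN in the SAN")
    if not cert["not_before"] <= primary_time <= cert["not_after"]:
        findings.append("CERT: certificate is outside its validity period")
    skew = abs((secondary_time - primary_time).total_seconds())
    if skew > max_skew:
        findings.append(f"TIME: clock skew of {skew:.0f}s exceeds {max_skew}s; "
                        "point both nodes at the same NTP source")
    return findings


if __name__ == "__main__":
    cases = [
        ("by FQDN, good cert", "ise02.example.local", GOOD_CERT, NOW),
        ("by IP, good cert", "10.0.0.12", GOOD_CERT, NOW),
        ("by FQDN, short-name cert, NTP off", "ise02.example.local", SHORT_NAME_CERT, SKEWED),
        ("unknown FQDN", "ise03.example.local", GOOD_CERT, NOW),
    ]
    for label, target, cert, sec_time in cases:
        print(label, "->", precheck(target, cert, sec_time, NOW) or ["OK"])
```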
-
ISE node failure & pre-authorization ACL
Hi all
I would like to know what the best practice should be for the following configuration.
(1) Access for network devices/end users if both ISE nodes become unreachable? How can we ensure that full network access is granted if the two ISE nodes become unavailable?
(2) What is the best practice for setting up a pre-authorization ACL if IP phones are also in the network?
Here is the port configuration and the pre-authorization ACL which I use in my network:
interface Fa0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 40
 ip access-group ISE-ACL-DEFAULT in
 authentication event fail action authorize vlan 30
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x tx-period 5
*****************************************
ip access-list extended ISE-ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS and domain controllers
 permit ip any host 172.22.35.11
 permit ip any host 172.22.35.12
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark deny all
 deny ip any any log
Thanks & best regards,
Guelma
Hello
On question 1: since you use "authentication host-mode multi-domain", then "authentication event server dead action authorize vlan X" is the way to go.
But if you use "authentication host-mode multi-auth", then you should use "authentication event server dead action reinitialize vlan X".
On question 2: it is not mandatory to use a pre-authorization ACL. My current deployment has IP phones; since I use profiling with CDP and RADIUS, ISE can detect and allow the IP phones even if the switch blocks all packets. That's why I didn't need a pre-authorization ACL.
Please rate if this can help.
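The dead-server behaviour the question and answer above discuss can be audited mechanically from the running configuration. The following is an added example, not Cisco's or the posters' code: it parses an interface block (the sample is constructed from the question's own lines), reads the host-mode, checks that the "server dead" action is the one the answer pairs with that host-mode, that a "server alive" action is present, and reports where the fail-open VLAN lands relative to the access VLAN.

```python
"""Audit an IOS 802.1X/MAB port for its behaviour when the RADIUS (ISE)
servers are dead, following the pairing given in the answer above.

Added example, not Cisco's or the poster's code. The interface text is a
constructed sample mirroring the question; the host-mode to dead-action
pairing (authorize for multi-domain, reinitialize for multi-auth) is the
one the answer states.
"""
import re

# Constructed sample, mirroring the port configuration in the question.
SAMPLE_PORT = """\
interface FastEthernet0/1
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 40
 ip access-group ISE-ACL-DEFAULT in
 authentication event fail action authorize vlan 30
 authentication event server dead action authorize vlan 30
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x tx-period 5
"""

# Same port with the host-mode from the answer's second case.
MULTI_AUTH_PORT = SAMPLE_PORT.replace("multi-domain", "multi-auth")

# Dead-server action each host-mode should use, per the answer above.
EXPECTED_DEAD_ACTION = {"multi-domain": "authorize", "multi-auth": "reinitialize"}

PATTERNS = {
    "access_vlan": r"switchport access vlan (\d+)",
    "voice_vlan": r"switchport voice vlan (\d+)",
    "host_mode": r"authentication host-mode (\S+)",
    "dead": r"authentication event server dead action (authorize|reinitialize) vlan (\d+)",
    "alive": r"authentication event server alive action (reinitialize)",
    "pre_auth_acl": r"ip access-group (\S+) in",
}


def parse_port(config: str) -> dict:
    """Pull the fields the audit needs out of one interface block."""
    port = {"access_vlan": None, "voice_vlan": None, "host_mode": None,
            "dead_action": None, "dead_vlan": None, "alive_action": None,
            "pre_auth_acl": None}
    for raw in config.splitlines():
        line = raw.strip()
        for key, pat in PATTERNS.items():
            m = re.fullmatch(pat, line)
            if not m:
                continue
            if key == "dead":
                port["dead_action"], port["dead_vlan"] = m.group(1), int(m.group(2))
            elif key == "alive":
                port["alive_action"] = m.group(1)
            elif key in ("access_vlan", "voice_vlan"):
                port[key] = int(m.group(1))
            else:
                port[key] = m.group(1)
    return port


def audit_dead_server(config: str) -> list:
    """Return findings about how this port behaves with every ISE node down."""
    port = parse_port(config)
    findings = []
    mode = port["host_mode"]
    if port["dead_action"] is None:
        findings.append("no 'authentication event server dead' action: with both ISE "
                        "nodes down, new sessions stay limited to the pre-auth ACL "
                        "(or are blocked if the port is not open)")
    elif mode in EXPECTED_DEAD_ACTION and port["dead_action"] != EXPECTED_DEAD_ACTION[mode]:
        findings.append(f"host-mode {mode} should use 'server dead action "
                        f"{EXPECTED_DEAD_ACTION[mode]} vlan X', not "
                        f"'{port['dead_action']}'")
    if port["alive_action"] is None:
        findings.append("no 'authentication event server alive action reinitialize': "
                        "the port will not re-authenticate once ISE is back")
    if port["dead_vlan"] is not None and port["dead_vlan"] == port["access_vlan"]:
        findings.append(f"dead-server VLAN {port['dead_vlan']} is the normal access VLAN: "
                        "full network access is granted while ISE is unreachable "
                        "(what question 1 asks for; confirm that is intended)")
    return findings


if __name__ == "__main__":
    print("multi-domain:", audit_dead_server(SAMPLE_PORT))
    print("multi-auth:  ", audit_dead_server(MULTI_AUTH_PORT))
```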
-
Best practices for restarting ISE nodes?
Hello community,
I administer an ISE installation with two nodes (I'm not an ISE specialist; my job is simply to manage the users/MAC addresses), but now I have to move my ISE nodes from one VMware cluster to another VMware cluster.
(Both VMware environments are connected to our company network, but they are different environments. vMotion is not possible.)
I want to stop ISE02, move it to our new VMware environment and start it again.
Then I could do the same with our ISE01 node...
Are there best practices to achieve this? (Stop the application first, stop replication, etc.)?
Can I really just reboot an ISE node, or do I have to consider something before I do this? And after I have done it?
Any tasks after the reboot?
Thanks for any answer!
ISE01
Administration, Monitoring, Policy Service
PRI (A), SEC (M)
ISE02
Administration, Monitoring, Policy Service
SEC (A), PRI (M)
There is a lot to consider here. If changing environments involves a change of IP address and IP scheme, then your policies, profiles and DACLs would also change, among other things. If this is the case, create a new ISE VM in the new environment using the evaluation license and recreate the old environment's deployment using the new environment's address scheme. Then spin up a new secondary node and register it to the primary. Once this is done, you can re-host the license from your old environment onto your new environment. You can use this tool to re-host:
https://Tools.Cisco.com/swift/LicensingUI/loadDemoLicensee?formid=3999
If the IP addressing is to stay the same, it becomes simpler.
First and always, perform an operational and configuration backup.
If downtime is not a problem, or if you have a maintenance window of an hour or so: just shut down the two nodes. Transfer them to the new environment and power them on, primary node first, of course.
If downtime is a problem, stop the secondary node and transfer it to the new environment. Start the secondary node and, when it comes back, stop the primary node. Once the services have stopped on the primary node, promote the secondary node to primary.
Transfer the FORMER primary node to the new environment and turn it on. It should take the role of secondary node. If it does not, assign this role through the GUI.
Remember, the proper way to shut down an ISE node is:
application stop ise
halt
By using these commands, the risk of database corruption decreases by 90% (remember to always back up).
Please rate useful posts and mark this question as answered if it does in fact answer your question. Otherwise, feel free to post additional questions.
Charles Moreton
-
Distributed ISE deployment with 4 nodes & licensing
Hello
Question 1
-------------
We have 04 ISE appliances and we intend to deploy a distributed deployment such that 02 ISE will act as PRI/SEC with the PAP/M&T roles and the other 02 as PRI/SEC with the PDP role.
The PAP/MT pair configuration is straightforward and there is no doubt about it, but there is a problem with the two other nodes, which are (PDP) as PRI/SEC.
ISE warns us that at least one node should have the monitoring role enabled; however, as the Admin role is already activated, we cannot enable it.
If someone has done this, I would appreciate guidance in the right direction or any document on how to achieve this requirement.
Question 2
-------------
My other query is on licensing for this requirement. We have only 1 Base and 1 Adv license for all these 04 boxes for about 500 endpoints. However, we can only generate licenses against 1 single ISE unit by giving its serial number, which will be installed on the primary PAP/MT box only; what about the other two boxes that will act as PDP PRI/SEC? Will they still give a warning that there is no license?
Question 3
-------------
When we deploy the distributed system with the above scenario, which ISE node IP addresses do we need to set up on the NAD (switch)? Will it be all 04 IP addresses, or the PAP/MT pair, or the PDPs...?
Thanks in advance.
There are the following roles that can be assigned in a deployment:
- Administration node (aka PAP). Must have 1 PAP and optionally a secondary
- Monitoring node (aka M&T). Must have at least one and optionally a standby
- Policy Service node (aka PDP): runs the RADIUS and profiling functions
Each node can take one or more of these roles.
For your configuration, I recommend the following:
- Node 1: Administration
- Node 2: Monitoring
- Node 3: Policy Service
- Node 4: Policy Service
all joined in one deployment with a single license.
Create node 1 first, then add all the others to the deployment.
In addition, you must enable the secondary administration function on one of the nodes (you must choose which) so it can act as a backup. It will be used only in case of failure of the primary administration role. You can also activate secondary M&T on a node, but be aware that it is an active function and is therefore still operational.
Hope that helps
Hope that helps