ISE Primary/Secondary Registration and Synchronization


Synchronize Primary and Secondary Cisco ISE Nodes
You can make configuration changes to Cisco ISE only through the Primary PAN (Policy Administration Node). The configuration changes get replicated to all the secondary nodes. If, for some reason, this replication does not occur properly, you can manually synchronize the Secondary PAN with the Primary PAN.
A situation encountered before: when registration or synchronization between the Secondary PAN and the Primary PAN has failed, the Syncup button is apparently unavailable and cannot be clicked.

Before you begin
You must click the Syncup button to force a full replication if the Sync Status is set to Out of Sync or if the Replication Status is Failed or Disabled.

Procedure
Step 1 Log in to the Primary PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 Check the check box next to the node that you want to synchronize with the Primary PAN, and click Syncup to force a full database replication.

Change Node Personas and Services
You can edit the Cisco ISE node configuration to change the personas and services that run on the node.

Before you begin
• When you enable or disable any of the services that run on a Policy Service node or make any changes to a Policy Service node, you will be restarting the application server processes on which these services run. Expect a delay while these services restart.
• Due to this delay in the restart of services, auto-failover, if enabled in your deployment, might get initiated. To avoid this, make sure that the auto-failover configuration is turned off.


Secondary Cannot Register

Procedure
Step 1 Log in to the Primary PAN.
Step 2 Choose Administration > System > Deployment.
Step 3 Check the check box next to the node whose personas or services you want to change, and then click Edit.
Step 4 Choose the personas and services that you want.
Step 5 Click Save.
Step 6 Verify receipt of an alarm on your Primary PAN to confirm the persona or service change. If the persona or service change is not saved successfully, an alarm is not generated. (This alarm is meant to tell you that the change succeeded; it is not an abnormal alarm.)

A case from another situation (quoted from a forum post):
I had the same thing happen in my ISE 1.4 (two-node deployment). My secondary ISE node stayed in "Not in Sync". I opened a case with Cisco and this is what I had to do to cure it.

1. Make sure both ISE servers are handling policy service. Do not proceed until you are sure both ISE servers are providing policy service. If they are not both handling policy you will need to open a maintenance window with your organization.
The first thing to confirm is that both ISE nodes have the policy service enabled.
2. From the CLI.
a. Stop the ISE application: "app stop ise". <---------- Stops the ISE application.
b. Reload the application: "reload". My primary ISE server required 35 minutes to reload. Yours may take longer or shorter. <----------- Then use the reload command to restart ISE and bring the application back up. This takes quite a while, usually around 40 minutes.

3. When the Primary has come back up make sure it is handling policy services. When you have verified it is then…
The next operation is to deregister the node (this takes a few minutes; the deregistered ISE node may need to reboot, which takes some time). Then, once the ISE node has finished starting, register it again and observe. Normally registration does not take long, but you still have to wait a while, roughly 10 minutes, depending on the configuration; when both sides are configured identically it may be shorter.
a. Go to Administration > Deployment.
b. Deregister the secondary ISE server. Mine took about 5 minutes to complete.
c. Then Register the secondary ISE node again. You will need the FQDN of the secondary ISE server and login credentials for it. The Register process took about 40 minutes for my deployment. You can monitor the process from the CLI of the secondary node with the command "show app status ISE".
d. Check your "External Identity Sources" after this process. I had to re-connect my secondary node to Active Directory.
Again, my deployment is ISE 1.4, but my problem was exactly what you are describing.

A similar case:
A newly deployed ISE pair: the Secondary could not register with or synchronize to the Primary. Both ISE nodes had identical hardware, software version and base configuration (apart from hostname and so on). DNS was configured, pointing to the same DNS server; NTP time was synchronized from the same NTP server; and the two nodes could reach each other by IP address or by domain name. Even so, the Secondary could not register with or synchronize to the Primary. (Before starting the sync, it was confirmed that the Secondary was in standalone mode, and afterwards its role could be seen to have changed to Secondary, but after waiting 3-4 hours the following error appeared!)

Sync Status: Node Registration or Sync failed. Please deregister and register the node again

Operations tried:
1. Switching the primary and secondary roles
2. Rebooting both devices
3. Checking the interconnecting switch, where both ISE nodes were visible

Solution:
1. Tried enabling DNS on both ISE nodes; on its own this seemed to have no effect.
2. In the end, a reverse lookup zone for the domain was configured on the DNS server. On the next attempt, the node registered and synchronized within moments.

Reverse DNS Lookup Configuration

Configure reverse DNS lookup for all Cisco ISE nodes in your distributed deployment in the DNS server(s). Otherwise, you may run into deployment-related issues after upgrade (“ISE Indexing Engine” status turns to “not running”). The secondary PAN cannot join the primary PAN to make a cluster for ISE Indexing engine if reverse DNS is not configured (displays error in VCS pages).

The ise-elasticsearch.log file on secondary PAN will include the SSL Exception “No subject alternative name present”, if reverse DNS is missing.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/release_notes/ise23_rn.html#pgfId-781002

Configuring reverse DNS lookup (AD / Windows Server 2008/2012):
https://www.petri.com/configure-forward-reverse-lookup-zones-in-windows-server-2008-r2-2012


Key points for ISE registration and synchronization:
1. NTP/time and timezone
2. DNS (including forward and reverse lookup)
3. Reachability between primary and secondary
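A pre-registration check for the DNS point above, added here as an example and not Cisco's own tooling: it resolves each node's A record, then the PTR of that address, and flags any node whose reverse lookup is missing or points to a different name. The node names and addresses in the sample table are constructed placeholders; by default the check uses the host's system resolver.

```python
# Added example (not Cisco's code): pre-registration DNS consistency check for
# ISE nodes. For each node FQDN resolve A -> IP, then the PTR of that IP, and
# require it to map back to the same FQDN. Resolvers are injectable so the
# check can also run against a constructed table instead of the live resolver.
import socket
from typing import Callable, Dict, List, Optional

def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot a PTR answer may carry."""
    return name.lower().rstrip(".")

def system_forward(fqdn: str) -> Optional[str]:
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_nodes(nodes: List[str],
                forward: Callable[[str], Optional[str]] = system_forward,
                reverse: Callable[[str], Optional[str]] = system_reverse) -> Dict[str, str]:
    """Return {fqdn: 'ok' | reason}; any non-'ok' entry must be fixed first."""
    verdicts: Dict[str, str] = {}
    for fqdn in nodes:
        ip = forward(fqdn)
        if ip is None:
            verdicts[fqdn] = "no A record (forward lookup failed)"
            continue
        ptr = reverse(ip)
        if ptr is None:
            verdicts[fqdn] = f"no PTR record for {ip} (reverse lookup missing)"
        elif _norm(ptr) != _norm(fqdn):
            verdicts[fqdn] = f"PTR for {ip} is {ptr}, expected {fqdn}"
        else:
            verdicts[fqdn] = "ok"
    return verdicts

# Constructed sample zone data (placeholder names and addresses, not from the page).
SAMPLE_A = {"ise-pri.example.com": "10.0.0.11", "ise-sec.example.com": "10.0.0.12",
            "ise-psn.example.com": "10.0.0.13"}
SAMPLE_PTR = {"10.0.0.11": "ISE-PRI.example.com.",  # consistent despite case/dot
              "10.0.0.12": "old-name.example.com"}  # stale PTR; .13 has no PTR

def demo() -> Dict[str, str]:
    return check_nodes(list(SAMPLE_A), forward=SAMPLE_A.get, reverse=SAMPLE_PTR.get)
```

Run `demo()` to see the three verdicts on the constructed table, or call `check_nodes([...])` with your real node FQDNs to query the live resolver before registering a node.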

