• ISE Primary/Secondary Registration and Synchronization


    Synchronize Primary and Secondary Cisco ISE Nodes
    You can make configuration changes to Cisco ISE only through the Primary PAN. The configuration changes get replicated to all the secondary nodes. If, for some reason, this replication does not occur properly, you can manually synchronize the Secondary PAN with the Primary PAN.
    A situation encountered before: when registration or sync between the Secondary PAN and the Primary PAN has failed, the Syncup button is presumably not clickable.

    Before you begin
    You must click the Syncup button to force a full replication if the Sync Status is set to Out of Sync or if the Replication Status is Failed or Disabled.

    Procedure
    Step 1 Log in to the Primary PAN.
    Step 2 Choose Administration > System > Deployment.
    Step 3 Check the check box next to the node that you want to synchronize with the Primary PAN, and click Syncup to force a full database replication.

    Change Node Personas and Services
    You can edit the Cisco ISE node configuration to change the personas and services that run on the node.

    Before you begin
    • When you enable or disable any of the services that run on a Policy Service node or make any changes to a Policy Service node, you will be restarting the application server processes on which these services run. Expect a delay while these services restart.
    • Due to this delay in restart of services, auto-failover if enabled in your deployment, might get initiated. To avoid this, make sure that the auto-failover configuration is turned off.


    Secondary Cannot Register

    Procedure
    Step 1 Log in to the Primary PAN.
    Step 2 Choose Administration > System > Deployment.
    Step 3 Check the check box next to the node whose personas or services you want to change, and then click Edit.
    Step 4 Choose the personas and services that you want.
    Step 5 Click Save.
    Step 6 Verify receipt of an alarm on your Primary PAN to confirm the persona or service change. If the persona or service change is not saved successfully, an alarm is not generated.
    (The alarm here is the notification that the change succeeded; it is not an abnormal alarm.)

    A case from another situation:
    I had the same thing happen in my ISE 1.4 (two-node deployment). My secondary ISE node stayed in "Not in Sync". I opened a case with Cisco and this is what I had to do to cure it.

    1. Make sure both ISE servers are handling policy service. Do not proceed until you are sure both ISE servers are providing policy service. If they are not both handling policy, you will need to open a maintenance window with your organization.
    The first thing to confirm is that both ISE nodes have policy service enabled.
    2. From the CLI.
    a. Stop the ISE application: "app stop ise". <---------- Stop the ISE application.
    b. Reload the application: "reload". My primary ISE server required 35 minutes to reload. Yours may take longer or shorter. <----------- Then use the reload command to restart ISE and bring the application back up. This takes fairly long, generally around 40 minutes.

    3. When the Primary has come back up make sure it is handling policy services. When you have verified it is then…
    Next comes deregistration (this takes a few minutes; the deregistered ISE may need to reboot, which takes some time) > then, once that ISE has finished booting, re-register the node and watch the result. Normally registration does not take long, but you still have to wait a while, perhaps around 10 minutes. It depends on the specific configuration; when the configuration on both sides is identical it may be quicker.
    a. Go to Administration > Deployment.
    b. Deregister the secondary ISE server. Mine took about 5 minutes to complete.
    c. Then Register the secondary ISE node again. You will need the FQDN of the secondary ISE server and login credentials for it. The Register process took about 40 minutes for my deployment. You can monitor the process from the CLI of the secondary node with the command "show app status ISE".
    d. Check your "External Identity Sources" after this process. I had to re-connect my secondary node to Active Directory.
    Again, my deployment is ISE 1.4, but my problem was exactly what you are describing.

    A similar case:
    A newly deployed ISE pair: the Secondary cannot register with or sync to the Primary. Both ISE nodes have the same hardware, software version and base configuration (apart from hostname and the like). DNS is configured, both pointing at the same DNS server; NTP time is synchronized from the same NTP server; the two nodes can reach each other by IP address or by domain name, yet the Secondary still cannot register or sync to the Primary. (Before starting the sync, it was confirmed that the Secondary was in standalone mode, and afterwards its role could be seen to have changed to Secondary, but after waiting 3-4 hours the following error appeared!)

    Sync Status: Node Registration or Sync failed. Please deregister and register the node again

    Operations tried:
    1. Switching primary and secondary
    2. Rebooting both devices
    3. Checking the interconnecting switch, on which both ISE nodes are visible

    Solution:
    1. Tried enabling DNS on both ISE nodes; on its own this seemed to have no effect.
    2. In the end, reverse lookup for the domain was configured on the DNS server. On the next attempt the node registered and synchronized within a short while.

    Reverse DNS Lookup Configuration

    Configure reverse DNS lookup for all Cisco ISE nodes in your distributed deployment in the DNS server(s). Otherwise, you may run into deployment-related issues after upgrade (“ISE Indexing Engine” status turns to “not running”). The secondary PAN cannot join the primary PAN to make a cluster for ISE Indexing engine if reverse DNS is not configured (displays error in VCS pages).

    The ise-elasticsearch.log file on secondary PAN will include the SSL Exception “No subject alternative name present”, if reverse DNS is missing.

    https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/release_notes/ise23_rn.html#pgfId-781002

    Configuring reverse DNS lookup (AD / Windows Server 2008/2012):
    https://www.petri.com/configure-forward-reverse-lookup-zones-in-windows-server-2008-r2-2012


    Key points for ISE registration and sync:
    1. NTP/time, timezone
    2. DNS (including forward and reverse lookup)
    3. Primary and secondary reachable from each other
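    As an added example (not Cisco's code and not from the original post), a small Python check of the DNS prerequisite in point 2 and in the release note above: every ISE node FQDN must resolve forward, and each address must have a PTR record that maps back to the same FQDN. The node names, addresses and sample zone are constructed; the default resolvers query the system DNS.

```python
import socket
from typing import Callable, Dict, List
# Added example (not Cisco code): forward A record plus matching PTR for every ISE node.
def default_forward(fqdn: str) -> List[str]:  # system resolver, IPv4 only
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def default_reverse(ip: str) -> str:  # raises OSError when no PTR exists
    return socket.gethostbyaddr(ip)[0]

def check_ise_dns(nodes: List[str],
                  forward: Callable[[str], List[str]] = default_forward,
                  reverse: Callable[[str], str] = default_reverse) -> Dict[str, List[str]]:
    """Return {fqdn: [problems]}; an empty list means forward and reverse agree."""
    report: Dict[str, List[str]] = {}
    for fqdn in nodes:
        problems: List[str] = []
        try:
            ips = forward(fqdn)
        except OSError as exc:
            report[fqdn] = [f"forward lookup failed: {exc}"]
            continue
        for ip in ips:
            try:
                ptr = reverse(ip)
            except OSError:  # missing PTR: the condition that blocked registration above
                problems.append(f"no PTR record for {ip}")
                continue
            if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
                problems.append(f"PTR for {ip} is {ptr!r}, expected {fqdn!r}")
        report[fqdn] = problems
    return report

# Constructed sample zone (hypothetical names and addresses): the secondary has
# an A record but no PTR, and the PSN's PTR still points at a stale hostname.
SAMPLE_A = {"ise-pri.example.local": ["192.0.2.11"], "ise-sec.example.local": ["192.0.2.12"],
            "ise-psn.example.local": ["192.0.2.13"]}
SAMPLE_PTR = {"192.0.2.11": "ise-pri.example.local", "192.0.2.13": "old-psn.example.local"}
def sample_forward(fqdn: str) -> List[str]:
    if fqdn not in SAMPLE_A: raise OSError(f"NXDOMAIN {fqdn}")
    return SAMPLE_A[fqdn]

def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_PTR: raise OSError(f"no PTR for {ip}")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for node, issues in check_ise_dns(list(SAMPLE_A), sample_forward, sample_reverse).items():
        print(node, "OK" if not issues else "; ".join(issues))
```

    Run it against a real deployment by calling check_ise_dns with the node FQDNs and the default resolvers from a host that uses the same DNS server as the ISE nodes.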

    Study hard and make progress every day!
  • Original source: https://www.cnblogs.com/MomentsLee/p/9915087.html