ISE 1.2 Patch 8 - Wired CoA Bug

Hi all,
Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

CoA Not Initiating on Client Machine
Symptoms or
Issue
Cisco ISE is not able to identify the specified Network Access Device (NAD).
Conditions Click the magnifying glass icon in Authentications to display the steps in the
Authentication Report. The logs display the following error message:
• 11007 Could not locate Network Device or AAA Client Resolution
Possible Causes • The administrator did not correctly configure the Network Access Device
(NAD) type in Cisco ISE.
• Could not find the network device or the AAA Client while accessing NAS by
IP during authentication.
Resolution • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
• Verify whether the Network Device or AAA client is correctly configured in
Administration > Network Resources > Network Devices
Symptoms or
Issue
Users logging into the Cisco ISE network are not experiencing the required Change
of Authorization (CoA).
Conditions Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from
supported network devices.
Possible Causes Cisco ISE network enforcement points (switches) may be missing key configuration
commands, may be assigning the wrong port (for example, a port other than 1700),
or have an incorrect or incorrectly entered key.
Resolution Ensure the following commands are present in the switch configuration file (required
on switch to activate CoA and configure the switch):
aaa server radius dynamic-author
client <Monitoring_node_IP_address> server-key <radius_key>

Similar Messages

  • ISE 1.2 Patch 7 possible guest CWA bug

    Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
    In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
    If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

    Hi,
    I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
    The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.

  • ISE 1.2 Patch 12

    Hi all,
    I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
    None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
    "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
    Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
    I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
    Any info out there about 5441 before I log a TAC?????
    Thanks.

    Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
    It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
    Event
    5400 Authentication failed
    Failure Reason
    12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution
    Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause
    Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

  • ISE 1.2 patch 4 not retrieving groups

    Since the update to ISE 1.2 patch 4 it isn't possible anymore to retrieve groups or attributes from the active directory. It keeps loading.
    Anyone else experiencing this issue?           
    Regards,
    Mathieu

    The issue you are referring to is documented in the following CDETS:
    CSCul84544: Retrieval of AD groups or attributes is failing
    This is not yet resolved. May be resolved in a future patch
    The workaround given in the CDETS is
    Fix the DNS server so that the reverse DNS lookup matches
    I believe there are other steps that can be taken to mitigate this but would need intervention from TAC

  • ISE 1.2 Patch 8

    Our ISE Deployment for wireless only is operating on 1.2.0.899 Patch 3.  We are looking to upgrade to Patch 8.  We plan on testing in a Dev envioronment first, but I was curious what others experience had been with stability in Patch 8?

    So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place aswell. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.

  • [svn:fx-3.x] 5709: Accepted BugQuash patch SDK-20278 for bug SDK-15690.

    Revision: 5709
    Author: [email protected]
    Date: 2009-03-28 13:57:51 -0700 (Sat, 28 Mar 2009)
    Log Message:
    Accepted BugQuash patch SDK-20278 for bug SDK-15690. This makes it possible to initialize ToggleButtonBar with a selectedIndex of -1 so that no button is selected.
    Thank you, Tom Chiverton!
    QE Notes: None
    Doc Notes: None
    Bugs: SDK-15690
    Reviewer: Accepting patch
    Ticket Links:
    http://bugs.adobe.com/jira/browse/SDK-20278
    http://bugs.adobe.com/jira/browse/SDK-15690
    http://bugs.adobe.com/jira/browse/SDK-15690
    Modified Paths:
    flex/sdk/branches/3.x/frameworks/projects/framework/src/mx/controls/ToggleButtonBar.as

  • [svn:fx-3.x] 5708: Accepted BugQuash patch SDK-20277 for bug SDK-17251.

    Revision: 5708
    Author: [email protected]
    Date: 2009-03-28 13:30:11 -0700 (Sat, 28 Mar 2009)
    Log Message:
    Accepted BugQuash patch SDK-20277 for bug SDK-17251. This makes Form respect its children's includeInLayout property when computing measuredWidth.
    Thank you, Myo Thein!
    QE Notes: None
    Doc Notes: None
    Bugs: SDK-17251
    Reviewer: Accepting patch
    Ticket Links:
    http://bugs.adobe.com/jira/browse/SDK-20277
    http://bugs.adobe.com/jira/browse/SDK-17251
    http://bugs.adobe.com/jira/browse/SDK-17251
    Modified Paths:
    flex/sdk/branches/3.x/frameworks/projects/framework/src/mx/containers/Form.as

  • [svn] 3365: Applying user submitted patch SDK-16993 for bug SDK-15551.

    Revision: 3365
    Author: [email protected]
    Date: 2008-09-25 12:35:13 -0700 (Thu, 25 Sep 2008)
    Log Message:
    Applying user submitted patch SDK-16993 for bug SDK-15551.
    QA: Yes
    Checkintests: pass
    Ticket Links:
    http://bugs.adobe.com/jira/browse/SDK-16993
    http://bugs.adobe.com/jira/browse/SDK-15551
    Modified Paths:
    flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/collections/SortField.as

    Revision: 3365
    Author: [email protected]
    Date: 2008-09-25 12:35:13 -0700 (Thu, 25 Sep 2008)
    Log Message:
    Applying user submitted patch SDK-16993 for bug SDK-15551.
    QA: Yes
    Checkintests: pass
    Ticket Links:
    http://bugs.adobe.com/jira/browse/SDK-16993
    http://bugs.adobe.com/jira/browse/SDK-15551
    Modified Paths:
    flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/collections/SortField.as

  • [svn] 3367: Applying user submitted patch SDK-16889 for bug SDK-15290.

    Revision: 3367
    Author: [email protected]
    Date: 2008-09-25 13:26:08 -0700 (Thu, 25 Sep 2008)
    Log Message:
    Applying user submitted patch SDK-16889 for bug SDK-15290.
    QA: Yes
    Checkintests: pass
    Mustella: CurrencyValidator passes
    Ticket Links:
    http://bugs.adobe.com/jira/browse/SDK-16889
    http://bugs.adobe.com/jira/browse/SDK-15290
    Modified Paths:
    flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/validators/CurrencyValidator .as

    Revision: 3367
    Author: [email protected]
    Date: 2008-09-25 13:26:08 -0700 (Thu, 25 Sep 2008)
    Log Message:
    Applying user submitted patch SDK-16889 for bug SDK-15290.
    QA: Yes
    Checkintests: pass
    Mustella: CurrencyValidator passes
    Ticket Links:
    http://bugs.adobe.com/jira/browse/SDK-16889
    http://bugs.adobe.com/jira/browse/SDK-15290
    Modified Paths:
    flex/sdk/branches/3.0.x/frameworks/projects/framework/src/mx/validators/CurrencyValidator .as

  • ISE 1.2 Patch 6 Bulk account creation Sponsor portal bug

    Hi all, not sure whether anyone has this issue but I noticed yesterday when I do a bulk csv import of users into the sponsor portal that it does not hold the user group I specifiy. In summary I select my CSV file, choose my user type as contractor (guest or contractor) and submit. The import succeeds except that all users are placed into the guest group not the contractor group I specified. You then have to manually alter every single one of them to be in the right group.
    Any ideas?

    Hi -
    I also see this when I import a CSV file of accounts for a different guest role.  We have created a second portal (other than the default "guest").  All the new accounts get assigned to Guest regardless of what is specified. The fix has so far been simply reassigning them manually.

  • ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

    We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
    For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
    Personas:
    Administration
    Role:
    PRIMARY(A)
    System Time:
    Apr 24 2014 08:26:58 AM America/New_York
    FIPS Mode:
    Disabled
    Version:
    1.2.0.899
    Patch Information:
    7,1,3
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    11507
    Extracted EAP-Response/Identity
    12500
    Prepared EAP-Request proposing EAP-TLS with challenge
    12625
    Valid EAP-Key-Name attribute received
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12301
    Extracted EAP-Response/NAK requesting to use PEAP instead
    12300
    Prepared EAP-Request proposing PEAP with challenge
    12625
    Valid EAP-Key-Name attribute received
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12302
    Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318
    Successfully negotiated PEAP version 0
    12800
    Extracted first TLS record; TLS handshake started
    12805
    Extracted TLS ClientHello message
    12806
    Prepared TLS ServerHello message
    12807
    Prepared TLS Certificate message
    12810
    Prepared TLS ServerDone message
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12318
    Successfully negotiated PEAP version 0
    12812
    Extracted TLS ClientKeyExchange message
    12804
    Extracted TLS Finished message
    12801
    Prepared TLS ChangeCipherSpec message
    12802
    Prepared TLS Finished message
    12816
    TLS handshake succeeded
    12310
    PEAP full handshake finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12313
    PEAP inner method started
    11521
    Prepared EAP-Request/Identity for inner EAP method
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11522
    Extracted EAP-Response/Identity for inner EAP method
    11806
    Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11808
    Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041
    Evaluating Identity Policy
    15006
    Matched Default Rule
    15013
    Selected Identity Source - *****
    24431
    Authenticating machine against Active Directory
    24470
    Machine authentication against Active Directory is successful
    22037
    Authentication Passed
    11824
    EAP-MSCHAP authentication attempt passed
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11810
    Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814
    Inner EAP-MSCHAP authentication succeeded
    11519
    Prepared EAP-Success for inner EAP method
    12314
    PEAP inner method finished successfully
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    15036
    Evaluating Authorization Policy
    24433
    Looking up machine in Active Directory - host/*****
    24435
    Machine Groups retrieval from Active Directory succeeded
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule - Default
    15016
    Selected Authorization Profile - DenyAccess
    15039
    Rejected per authorization profile
    12306
    PEAP authentication succeeded
    11503
    Prepared EAP-Success
    11003
    Returned RADIUS Access-Reject 

    salodh,
    Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 
    12500
    Prepared EAP-Request proposing EAP-TLS with challenge
    12625
    Valid EAP-Key-Name attribute received
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12301
    Extracted EAP-Response/NAK requesting to use PEAP instead 
    If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
    Name
    Wired-******-PC
     Conditions
    Radius:Service-Type EQUALS Framed
    AND
    Radius:NAS-Port-Type EQUALS Ethernet
    AND
    *******:ExternalGroups EQUALS **********/Users/Domain Computers
    AND
    Network Access:EapAuthentication EQUALS EAP-TLS
    Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
    Thanks again, sir.
    Andrew

  • Cisco ISE 1.2 Patch 6 -- 8 Update failed

    Hi all,
    I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
    Important notice : I though that this error could be an unlucky try but i've tested the update two time.
    Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
    The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
    On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
    The symptoms after this error are :
    - Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
    - The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
    - GUI Unavailable
    - MAB Auth is working
    - Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
    - Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
    The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
    My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
    Thanks for your help.

    This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
    2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
    2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
    2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
    2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
    pl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
    8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
    2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

  • ISE 1.2 Patch 2 External RADIUS Server Sequence Broken?

    Hi community,
    We have upgraded our proof of concept ISE 1.2 lab to Patch level 2.
    Our lab design includes the use of external RADIUS servers which we off-load certain authentication rules to.
    To ensure resiliency of the external RADIUS service, we have two of these which we add to a RADIUS Server Sequence, the idea being that if the first in the list is unavailable, ISE will try the second and all will be well.
    Now this worked for us in testing ISE 1.2, but I have noticed that after the upgrade to Patch 2 ISE is sending the majority RADIUS traffic to the first (failed) external RADIUS server, with only the odd RADIUS Access-Request to thte next in the list.
    Anybody else come across this??
    All helpful comments rated!
    Many thanks, Ash.

    I couldn't find any known issues with this feature. Could you please paste the screen shot of external radius sequence and configuration. Also, how are we determing that the first server in the sequence is DEAD?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE 1.2 patch 6 - All Authentications begin failing after about 20 minutes

    Hi all,
    Another strange one I am throwing out to the forum. Basically I have a 5 node deployment (1 x Primary Admin, 1 x Primary Monitoring, 1 x Secondary Admin/Monitoring and 2 x Policy Nodes). The primary authentication method is EAP-TLS or PEAP for wireless only. The deployment in question has been in pilot for about 3 weeks with no issues what so ever.
    As of this morning we rolled into production and all seemed well - about 100 users successfully authed against PSN1 (PSN2 is configured in the WLC as a secondary radius). About 30 minutes after the production rollout authentications began failing for the exact same reason (see attached radius log). I checked all of the certificates as recommended in the log but this was a matter of course in that everything is as it should be.
    My next step was to essentially stop PSN1 (application stop ise) to see if the issue was a problem on the second PSN. All authentications were now succeeding via PSN2. I left it this way for 30 minutes with no drama. I started PSN1 again and authentications began to work....20 minutes later the issue was back. I replicated this issue again to be sure.
    At this point I decided to deregister PSN1 and application reset the node before rejoining with the ISE deployment. Authentications worked well until about 30 minutes later when the issue reappeared. At this point I reloaded all nodes in the ISE deployment to see if this made a difference but the issue still remained.
    Currently I have PSN1 shutdown and all is functioning well - anyone have any ideas??

    I got this fixed via TAC. Basically the following is the bug but it is worth noting that this deployment was a fresh build of 1.2
    https://tools.cisco.com/bugsearch/bug/CSCuj17272/?reffering_site=dumpcr
    Symptom:
    all auth fails when using the existing identity source sequences after upgrade from 1.1.3 to 1.2.
    Conditions:
    upgrade from 1.1.3 to 1.2 build 899 breaks all auth using identity sequences.
    Basically the fix was to recreate my ID sequences and reapply to the authentication policy. This fixed the issue on the policy node in question.

  • Cisco ISE 1.2 Patch 8 with Roaming User Profiles

    ISE 1.2 with patch 8 has been installed and Works fine.
    Using AnyConnect Secure Mobility Client (NAM) 3.1.04072 and Cisco NAC Agent version 4.9.1013
    Scenario is EAP Chaining which does machine authentication + User Authentication
    After NAC Agent Pops up and Posture Assessment is successful, Users cannot see their Home drives and few other Network Drives.
    Sometimes during login we get the Error Message "User Profile cannot be loaded" and "User cannot Logon"
    Also while logging off We get the screen "Your Roaming Profile was not synchronized"
    All the Home Drives and Network Shared drives IP addresses are already added in the Downloadable ACL's.
    Any other Workaround to overcome these errors.
    Regards,
    Ramkumar.B

    This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
    2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
    2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
    2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
    2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
    pl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
    8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
    2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

Maybe you are looking for