ISE 1.3 Upgrade LDAP Issue

We recently upgraded to 1.3 and everything seems fine, except that we noticed that the Catalyst switches we use AD authentication through ISE for stopped dropping us automatically into enable mode. I did rejoin the device to AD as required post upgrade and have since unjoined and rejoined. When I run the test user option for the AD Identity store I get an error saying it's unable to fetch LDAP attributes, see attached. There is also a similar error in the syslog any time a user logs into the switch. I went back through the syslogs and these errors were not happening until the upgrade. I am assuming this somehow correlates to my issue. Has anyone else experienced this post upgrade? Thanks.

Are you using LDAP or native AD join?
There are some issues with LDAP and quotes in the group names, which are not supported. I have also had issues with 1.3 when using commas in user names, so something like "Doe, John" is not possible as the name of a user in AD.
As for native AD, I have not had any issues with ISE 1.3.

Similar Messages

  • LDAP issue after upgrading to SP15 from SP7 for CUP 5.3

    Hello,
    We have recently upgraded our Sandbox from SP7 to SP15 on GRC 5.3 and are now having issues authenticating users using LDAP.
    The connections and settings are exactly the same as on our Dev system, which is on SP7, and the connection also says successful, but when we go to the request page and type in an ID it says invalid credentials.
    Am I missing something, or is there a special procedure after the upgrade?
    Thanks
    Uday

    Hello Frank,
    Thanks for the reply. I forgot to do it and, as you said, once I performed those steps it actually solved my password reset link issues, as it was erroring out with a 500 error and now it is working fine.
    But to fix LDAP issue SAP has a note which says after SP13 we don't need to fill in the user path field while creating LDAP connector.
    Thanks
    Uday

  • Upgrading to ISE 1.3 error ISE Global data upgrade failed!

    Hi,
    Has anyone come across this issue? When upgrading, it seems to start all well but then this happens:
    - Data upgrade step 40/67, CertMgmtUpgradeService(1.3.0.616)... % Error: ISE Global data upgrade failed!
    Rolling back the configuration database...
    Starting application after rollback...
    % Error: The node has been reverted back to its pre-upgrade state.
    % Application install or upgrade cancelled.
    I've also upgraded it to the latest patch and tried again but to no avail. This is an appliance (3415) that came shipped with 1.2. It's not been configured other than the initial cli wizard. I've upgraded a fair few appliances but I haven't seen this issue come up before. Any thoughts? 
    Thanks in advance for any info...

    If this is a test setup then you can do a fresh ISE install. Back up the existing config and restore it to 1.3. If it's production then contact TAC.

  • Ise distributed deployment upgrade

    My customer has an ISE deployment with 4 nodes: Admin/Monitor Primary and Secondary plus 2 Policy Server. The Admin nodes are VMs, the Policy nodes are 3315 appliances.
    The system was installed almost three years ago with the version 1.1.0 ... It appears the system never had issues so never was patched or upgraded. Why fix something that is working fine?
    Today there was an issue because the certificates expired, so in the review to get the system up and running again, the update issue was brought into the conversation. We would like to do an upgrade to the last supported version, so I am looking for some tips and ideas for planning the upgrade.
    I have some doubts:
    Can the 3315 appliance support the release 1.3 without issues?
    I know the upgrade procedure is basically installing a .tar file, but I'm not clear how the process in a distributed deployment should be. I had run upgrades in standalone systems, but never in a distributed deployment. So, I need to upgrade the Primary Admin only and the other nodes would upgrade automatically?
    I would need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3?
    I understand release 1.1 was 32-bit, and versions 1.2 and 1.3 are 64-bit, so I guess the process would take a long time (perhaps a couple of hours), so a maintenance window would need 3 or 4 hours until the full system became stable.
    Can you give me some advice and suggestions to avoid major issues?
    Regards.
    Daniel Escalante.

    Can you give me some advice and suggestions to avoid major issues?
    Documents related to the upgrade were given by Venkatesh; refer to those. Along with that, some additional information.
    Can the 3315 appliance support the release 1.3 without issues?
    Cisco ISE-3315-K9 (small)
    Supports ISE 1.3
    Any
    1x Xeon 2.66-GHz quad-core processor
    4 GB RAM
    2 x 250 GB SATA HDD
    4x 1 GB NIC
    I know the upgrade procedure is basically installing a .tar file, but I'm not clear how the process in a distributed deployment should be. I had run upgrades in standalone systems, but never in a distributed deployment. So, I need to upgrade the Primary Admin only and the other nodes would upgrade automatically?
    When upgrading to Cisco ISE, Release 1.2, first upgrade the secondary Administration node to Release 1.2. You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.
    I would need to upgrade 1.1 to 1.2 first and then 1.2 to 1.3? I understand release 1.1 was 32-bit, and versions 1.2 and 1.3 are 64-bit, so I guess the process would take a long time (perhaps a couple of hours), so a maintenance window would need 3 or 4 hours until the full system became stable.
    If you are on a version earlier than Cisco ISE, Release 1.2, you must first upgrade to 1.2 and then to 1.3.
    You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
    Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
    Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
    Cisco ISE, Release 1.1.2, with the latest patch applied
    Cisco ISE, Release 1.1.3, with the latest patch applied
    Cisco ISE, Release 1.1.4, with the latest patch applied
    Type of Deployment                                 Node Persona                                 Time Taken for Upgrade
    Standalone (2000 endpoints)                        Administration, Policy Service, Monitoring   1 hour 20 minutes
    Distributed (25,000 users and 250,000 endpoints)   Secondary Administration                     2 hours
                                                       Monitoring                                   1.5 hours
    After upgrading to ISE 1.2, upgrade to ISE 1.3
    Type of Deployment                                 Node Persona                                 Time Taken for Upgrade
    Standalone (2000 endpoints)                        Administration, Policy Service, Monitoring   1 hour 20 minutes
    Distributed (25,000 users and 250,000 endpoints)   Secondary Administration                     2 hours
                                                       Monitoring                                   1.5 hours
    Factors That Affect Upgrade Time
    Number of endpoints in your network
    Number of users and guest users in your network
    Profiling service, if enabled

  • ISE 1.1.1 to ISE 1.2 upgrade path for ISE node

    Hi,
    Currently in our ISE deployment we have 2 ISE nodes on version 1.1.1.268 with the latest patch.
    The ISE nodes hold the following personas:
    Node 1: Admin, Monitoring, PSN
    Node 2: PSN
    How should the above deployment be upgraded to 1.2?
    In which order should they be upgraded? Is there any supporting doc covering the above deployment for the ISE 1.2 upgrade?

    Kindly check the following links for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.pdf
    https://www.cisco.com/en/US/docs/security/ise/1.2/open_source_license/Cisco_Identity_Services_Engine_1.2_Open_Source_Documentation.pdf

  • ISE 1.3 Upgrade fails

    Hi All
    I did upgrades from 1.2.1.198 to 1.3. With one box (SNS-3495-K9) out of four I have a problem.
    I've tried it many times, I even made it to a standalone and did an application reset-config ise to initialize the box prior updating, but it always fails at step 40.
    - Data upgrade step 40/67, CertMgmtUpgradeService(1.3.0.616)... % Error: ISE Global data upgrade failed!
    Rolling back the configuration database...
    Starting application after rollback...
    % Error: The node has been reverted back to its pre-upgrade state.
    % Application install or upgrade cancelled.
    Any idea?
    Thanks Thomas

    Upgrade Failures
    During upgrade, the configuration database schema and data upgrade failures are rolled back automatically. Your appliance would return to the last known good state. If this is encountered, the following message appears on the console and in the logs:
    % Warning: The node has been reverted back to its pre-upgrade state.
    error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
    % Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
    In case of upgrade failures, before you try to upgrade again:
     Analyze the logs. Check the application bundle for errors.
     Identify and resolve the problem by submitting the application bundle that you generated to the Cisco Technical Assistance Center (TAC).

  • LDAP Issues with 4.1 upgrade - partial success

    All,
    I’ve spent the last few hours going through the forum and reading the documentation on LDAP authentication issues after upgrading to 4.1.
    I have completed every suggestion that has been posted and still no success.
    If I run the following from SQL Workshop I get a successful authentication:
    declare
       l_session dbms_ldap.session;
       l_dummy   pls_integer;
    begin
       dbms_ldap.use_exception := TRUE;
       l_session := dbms_ldap.init('host.domain.com', 389 );
       l_dummy   := dbms_ldap.simple_bind_s(l_session, 'domain\user', 'password');
       dbms_output.put_line('authenticated');
       l_dummy   := dbms_ldap.unbind_s(l_session);
    exception when others then
       l_dummy := dbms_ldap.unbind_s(l_session);
       raise;
    end;
    However, if I run APEX_LDAP.AUTHENTICATE using the same inputs it will not authenticate:
    begin
    IF APEX_LDAP.AUTHENTICATE(
      p_username =>'domain\user',
      p_password => 'password',
      p_search_base => 'dc=domain,dc=com',
      p_host => 'host.domain.com',
      p_port => 389)
    THEN htp.p('authenticated');
    ELSE htp.p('not authenticated');
    END IF;
    end;
    Is a successful authentication using APEX_LDAP.AUTHENTICATE a prerequisite for the application to authenticate correctly? This is the only option I know to test the configuration.
    I have run the scripts to update the ACLs for user APEX_040100 and workspace schema user.
    Thanks in advance,
    Darin
    Apex 4.1
    Oracle 11.2g
    Active Directory

    If the simple_bind_s works, that is sufficient proof that the network ACL is okay, and so are your credentials. I'd not bother too much with apex_ldap since that integrates with OID, and if you don't have that it becomes pretty much worthless.
    So I assume that your authentication scheme is the pre-built LDAP one. Could you share some more (obscured, I understand) details about how you have set up the details? Especially your "Distinguished Name (DN) String", "Use Exact Distinguished Name (DN)" (Yes/No), "LDAP Username Edit Function". I'm also assuming that you want users to log in with their login-username (samaccountname)?

  • ISE 1.3 upgrade issue

    Dears,
    We upgraded from 1.2.1 to 1.3 but many users can't get posture assessment and are then stuck in quarantine state.
    Any help?

    TAC advised there is a bug and we are waiting for a patch :(

  • OES11SP1 LDAP issue on a node

    Hi,
    I have a 2-node cluster that we upgraded from OES11 to OES11 SP1 at the beginning of August.
    Last week we created a new resource on the primary node (let's say NODE 1), but when we wanted to migrate this new resource to the other node (let's say NODE 2), the resource became comatose.
    On node 2, what I can see in /var/log/messages is the following:
    Aug 20 16:42:17 node2 ncs-resourced: Try LDAP for POOLDATA20_SERVER
    Aug 20 16:42:17 node2 ncs-resourced: LDAP failed: <class 'ldap.SERVER_DOWN'>
    Aug 20 16:42:53 node2 ncs-resourced: Error preprocessing script POOLDATA20_SERVER.load
    Aug 20 16:42:53 node2 ncs-resourced: POOLDATA20_SERVER.load: CRM: Tue Aug 20 16:42:53 2013
    Aug 20 16:42:53 node2 ncs-resourced: POOLDATA20_SERVER.load: /bin/sh: /var/run/ncs/POOLDATA20_SERVER.load: No such file or directory
    Aug 20 16:42:53 node2 ncs-resourced: resourceMonitor: POOLDATA20_SERVER load status=127
    Aug 20 16:42:54 node2 ncs-resourced: Error preprocessing script POOLDATA20_SERVER.unload
    Aug 20 16:42:54 node2 ncs-resourced: POOLDATA20_SERVER.unload: CRM: Tue Aug 20 16:42:54 2013
    Aug 20 16:42:54 node2 ncs-resourced: POOLDATA20_SERVER.unload: /bin/sh: /var/run/ncs/POOLDATA20_SERVER.unload: No such file or directory
    Aug 20 16:42:54 node2 ncs-resourced: resourceMonitor: POOLDATA20_SERVER unload status=127
    I tried to change the configuration using a new.conf file like it is in the documentation:
    CONFIG_NCS_CLUSTER_DN="cn=svr1_oes2_cluster.o=context"
    CONFIG_NCS_LDAP_INFO="ldaps://10.1.1.102:636,ldaps://10.1.1.101:636"
    CONFIG_NCS_ADMIN_DN="cn=admin.o=context"
    CONFIG_NCS_ADMIN_PASSWORD="password"
    As the root user, enter the following command at a command prompt:
    /opt/novell/ncs/install/ncs_install.py -l -f new.conf on node1 and on node2
    and then cluster exec "/opt/novell/ncs/bin/ncs-configd.py -init"
    I rebooted node2 but it is exactly the same.
    Any idea?
    Stphane

    Originally Posted by changju
    Hi Stphane,
    This is the key of the failure,
    Aug 20 16:42:17 node2 ncs-resourced: LDAP failed: <class 'ldap.SERVER_DOWN'>
    Somehow, it looks like the Python LDAP on node2 couldn't connect to the LDAP servers (10.1.1.102:636 or 10.1.1.101:636).
    Please first make sure that LDAP is up and running on the two servers.
    Please check file "/etc/opt/novell/ncs/clstrlib.conf" to make sure that you have something like this,
    p4
    S'ldaps://10.1.1.102:636,ldaps://10.1.1.101:636'
    If not, you need to modify file "new.conf" and run command "/opt/novell/ncs/install/ncs_install.py -l -f new.conf" on node2 again.
    You can then check the result of the installation in file "/var/opt/novell/install/ncslog", or you can simply run command "/opt/novell/ncs/bin/ncs-configd.py -init" on node2 to try to pull down the latest NCS configuration.
    If "/opt/novell/ncs/bin/ncs-configd.py -init" churns out a bunch of "dos2unix" messages (and pulls down the scripts for the new resources at "/var/opt/novell/ncs"), you should be able to migrate the resource.
    Regards,
    Changju
    Thank you very much Changju.
    I was not aware of this log file; it was very helpful.
    Apparently a TLS issue for my 2 LDAP servers. I changed it to ldap instead of ldaps and it is working now.
    Strange, because I was able to connect using ldaps with an LDAP browser to the 2 nodes.
    Again, thank you
    Stphane

  • OBIEE 11g Security LDAP Issue

    Hi,
    I have an issue where certain LDAP users who were once able to log into OBI 11g now cannot.
    This has only happened for those users who I have used the proxy ('Act As') functionality on, i.e. if UserA can log in, and the Administrator Acts As UserA, after an OBI restart UserA cannot log in anymore.
    I have narrowed this issue down to the presentation catalog. If I swap the current catalog with the SampleAppLite catalog for example, the problem goes away, i.e. the LDAP user (UserA in the example above) can log in fine.
    I have also noticed while accessing the catalog via Catalog Manager that the Administrator cannot access the 'System' folder. This is with reference to the original catalog (which causes the issue with UserA above) that was upgraded from 10g to 11g.
    Any ideas?
    Thanks.

    This is going to be almost impossible to diagnose without being logged in, in front of your application.
    As a starting point I would recommend you check the permissions on each catalog element. Go to Catalog link > Change view to 'Admin View' > Catalog Root and then use the permissions link for that item and everything below. Ticking 'Show Hidden Items' will let you see the System folders.
    Also check the privileges (Administration > Manage Privileges) as I seem to remember that the 'Act as Proxy' privilege is denied out of the box. Maybe something here is amiss.
    It might be easiest to bite the bullet and create a new web catalog from scratch!
    Paul

  • ISE Distributed System - AD join issue

    Hi,
    We have deployed 04 ISE nodes in the following scenario (ISE ver 1.1.2.245):
    1 ISE - Primary (A) Secondary (M)
    2 ISE - Primary (M) Secondary (A)
    3 ISE - Policy Service (PDP)
    4 ISE - Policy Service (PDP)
    When integrating with AD, we can integrate only the 1 ISE. NTP, timezone and DNS are working on all 04 boxes perfectly. We are getting the attached error while integrating AD with the other ISE nodes.
    In the above scenario, which ISE nodes should have AD joined: only the PDPs, or should all 04 nodes be joined?
    Can someone please advise? Please see the attached screenprints for the deployment and the detailed error while joining to AD.
    Thanks in advance.

    Hi Neno,
    Below are the debug logs for AD joining. I can see the below two issues, but don't know how to find the solution.
    1) (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    2) SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state ProbePorts complete for hqv-dcs-02.xxx.gov.qa. Elapsed time 0.014737 secs
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.kerberos.keytab GetSaltFromKDC returns: xxx.GOV.QAAdmin-Asif
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.aduser getSalt update: user:[email protected] salt:xxx.GOV.QAAdmin-Asif
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:47 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqp-dcs-01.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:53:49 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DIAG  base.bind.ad connectToServiceInDomain: Failed to connect to hqp-dcs-01.xxx.gov.qa:389: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _ldap._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Attempting to connect to a DC in site 'xxxsite'
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connecting to hqv-dcs-02.xxx.gov.qa:389
    Mar  3 09:54:04 xxx-TW-ISE-2 adjoin[27660]: DIAG  base.bind.ldap 10.0.11.52:389 fetch dn="" filter="(objectclass=*)" timeout=11
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG lrpc.adobject new object:
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Connected root=DC=xxx,DC=gov,DC=qa, domain=xxx.GOV.QA functionality=3
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Address of hqv-dcs-02.xxx.gov.qa is 10.0.11.52
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Performing LDAP binding with GSSAPI mechanisms to server - hqv-dcs-02.xxx.gov.qa
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findkdc KDC locator for xxx.GOV.QA
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domaincontroller: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.xxxsite._sites.xxx.gov.qa
    Mar  3 09:54:06 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST: SniffList: postfailsort=hqv-dcs-02.xxx.gov.qa, hqp-dcs-01.xxx.gov.qa
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=Kerberos : SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm" (reference base/adbind.cpp:495 rc: -1765328228)
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG network.state NST:reportFailure: hqv-dcs-02.xxx.gov.qa
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad connectToList: Failed to connect to hqv-dcs-02.xxx.gov.qa:389: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Cannot contact any KDC for requested realm"
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.osutil Module=LDAP : reconnect failed (reference base/adbind.cpp:785 rc: -11)
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG base.bind.ad Destroying binding to 'xxx.GOV.QA'
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting zonename to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting schema to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting zone to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.dc.xxx.gov.qa: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting domaincontroller to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting site to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting domain to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting prew2k.host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin Unexpected LDAP Error Connect error
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin  due to unexpected configuration or network error.
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG cli.adjoin Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: DEBUG util.settings Setting prew2k.host to
    Mar  3 09:54:21 xxx-TW-ISE-2 adjoin[27660]: INFO  cli.adjoin Join to domain 'xxx.gov.qa', zone 'null' failed.
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27666]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27666]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27668]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:23 xxx-TW-ISE-2 adinfo[27668]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:33 xxx-TW-ISE-2 adinfo[28164]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:33 xxx-TW-ISE-2 adinfo[28164]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:44 xxx-TW-ISE-2 adinfo[28172]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:44 xxx-TW-ISE-2 adinfo[28172]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:54 xxx-TW-ISE-2 adinfo[28900]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:54:54 xxx-TW-ISE-2 adinfo[28900]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:05 xxx-TW-ISE-2 adinfo[28905]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:05 xxx-TW-ISE-2 adinfo[28905]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:16 xxx-TW-ISE-2 adinfo[28907]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:16 xxx-TW-ISE-2 adinfo[28907]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:27 xxx-TW-ISE-2 adinfo[28911]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:27 xxx-TW-ISE-2 adinfo[28911]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:38 xxx-TW-ISE-2 adinfo[28913]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:38 xxx-TW-ISE-2 adinfo[28913]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:49 xxx-TW-ISE-2 adinfo[28920]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:55:49 xxx-TW-ISE-2 adinfo[28920]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:56:00 xxx-TW-ISE-2 adinfo[28988]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:56:00 xxx-TW-ISE-2 adinfo[28988]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)
    Mar  3 09:56:11 xxx-TW-ISE-2 adinfo[29010]: DEBUG util.except (IO) : Cannot open file /var/centrifydc/kset.domain: No such file or directory (reference util/setting.cpp:106 rc: 2)

  • Cisco ISE CPU/Memory Upgrade

    Hello Everyone,
    I have a Cisco ISE in a VMware environment and I need to upgrade the CPU/memory in my Policy Service Node.
    How can I perform this? Is it only a matter of increasing the memory/CPU in the VMware machine environment?
    Tks.

    Rafael,
    That would be what I would strongly recommend, since it is not documented what the best practices are from Cisco, and with the ISE database being sensitive to how the hard disks are presented, I would strongly suggest starting fresh in order to rule out any stability-related issues (if you face them) in the future.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Can't make OD master - LDAP issue?

    So, I upgraded my 10.6 to 10.7 and also downloaded server with it. I'm trying to turn my computer into an OD master.
    I made my computer a DNS server - I can dig my IP and my FQDN. No problems.
    When I go to make an OD master it tells me it failed and to go to the documentation (I don't see that online yet).
    When I go to Console and take a peek at my logs I start with a
    nstat_lookup_entry failed: 2
    And then I get several errors about LDAP server
    [PasswordServerPrefsObject getsearchbase]: Unable to locate search base: -1 Can't contact LDAP server
    [PasswordServerPrefsObject loadXMLdata]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    There are another 10 similar complaints, and then the whole process fails with -1 when applying directory role change.
    Anyone have any ideas? I keep hoping this is something easy I'm missing...

    I am having this same issue after migration today! Anyone have a solution? My open directory is offline (according to server admin that I installed).
    That log says..
    Feb  4 07:33:11 server servermgrd[136]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    Feb  4 07:33:11 server servermgrd[136]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    Feb  4 07:33:11 server servermgrd[136]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    Feb  4 07:33:11 server servermgrd[136]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    In Directory Utility my LDAP didn't move in the migration... however, when I set it up... it still doesn't work.
    Anyone know the secret sauce?

  • ISE 1.2 Posture Update Issue

    In ISE 1.2 the message below is shown when we do a web posture update, either manual or automatic.
    "Remote address is not accessible. Please make sure update feed url, proxy address and proxy port are properly configured".
    It was working fine for a long time and all of a sudden it stopped working,
    and no changes have been made on the network side.
    https://www.cisco.com/web/secure/pmbu/posture-update.xml is working in the browser.
    A few customers have reported the same. Boxes are installed with the latest patch, version 7.
    We can upload the updates through offline mode.

    I have experienced the same issue. Both the posture update feed URLs
    1. https://www.cisco.com/web/secure/pmbu/posture-update.xml
    2. https://www.perfigo.com/ise/posture-update.xml
    give the same error when the ISE boxes try to do the updates. But these URLs are accessible from outside.
    A TCP dump taken from a box shows a "Certificate unknown" alert (when it tries to update) for the certificate received from the other end. Then the ISE box sends a (FIN,ACK) and terminates the session.
    The relevant pcap file is attached.
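
The capture described above shows the ISE node, acting as TLS client, refusing the certificate it received from the feed server. The following is an added example, not part of the thread and not Cisco code, that walks the client-to-server bytes of such a session and extracts plaintext certificate alerts; the byte stream is constructed for illustration.

```python
import struct

ALERT = 21  # TLS record content type for alerts
LEVELS = {1: "warning", 2: "fatal"}
# Certificate-related alert descriptions (RFC 5246 section 7.2)
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

def iter_records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack(
            "!BBBH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break  # capture ends mid-record
        yield ctype, payload
        offset += 5 + length

def find_cert_alerts(stream):
    """Return [(level, description)] for plaintext certificate alerts."""
    found = []
    for ctype, payload in iter_records(stream):
        # A plaintext alert is exactly two bytes; an encrypted one is longer.
        if ctype == ALERT and len(payload) == 2:
            level, desc = payload
            if desc in CERT_ALERTS:
                found.append((LEVELS.get(level, "unknown"), CERT_ALERTS[desc]))
    return found

# Constructed client-to-server stream: a placeholder handshake record
# followed by a fatal certificate_unknown alert (level 2, description 46).
SAMPLE_CLIENT_STREAM = (
    bytes([22, 3, 1, 0, 4, 1, 0, 0, 0])
    + bytes([21, 3, 3, 0, 2, 2, 46])
)

if __name__ == "__main__":
    print(find_cert_alerts(SAMPLE_CLIENT_STREAM))
```

An alert sent by the client means the client found the server's certificate unacceptable, so the place to look is the client's certificate validation rather than reachability of the URL.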

  • After ISE 1.2 upgrade I get "5413 RADIUS Accounting-Request dropped."

    Hello,
    I have a two admin node setup for ISE. I just upgraded one of my two ISE Admin nodes to Version 1.2. I still have one of my admin nodes at 1.1.4. When I disable my Version 1.1.4 node and allow wireless authentications to be handled by the Version 1.2 node I get the message... "5413 RADIUS Accounting-Request dropped". None of my wireless edge devices will be allowed on the network during this time. When I re-enable my 1.1.4 node my wireless devices are then allowed on the network.
    I am currently using ISE to authenticate wireless connectivity.
    I also get the failure reason... "11038 RADIUS Accounting-Request header contains invalid Authentication field".
    Any ideas?
    Bob

    The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret RADIUS key matches on both the WLC and ISE servers. I would try clearing the WLC connection for the test user when switching. Just turning off wireless and back on doesn't do it. Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients? What type of certificate is presented, public or private?
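
The "invalid Authentication field" reason quoted in the question refers to the Authenticator in the Accounting-Request header, which RFC 2866 defines as an MD5 over the packet and the shared secret. The following is an added example, not part of the thread and not Cisco code, showing how a secret that differs on one server makes that server reject every accounting packet; the secrets, session id and user name are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request

def request_authenticator(identifier, attributes, secret):
    """RFC 2866 sec. 3: MD5(Code+ID+Length+16 zero octets+attributes+secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         20 + len(attributes))
    return hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()

def build_accounting_request(identifier, attributes, secret):
    """What the NAS (here, the WLC) does before sending."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         20 + len(attributes))
    return header + request_authenticator(identifier, attributes, secret) + attributes

def verify_accounting_request(packet, secret):
    """What the RADIUS server does on receipt; False means the packet is rejected."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    expected = request_authenticator(identifier, packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected)

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

# Constructed sample values, not taken from the thread.
SAMPLE_ATTRS = (
    attr(40, struct.pack("!I", 1))          # Acct-Status-Type = Start
    + attr(44, b"constructed-session-01")   # Acct-Session-Id
    + attr(1, b"testuser")                  # User-Name
)
WLC_SECRET = b"constructed-secret-A"
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, WLC_SECRET)

if __name__ == "__main__":
    print("node with matching secret:", verify_accounting_request(SAMPLE_PACKET, WLC_SECRET))
    print("node with different secret:", verify_accounting_request(SAMPLE_PACKET, b"constructed-secret-B"))
```

Because the secret is hashed in as raw bytes, a trailing space or a different case on one node fails the check just as a completely different secret does.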
