ISE node not becoming standalone after deregistration

I am seeing a weird problem.
I deregistered secondary admin/monitor node from primary admin/monitor node. I see successfully deregistered message.
But the deregistered node is still showing SEC(A) and SEC(M). It is not changing to standalone mode.
This is disrupting the upgrade of distributed deployment of ISE nodes.
Any clues?

Bug details:
Secondary node never becomes standalone after de-registration
The secondary node is de-registered successfully but a "The following deregistered nodes are not currently reachable: . Be sure to reset the configuration on these nodes manually, as they may not revert to Standalone on their own." message appears to the administrator.
Workaround: Log in to the administrator user interface with internal Cisco ISE administrator credentials when de-registering a node.
Actually we had two accounts in the web GUI. The nodes were registered using one account and, during the upgrade, I used a different account, which triggered this bug.

Similar Messages

  • ISE NODE NOT REACHABLE when building distributed deployment

    I am trying to build a distributed deployment with the following personas:
    2 policy admin nodes
    2 monitoring nodes
    4 policy service nodes
    This was a project that was partially implemented but never in production. It was in a distributed deployment, but half the nodes were no longer working (http errors or devices weren't reachable or could not sync). I decided to start from scratch. All nodes were:
    -de-registered
    -application was reset to factory defaults on all nodes
    -upgraded all 8 nodes to 1.1.4.218 patch 1
    -installed all new certs and joined all nodes to the domain
    -added to DNS forward and reverse lookup zones
    When I make 1 admin node primary and register the other nodes (secondary admin, monitoring, policy services) the nodes successfully register and show up in the deployment window of the primary; however, all the nodes show as NODE NOT REACHABLE. After registration, I've noticed that the registered nodes are still showing as STANDALONE if I access the GUI. I've tried rebooting them manually after registration and they are still unreachable. I have also tried resetting the database user password from the CLI on both admin nodes and the results are always the same.

    Originally I had added them all at the same time. I thought that maybe I just wasn't waiting long enough for the sync. I waited an entire day and all the nodes were still unreachable. At this point, I've de-registered all the nodes, rebooted all the nodes, converted the primary back to standalone (the remaining nodes never converted from standalone to distributed even when I rebooted them after registering despite a message that they were successfully registered), converted one node back to primary and tried to register just the secondary admin node giving it plenty of time to sync; this node is still not reachable from the primary.
    I've quadruple checked the certificates on all the nodes, these certs were all added on the same day (just last week) and the default self-signed certs were removed.
    I had restored from a backup on the primary so I might just reset the config on that node and try joining the other nodes before I restore again.

  • ISE Nodes both become Primary

    Hi,
    We are deploying 2 x 3415 ISE appliances for a customer as a Primary/Secondary admin cluster. We are running Version 1.2.0.899-5-93975. Everything was going to plan with the deployment and when we manually promoted the Secondary all worked well. We then attempted some testing prior to going into production. We simulated a switch port failure which in effect isolated our Primary ISE. We then promoted our Secondary ISE and resolved the switch issue so we then had both ISE's as Primary Admins. It would be good at this point to simply 'demote' the Secondary back to Secondary but this is not an option. We tried to break the cluster by de-registering the Secondary from the Primary. We then got into a situation where we couldn't fully break the cluster and the end result is that the secondary is showing a 500-Internal error (see attached) and we are unable to browse to the GUI. I suspect I need to re-image the secondary now and re-join it back to the cluster.
    Is there anything documented as to how to recover from a situation where both appliances become Primary? You would think this should be fairly straightforward. Also, has anyone come across the 500-Internal error when attempting to log into the appliance, and if so, how did you resolve it? From the CLI all services are running.
    Any assistance/guidance would be appreciated,
    Dean

    I have the same scenario as yours:  ise1 is primary Admin/MNT and ise2 is secondary Admin/MNT.  ise1 ip address is 192.168.1.1/24 and ise2 is 192.168.1.2/24.  They are both on the same subnet.
    simulate a disaster: shutdown the switchport that ise1 is connected to.
    1- manually promote ise to primary Admin/MNT.  After that make a bunch of changes to ise2.
    2- bring back ise1.  At this point, both ise1 and ise2 are shown as Primary Admin
    3- from the WebUI in ise2, highlight ise and hit the button "sync-up".  That will force ise1 to become Secondary Admin
    4- Once everything is sync'ed, log into the ise1 WebUI and manually promote ise1 to be Primary Admin/MNT again.
    Does that make sense?

  • ToDos do not become hidden after completed?

    Inside of iCal there's a setting to "hide the todo after XX amount of days" .... is there an equivalent in Mail, since the ToDos are synchronized between the two?
    What's happening for me is that my Mail ToDos keep getting longer despite having finished the ToDos long ago, and checking them off long ago (either in Mail or iCal).

    AFAIK, nothing like this exists in Mail. I suggest you delete old completed ToDos.

  • ISE does not register nodes - (blank pop-up window)

    Hello everyone !
    There is Cisco ISE 1.1.4.218 (all 8 patches) consisting of 6 nodes (2 admin, 2 monitors, 2 policy) on virtual machines.
    When testing failover between policy nodes, one of the policy nodes was removed from the deployment. The result of attempting to register this node is a blank warning pop-up window; registration stops without the policy node being registered (screenshot in attachment). The same thing happens when I try to register a secondary monitoring node (that was removed earlier, as in the case of the policy node). I also attach a portion of the log file taken from the admin node (CLI) at the moment of the attempts to register the policy / monitoring nodes.
    DNS is OK (defined on both sides), and all certificates are valid.
    Maybe somebody has already found a similar mistake?
    Sincerely,
    Andrey

    Please check the following prerequisites:
    • The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
    • The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
    • Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
    • You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    • If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    • If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
    • Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
    • After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

  • ISE node registering after change domain-name

    At the customer site I changed the domain name of our 4 ISE servers before they were registered to any deployment. I regenerated a self-signed certificate and started to register the other nodes to the deployment. This went well for the 2 PSN nodes, which have an IP address in a different subnet. I tried to register the presumed secondary PAN/MnT node and got the following error message:
    "Node beiing registerd has FQDN 'ISE-PAN-AP02.office.intern' which cannot be resolved. Please check your DNS configuration."
    My DNS config is in order.
    Can anyone please tell me what could possibly be the cause of this?

    Please check these prerequisites:
    • The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
    • The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
    • Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
    • You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    • If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    • If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
    • Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
    • After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

  • Getting Error while registering ISE Node

    Hi All,
    I am getting below error.
    Communication failure with the host 162.12.95.167. Please check the information for the target machine, or if the target machine is accessible and try again.                
    I am Able to ping as well from primary node
    Output of ping:
    PING 162.12.95.167 (162.12.95.167) 56(84) bytes of data.
    64 bytes from 162.12.95.167: icmp_seq=1 ttl=58 time=1.02 ms
    64 bytes from 162.12.95.167: icmp_seq=2 ttl=58 time=1.05 ms
    64 bytes from 162.12.95.167: icmp_seq=3 ttl=58 time=1.05 ms
    64 bytes from 162.12.95.167: icmp_seq=4 ttl=58 time=0.955 ms
    64 bytes from 162.12.95.167: icmp_seq=5 ttl=58 time=1.02 ms
    --- 162.12.95.167 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4000ms
    rtt min/avg/max/mdev = 0.955/1.019/1.051/0.053 ms

    Hello Sachin-
    Couple of questions:
    1. Is there a firewall between the two nodes that you are trying to cluster? If yes, then have you confirmed that all of the necessary ports and protocols are opened between them?
    2. What version of ISE are you using?
    3. Can you confirm that both devices are added in DNS and that both devices can ping each other via their FQDNs?
    On a side note here are the prerequisites for clustering nodes:
    • The fully qualified domain name (FQDN) of the standalone node that you are going to register, for
    example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node.
    Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes
    that are part of your distributed deployment in the DNS server.
    • The primary Administration ISE node and the standalone node that you are about to register as a
    secondary node should be running the same version of Cisco ISE.
    • You must configure the Cisco ISE Admin password at the time you install the Cisco ISE. The
    previous Cisco ISE Admin default login credentials (admin/cisco) are no longer valid.
    • Use the username/password that was created during the initial Setup or the current password, if it
    was changed later.
    • The DB passwords of the primary and secondary nodes should be the same. If these passwords are
    set to be different during node installation, you can modify them using the following commands:
    – application reset-passwd ise internal-database-admin
    – application reset-passwd ise internal-database-user
    • You can alternatively create an administrator account on the node that is to be registered and use
    those credentials for registering that node. Every ISE administrator account is assigned one or more
    administrative roles. To register and configure a secondary node, you must have either the Super
    Admin or System Admin role assigned. See Cisco ISE Admin Group Roles and Responsibilities for
    more information on the various administrative roles and the privileges associated with each of
    them.
    • If you plan to register a secondary Administration ISE node for high availability, we recommend
    that you register the secondary Administration ISE node with the primary first before you register
    other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart
    the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    • If you plan to register multiple Policy Service ISE nodes running Session services and you require
    mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group.
    You must create the node group first before you register the nodes because you must select the node
    group to be used on the registration page.
    See the “Creating, Editing, and Deleting Node Groups”
    section on page 9-21 for more information.
    • Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate
    Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the
    standalone node (that you are going to register as the secondary node).
    Thank you for rating!

  • Ise node is not reachable after upgrading 1.2

    Hi, I was using a beta version of ISE with 1.2.834 code, and now that the official release has come out, I upgraded it.
    After that, the ISE is not communicating with AD, and when I go to download logs, it says the node is not reachable even though it is in STANDALONE mode.
    Does anyone know how to work around this?
    Should I just delete everything and start from scratch?

    The ISE is not communicating with the AD, so you have to rejoin the domain. For this purpose, please take the following actions:
    Go to Administration > Identity Management > External Identity Stores and select Active Directory from the left-hand pane.
    Click Join at the bottom of the configuration page.
    Also, please check the LDAP port.

  • ISE 1.1.3.124 secondary node not reachable after registration

    G'day All,
    I'm constantly seeing the sync and replication status for my secondary admin/monitor node in the primary node as node not reachable. The secondary still thinks it is in standalone mode. When I run the ISE diag tool connectivity tests I am able to successfully ping the devices from each other using both hostname and IP, and the nslookup also works fine between both nodes. Ping and nslookups also work from different networks within the environment. The two nodes are in the same VLAN on a 6500 VSS pair but on different switches of the pair. I'm new to ISE so any help is greatly appreciated.
    Thanks All.
    JS
    Sent from Cisco Technical Support iPhone App

    Hi Saurav,
    Thanks for your prompt response...
    I have worked through that section of the document. The registration completes successfully, I've got NTP sync on both nodes and the system time on both nodes is identical.
    I am only using the self signed certificates, but following the user guide instructions I have imported the secondary's cert into the primary node.
    Just as of about 30 minutes ago, I saw an alarm on the Secondary ISE node stating that a Slow or Stuck Replication has been detected...
    As I said in the original post, I can ping the fqdn's from each other so it appears that the DNS requirements have been satisfied.
    I've changed the admin account password, I am certain that the ISE DB passwords are correct and the same on both nodes, and the timezones for both nodes are the same also....
    It looks to me that registration is fine, but the first full replication isn't completing successfully
    Thanks,
    JS

  • NODE-NOT-REACHABLE on ISE

    Primary ISE node (Serving Admin and Monitor personas) is showing two of the PSNs as "NODE-NOT-REACHABLE" under Replication Status on Deployment page on GUI. It can ping the PSNs and PSNs are actually registered to the Primary admin/monitor node. How can I fix this?
    Thanks,
    Kashish

    Hi,
    I found the issue on my network and it was due to a different DNS record.
    Simple way to check is issuing a dns lookup from admin node cli of the problem node. Then repeat from problem node attempting to resolve admin node.
    Then if that looks good you can issue the command on both nodes...
    Show logging application ise tail,
    That output should give you a listing of the nodes in the ise deployment and the ip addresses of each node.
    Thanks.
    Sent from Cisco Technical Support Android App
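
The forward and reverse lookup comparison described in the reply above, as an added example that is not part of the original thread or any Cisco tooling: it checks each deployment node's A record against the address the node actually uses, and the PTR record back to the same FQDN. The host names, addresses and DNS contents are constructed; the default resolvers use the local machine's DNS view, so run it from a host that queries the same DNS servers as the ISE nodes.

```python
import socket

# Constructed sample deployment: FQDN -> address the node is configured with.
SAMPLE_NODES = {
    "ise-pan1.example.test": "192.0.2.11",
    "ise-psn1.example.test": "192.0.2.21",
    "ise-psn2.example.test": "192.0.2.22",
}

# Constructed DNS contents: psn1 has a stale A record, psn2 has no PTR record.
SAMPLE_A = {
    "ise-pan1.example.test": {"192.0.2.11"},
    "ise-psn1.example.test": {"192.0.2.99"},
    "ise-psn2.example.test": {"192.0.2.22"},
}
SAMPLE_PTR = {
    "192.0.2.11": "ise-pan1.example.test.",
    "192.0.2.21": "ise-psn1.example.test",
}


def forward_lookup(fqdn):
    """Return the set of IPv4 addresses the local resolver gives for fqdn."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def reverse_lookup(ip):
    """Return the PTR name for ip, or None if there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_nodes(nodes, forward=forward_lookup, reverse=reverse_lookup):
    """Compare DNS against the expected FQDN -> IP mapping.

    Returns a list of (fqdn, kind, detail) tuples; an empty list means every
    node resolves forward and backward to the expected values.
    """
    problems = []
    for fqdn, expected_ip in nodes.items():
        addrs = forward(fqdn)
        if not addrs:
            problems.append((fqdn, "A_MISSING", "no A record"))
        elif addrs != {expected_ip}:
            detail = "resolves to %s, expected %s" % (sorted(addrs), expected_ip)
            problems.append((fqdn, "A_MISMATCH", detail))

        ptr = reverse(expected_ip)
        if ptr is None:
            problems.append((fqdn, "PTR_MISSING", "no PTR for %s" % expected_ip))
        elif ptr.rstrip(".").lower() != fqdn.lower():
            detail = "%s points to %s" % (expected_ip, ptr)
            problems.append((fqdn, "PTR_MISMATCH", detail))
    return problems


def check_sample():
    """Run the check against the constructed DNS contents (no network needed)."""
    return check_nodes(
        SAMPLE_NODES,
        forward=lambda name: SAMPLE_A.get(name, set()),
        reverse=SAMPLE_PTR.get,
    )


if __name__ == "__main__":
    for fqdn, kind, detail in check_sample():
        print("%-24s %-13s %s" % (fqdn, kind, detail))
```

Calling `check_nodes()` with only the node mapping uses live DNS; because the answer depends on which resolver is queried, repeat it from a host on each side, as the reply suggests doing from both node CLIs.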

  • Cisco ISE deregister node not available

    Hello,
    I installed two ISE nodes and registered the second node. Yesterday I saw an error message: Sync failed, deregister and register the second node.
    I deregistered the second node and tried to register it again, but it did not work. Now, the second node is showing in the first node but I cannot deregister or register it again. How can I deregister the second node to register it again?

    This seems to be an issue with invalid certificates. Have you already checked the certificates on both sides? Also, restart the services of the secondary nodes once and check again.
    As a next step, we need to look inside ise-psc.logs to further troubleshoot this issue.
    Regards,
    Jatin Katyal
    **Do rate helpful posts**

  • iPhone 6 becomes mute after reboot or turn off, this does not happen to my iPhone 5, how to fix it?

    My iPhone 6 becomes mute after reboot; I always unmute it after rebooting. This does not happen on my iPhone 5. How do I fix it?

    Use the side control and put your phone on ringer instead of mute.

  • After purchasing the Auto-Renewable subscription, the latest issue did not become available

    Hi, I have a problem with my app: After purchasing the Auto-Renewable subscription, the latest issue did not become available for download/reading.
    These are the steps I took:
    1. I selected one of the options for subscribe
    2. Gone through In App Purchase
    3. After going through the In App Purchase, app updates the library
    4. After updating the library, the latest issue, is not available for download. It still has "Buy" button
    The ios certificates seems ok (redone many times), same steps of other 3 apps I already done.
    The In-app purchase Product ID are the same in the iTunes Connect and in the app through Viewer Builder (latest version with v19 tools)
    In Adobe dashboard the shared secret are set properly, paywall disabled
    Somebody had the same problem and can help me? I don't know really what else I can do
    Thanks in advance

    Today in iTunes Connect I created a new in-app and auto-renewable subscription with a new id, rebuilt the app with v20 tools and the new in-app purchase ids, deleted the free issue and the in-purchase issue in the Adobe dashboard and uploaded from my original InDesign files again (the free one with yesterday's publication date, the other with today's date), tested everything in the sandbox and... everything works fine; after the subscription purchase the button became "download". I was happy and I sent the new app to Apple again (fourth time) for approval. Only a few hours later Apple started the review (this was amazing because it usually takes at least 5 days). One hour later I received the "reject" state again:
    After purchasing the Auto-Renewable subscription, the latest issue did not become available for download/reading. Please see below for the steps to reproduce the issue:
    1. Launch app
    2. Tap Subscribe
    3. Select any of the options for subscribe, for example, 3-month subscription as shown in the screenshot 0496
    4. Go through In App Purchase
    5. After going through the In App Purchase, app updates the library
    6. After updating the library, the latest issue, in this case 327 - Maggio 2012, is not available for download. It still has "Buy" button as shown in the screenshot 0497
    Now the question is: why did it work well on my 2 iPads but Apple found the same error again?
    Where's the problem? I really need help from some Adobe experts; the "Gold support" doesn't really support me at all... I wrote a long email with all the details and the answer was one line, and after my answer they disappeared...
    In this case unpublish folio and change publication date manually from folio producer and then republish it.
    Please follow below link:
    http://helpx.adobe.com/digital-publishing-suite/kb/subscription-fail-ios-renditions.html

  • HT4623 I have a doubt whether my iPhone 4 will work properly, as I heard it becomes slow after updating to iOS 7; can someone help me out with what to do?

    I have a doubt whether my iPhone 4 will work properly, as I heard it becomes slow after updating to iOS 7; can someone help me out with what to do?

    Hello there, morganbailey02.
    The following Knowledge Base article provides some great steps for troubleshooting your issue:
    iOS: Unable to update or restore
    http://support.apple.com/kb/HT1808
    Thanks for reaching out to Apple Support Communities.
    Cheers,
    Pedro

  • Error while registering ISE node

    Getting this error while trying to register a newly built standalone VM node  on primary admin node.
    'admin' is not authorized to register ISE Node <node name>. Please check the credentials and/or privileges.
    admin is the only account on the newly built VM node and admin has full privileges on primary admin node as well. I have done the registering process before as well and this is the first time I have seen this error... Any thoughts?

    Hello Kashish,
    Though I assume it's been almost a week and you might have solved this by now, it may help others facing a similar problem.
    When a node is registered with the primary, the primary node connects to the node to be registered, and the primary node itself needs to authenticate against that node.
    You need to specify the Admin user password of the ISE node that you want to register. Make sure, by logging on to the Web UI of the ISE node you want to register, that you have the admin user password. Otherwise you should create / reset the admin user for the web UI of the node to be registered.
    Regards,
    Ashok
