Primary administration ISE nodes failed

Hi All,
I'm going to implement 3 ISE with destributed deployment, 1 ISE will configured as Administration & Monitoring node, and the others as dedicated Policy Service node.
My questions are :
1. If the Administration & monitoring node failed, are the authentication, authorization and posture still can be running well on the client ?
2. Can we promote the dedicated Policy Service Node as  the new administration & monitoring nodes ? If can, how the procedure for promoting it? it's just as simple as promoting the secondary nodes (in case we have primary and secondary nodes) or there is others effort, such as must restoring the database or etc?
Thanks?
Regards,
Rian

Hi,
When the primary administration node fails. The psns will still continue to function and enforce policies.
Since you have a single administration node and if the that node has to be rebuilt, all other nodes will also have to be reset to factory then re registered once the primary node is ready again.
In that case you can open a tac case yo have them assist in pulling your database from one of the psn nodes.
As always this is my observations and what I would do if I was in the situation, we can wait for a cisco engineer to respond or you can post this question in a tac case to make sure there isn't an upcoming feature which addresses this scenario.
Sent from Cisco Technical Support Android App

Similar Messages

  • ISE node registering after change domain-name

    At Customer Site I changed the domain name of our 4 ISE server before they were registered to any deployment. I regenerated a self signed certificate and started to register the other nodes to the deployment. This went well for the 2 PSN nodes which have a ip address in a different subnet. I tried to register the presumed secondarry PAN/MnT node and got the following error message "
    Node beiing registerd has FQDN 'ISE-PAN-AP02.office.intern' which cannot be resolved. Please check your DNS configuration."
    My DNS config is in order.
    Can anyone please tell me want possible can be the cause of this?

    Please check these Prerequisites:
    The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node.  Otherwise, node registration will fail. You must enter the IP addresses  and FQDNs of the ISE nodes that are part of your distributed deployment  in the DNS server.
    •The  primary Administration ISE node and the standalone node that you are  about to register as a secondary node should be running the same version  of Cisco ISE.
    •Node  registration fails if you provide the default credentials (username:  admin, password: cisco) while registering a secondary node. Before you  register a standalone node, you must log into its administrative user  interface and change the default password (cisco).
    •You  can alternatively create an administrator account on the node that is  to be registered and use those credentials for registering that node.  Every ISE administrator account is assigned one or more administrative  roles. To register and configure a secondary node, you must have one of  the following roles assigned: Super Admin, System Admin, or RBAC Admin.  See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
    •If  you plan to register a secondary Administration ISE node for high  availability, we recommend that you register the secondary  Administration ISE node with the primary first before you register other  Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence,  you do not have to restart the secondary ISE nodes after you promote the  secondary Administration ISE node as your primary.
    •If  you plan to register multiple Policy Service ISE nodes running Session  services and you require mutual failover among those nodes, you must  place the Policy Service ISE nodes in a node group. You must create the  node group first before you register the nodes because you need to  select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
    •Ensure  that the Certificate Trust List (CTL) of the primary node is populated  with the appropriate Certificate Authority (CA) certificates that can be  used to validate the HTTPS certificate of the standalone node (that you  are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
    •After  registering your secondary node to the primary node, if you change the  HTTPS certificate on the registered secondary node, you must obtain  appropriate CA certificates that can be used to validate the secondary  node's HTTPS certificate and import it to the CTL of the primary node.  See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.

  • Getting Error while registering ISE Node

    Hi All,
    I am getting below error.
    Communication failure with the host 162.12.95.167. Please check the information for the target machine, or if the target machine is accessible and try again.                
    I am Able to ping as well from primary node
    Output of ping:
    PING 162.12.95.167 (162.12.95.167) 56(84) bytes of data.
    64 bytes from 162.12.95.167: icmp_seq=1 ttl=58 time=1.02 ms
    64 bytes from 162.12.95.167: icmp_seq=2 ttl=58 time=1.05 ms
    64 bytes from 162.12.95.167: icmp_seq=3 ttl=58 time=1.05 ms
    64 bytes from 162.12.95.167: icmp_seq=4 ttl=58 time=0.955 ms
    64 bytes from 162.12.95.167: icmp_seq=5 ttl=58 time=1.02 ms
    --- 162.12.95.167 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4000ms
    rtt min/avg/max/mdev = 0.955/1.019/1.051/0.053 ms

    Hello Sachin-
    Couple of questions:
    1. Is there a firewall between the two nodes that you are trying to cluster? If yes, then have you confirmed that all of the necessary ports and protocols are opened between them?
    2. What version of ISE are you using
    3. Can you confirm that both devices are added in DNS and that both devices can ping each other via their FQDNs
    On a side note here are the prerequisites for clustering nodes:
    • The fully qualified domain name (FQDN) of the standalone node that you are going to register, for
    example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node.
    Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes
    that are part of your distributed deployment in the DNS server.
    • The primary Administration ISE node and the standalone node that you are about to register as a
    secondary node should be running the same version of Cisco ISE.
    • You must configure the Cisco ISE Admin password at the time you install the Cisco ISE. The
    previous Cisco ISE Admin default login credentials (admin/cisco) are no longer valid.
    • Use the username/password that was created during the initial Setup or the current password, if it
    was changed later.
    • The DB passwords of the primary and secondary nodes should be the same. If these passwords are
    set to be different during node installation, you can modify them using the following commands:
    – application reset-passwd ise internal-database-admin
    – application reset-passwd ise internal-database-user
    • You can alternatively create an administrator account on the node that is to be registered and use
    those credentials for registering that node. Every ISE administrator account is assigned one or more
    administrative roles. To register and configure a secondary node, you must have either the Super
    Admin or System Admin role assigned. See Cisco ISE Admin Group Roles and Responsibilities for
    more information on the various administrative roles and the privileges associated with each of
    them.
    • If you plan to register a secondary Administration ISE node for high availability, we recommend
    that you register the secondary Administration ISE node with the primary first before you register
    other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart
    the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
    • If you plan to register multiple Policy Service ISE nodes running Session services and you require
    mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group.
    You must create the node group first before you register the nodes because you must select the node
    group to be used on the registration page.
    “Creating, Editing, and Deleting Node Groups”
    section on page 9-21 for more information.
    • Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate
    Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the
    standalone node (that you are going to register as the secondary node).
    Thank you for rating!

  • ISE admin , PSN and monitoring node fail-over and fall back scenario

    Hi Experts,
    I have question about ISE failover .
    I have two ISE appliaces in two different location . I am trying to understand the fail-over scenario and fall-back scenario
    I have gone through document as well however still not clear.
    my Primary ISE server would have primary admin role , primary monitoring node and secondary ISE would have secondary admin and secondary monitoring role .
    In case of primary ISE appliance failure , I will have to login into secondary ISE node and make admin role as primary but how about if primary ISE comes back ? what would be scenario ?
    during the primary failure will there any impact with users for authentication ? as far as PSN is available from secondary , it should work ...right ?
    and what is the actual method to promote the secondary ISE admin node to primary ? do i have to even manually make monitoring node role changes ?
    will i have to reboot the secondary ISE after promoting admin role to primary  ?

    We have the same set up across an OTV link and have tested this scenario out multiple times. You don't have to do anything if communication is broken between the prim and secondary nodes. The secondary will automatically start authenticating devices that it is in contact with. If you promote the secondary to primary after the link is broke it will assume the primary role when the link is restored and force the former primary nodes to secondary.

  • Ise node not becoming standalone after deregistration

    I am seeing a weird problem.
    I deregistered secondary admin/monitor node from primary admin/monitor node. I see successfully deregistered message.
    But the deregistered node is still showing SEC(A) and SEC(M). It is not changing to standalone mode.
    This is disrupting the upgrade of distributed deployment of ISE nodes.
    Any clues?

    Bug details:
    Secondary node never becomes standalone after de-registration
    The secondary node is de-registered successfully but a "The following deregistered nodes are not currently reachable: . Be sure to reset the configuration on these nodes manually, as they may not revert to Standalone on their own." message appears to the administrator.
    Workaround   Log in to the administrator user interface with internal Cisco ISE administrator credentials when de-registering a node.
    Actually we had two accounts in web gui, nodes were registered using one account and during upgrade, i used different account , which triggered this bug.

  • Best Practise for rebooting ISE Nodes?

    Hello Community,
    I administer an ISE installation with two nodes (I am not an ISE Specialist, my job is just to manage the user/mac-adresses... but now I have to move my ISE Nodes from one VMWare Cluster to another VMWare Cluster.
    (Both VMWare environments are connected to our enterprise network, but are different environments. vMotion not possible)
    I would shutdown ISE02, move it to our new VMWare environment and start it again.
    Than I would do this with our ISE01 Node...
    Are there any best practises for doing this? (Shutdown application first, stopl replikation etc)?
    Can I really simply reboot an ISE Node - or have I consider something bevor I doing this? After I doing this?
    Any tasks after reboot?
    Thank you for any answer!
    ISE01    
    Administration, Monitoring, Policy Service    
    PRI(A), SEC(M)
    ISE02    
    Administration, Monitoring, Policy Service    
    SEC(A), PRI(M)

    There is a lot to consider here.  If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change among other things.  If this is the case, create a new ISE VM in the new environment using the built in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment.  Then spin-up a new Secondary node and register it on the Primary.  Once this is done, you can re-host the license from your old environment onto your new environment.  You can use this tool to re-host:
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999
    If IP Addressing is to remain the same, it gets simpler. 
    First, and always, perform a configuration and operational backup.
    If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes.  Transfer them to the New Environment and turn them on, Primary Node first, of course.
    If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment.  Start the Secondary Node and when it is up, shut down the Primary Node.  Once services on the primary node have stopped, promote the Secondary Node to Primary Node.
    Transfer the OLD Primary Node to the New Environment and turn it on.  It should assume the role of Secondary Node.  If it does not, assign that role through the GUI.
    Remember, the correct way to shut down an ISE node is:
    application stop ise
    halt
    By using these commands, the risk of database corruption decreases by about 90% (Remember to always backup).
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Error while registering ISE node

    Getting this error while trying to register a newly built standalone VM node  on primary admin node.
    'admin' is not authorized to register ISE Node <node name>. Please check the credentials and/or privileges.
    admin is the only account on the newly built VM node and admin has full privileges on primary admin node as well. I have done the registering process before as well and this is the first time I have seen this error... Any thoughts?

    Hello Kashish,
    Though I assume its been almost a week's time and you might have solved this by now, but it may help others facing similar problem
    When a node is registered with the primary, the primary node would  connect with the node to be registered and the primary node itself needs  to authenticate against that node which is to be registered.
    You need to specify the Admin user password of the ISE node that you  want to register. Make sure by logging on to the Web UI of the ISE node  you want to register that you have the admin user password. Otherwise  you should create / reset admin user for web UI of the node to be  registered.
    Regards,
    Ashok

  • ISE Node Failure & Pre-Auth ACL

    Hi All,
    I would like to know that, what should be the best practice configuration for following points,
    1) Network access for end users/devices if both ISE nodes become unreachable ? how we can make sure that full network access should be granted if both ISE nodes become unavailable.
    2) What is the best practice for pre-auth ACL configuration if IP Phones are also in the network ?
    Here is the port configuration and pre-auth ACL which I am using in my network,
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30
    authentication event server dead action authorize vlan 30
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
      dot1x pae authenticator
    dot1x timeout tx-period 5
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks & Regards,
    Mujeeb

    Hi,
    I am using following configuration on the ports,
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command ?
    authentication event server dead action authorize vlan 30 ---> So in case if ISE nodes are unavailable then this port will be in VLAN 30 which is the actual VLAN ?
    authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if ISE nodes becomes available ?
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
      dot1x pae authenticator
    dot1x timeout tx-period 5
    Since I am using following ACL on the ports then user will have network access according to following ACL in case ISE nodes are unavailable ??
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks

  • ISE - posture fails

    Hello,
    I have a problem at the posture checking phase. NAC agent fails to check for posture compliance and remediation never takes place. The client browser is beeing redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)
    Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?
    Best regards,
    Kreso

    Hi Mohammed,
    as the TAC engineer and developer said, the problem is in the CA root certificate that was imported in DER format.
    Try exporting the root CA certificate (not the one issued to the ISE node by the CA,  but the one that is in the Certificate Store), convert it from PKCS#7,DER to X509,PEM format, delete the old CA root cert and import the one you just got as a result of conversion.
    You will need some Linux/UNIX box with OpenSSL tools installed. Suppose you exported the original cert to file named cert1.pem, when you try to read it using the following command, you get an error:
         # openssl x509 -in cert1.pem -inform DER -text
         unable to load certificate
    following some ASN error messages. To convert it use the following command:
         openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem
    Now you can read cert data using the command:
         openssl x509 -inform pem -in cert2.pem -noout -text
    The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.
    HTH,
    Kreso

  • ISE....uh.......No response from ISE node again...

    What is up with No Response from ISE Node ??
    Even though it sounds like the PSN node can't communicate with AD, it does authenticate and retrieving Groups, and attrbitues.
    How can I fix this ?
    why is it saying 'No Response from ISE Node ?

    Hi,
    Communication is fine between all ISE nodes, replications is COMPLETE for all nodes.
    I am running 1.1.4.218 with Patch 4 on all servers.
    I have 4 servers in my 8 servers-deployment that are in that strange AD status.
    The command "show logging application ise tail" does not show bad things. The DisplayName is always equal to the HostName which is the same as the HostAlias (with the domain name). Please see below.é
    Any ideas ?
    David
    Wed Sep 04 11:49:44 CEST 2013 : Poller wakeup...
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gcncsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gcncsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 9cec53f0-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gcncsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gcncsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 9cec53f3-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 9cec53f2-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 9cec53f1-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.97.32.223
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 9cec53f4-151f-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gcncsl0001ise.na.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gcncsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gjucsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gjucsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 346a29c0-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gjucsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gjucsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 346a29c1-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.32.67.223
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.254.0
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 346a29c2-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 346a29c3-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 346a29c4-1177-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gjucsl0001ise.ap.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gjucsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gmicsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gmicsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : af067300-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gmicsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gmicsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : af067304-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : af067302-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : af067301-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.96.67.223
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.252.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : af067303-10b4-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gmicsl0001ise.na.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gmicsl0001ise.na.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gsrcsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gsrcsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 305e3f30-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gsrcsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gsrcsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 305e3f31-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.32.128.223
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 305e3f32-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 305e3f34-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 305e3f33-147c-11e3-86da-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gsrcsl0001ise.ap.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gsrcsl0001ise.ap.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : cf0e4260-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0001ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0001ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : unknown
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : STANDBY
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : PRIMARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : cf0e4262-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : cf0e4263-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : cf0e4264-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : cf0e4261-b1a3-11e2-87c5-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : 10.71.142.9
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com is an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com has HA status STANDBY
    Wed Sep 04 11:49:45 CEST 2013 : Enabling propagation...
    Wed Sep 04 11:49:45 CEST 2013 : Checking node configuration...
    Wed Sep 04 11:49:45 CEST 2013 : Enable MNT
    Wed Sep 04 11:49:45 CEST 2013 : Enable PAP
    Wed Sep 04 11:49:45 CEST 2013 : Disable PDP PROFILER SESSION
    Wed Sep 04 11:49:45 CEST 2013 : Current/new node role status is PRIMARY PRIMARY
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig for standby MNT node exists: gvecsl0001ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0002ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0002ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 11ffc710-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0002ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0002ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : unknown
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : ACTIVE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PAP MNT
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 11ffc712-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 11ffc713-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 11ffc711-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.71.142.10
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 11ffc714-ee17-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com is an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com has HA status ACTIVE
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0002ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig for active MNT node exists: gvecsl0002ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0003ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0003ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : c532d1c0-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0003ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0003ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : c532d1c4-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : c532d1c3-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : c532d1c1-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : 10.71.142.2
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : c532d1c2-0671-11e3-b3d7-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0003ise.emea.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0003ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0004ise
    Wed Sep 04 11:49:45 CEST 2013 :   DisplayName     : gvecsl0004ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostId          : 86fe3b20-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :   HostName        : gvecsl0004ise
    Wed Sep 04 11:49:45 CEST 2013 :   HostAlias       : gvecsl0004ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 :   CreateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   UpdateTime      : null
    Wed Sep 04 11:49:45 CEST 2013 :   NodeServiceType : SESSION
    Wed Sep 04 11:49:45 CEST 2013 :   MasterStatus    : NONE
    Wed Sep 04 11:49:45 CEST 2013 :   NodeTypes       : PDP
    Wed Sep 04 11:49:45 CEST 2013 :   NodeRoleStatus  : SECONDARY
    Wed Sep 04 11:49:45 CEST 2013 :   NICInterfaces   :
    Wed Sep 04 11:49:45 CEST 2013 :     0 Id          : 86fe3b21-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     0 IPAddress   : 10.71.142.3
    Wed Sep 04 11:49:45 CEST 2013 :     0 SubNetMask  : 255.255.255.0
    Wed Sep 04 11:49:45 CEST 2013 :     0 NicCards    : eth0
    Wed Sep 04 11:49:45 CEST 2013 :     1 Id          : 86fe3b24-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     1 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     1 NicCards    : eth3
    Wed Sep 04 11:49:45 CEST 2013 :     2 Id          : 86fe3b23-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     2 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     2 NicCards    : eth2
    Wed Sep 04 11:49:45 CEST 2013 :     3 Id          : 86fe3b22-f53b-11e2-a024-6cae8b66e764
    Wed Sep 04 11:49:45 CEST 2013 :     3 IPAddress   : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 SubNetMask  : null
    Wed Sep 04 11:49:45 CEST 2013 :     3 NicCards    : eth1
    Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
    Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0004ise.emea.givaudan.com is not an MNT node
    Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0004ise.emea.givaudan.com
    Wed Sep 04 11:49:45 CEST 2013 : Node configuration has not changed - nothing updated
    Wed Sep 04 11:49:45 CEST 2013 : Poller sleeping...

  • Data guard setup for 2 node RAC primary to 2 node RAC standby

    Hi All,
    I am going to setup data guard for 2 node RAC primary to 2 node RAC standby on Oracle 10.2.0.4. in AIX5L.
    Can you please provide the document on the above setup which is having all the steps (details).
    Also, the documents on different scenarios like
    1) If one node of standby goes down, how the redo logs will be applied. IS there any problem?
    2) If both nodes of standby are failed, how to reciver them?
    3) If one node of primary fails, is there any issue?
    4) If two nodes of primary fails, is there any issue?
    Thanks in advance,
    Mahi

    Have a look at the following location, you may find some similar documents:
    http://www.oracle.com/technology/deploy/availability/htdocs/maa.htm
    By
    http://www.oraxperts.com

  • ISE 1.1.1 to ISE 1.2 upgrade path for ISE node

    Hi,
    Currently in ISE deployment , we have  2 ISE nodes with 1.1.1.268 version  with latest patch,
    ISE nodes hold following  personas
    Node1 :  Admin, Monitoring ,  PSN
    Node 2 : PSN
    How will above deplyoment should be upgrade to 1.2 ?
    In which order they should be upgraded  ?   Any supporting doc covering above deployment for ISE 1.2 upgrade .

    Kindly check the following links for references
                   http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.pdf
                   http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.pdf
                   https://www.cisco.com/en/US/docs/security/ise/1.2/open_source_license/Cisco_Identity_Services_Engine_1.2_Open_Source_Documentation.pdf

  • [Basic administration]Primary Administrator role

    Hi guys !!!
    I am learning how to use SMC - Solaris Management Console. I created a role with the follow privilege : primary administrator.
    I created this role because i read that this role has the "same" access of a root.
    But when i want to start the smc in the command line i got ? smc : cannot execute
    I thought with primary administrator i could execute any commands !!! Am i wrong !?? Can i log with root and on SMC use my primary administrator account ?
    Thanks a lot !!!
    Levi

    Hello,
    Change to the shell pfsh and try.
    -bash-3.00# pfsh
    Thanks,
    sal.

  • Simple ssh forward administratively prohibited: open failed

    I'm trying to use ssh -L on a solaris 10 command line, as follows:
    ssh -v -L 1521:dbmachine:1521 login@solaris10machine
    This connects to solaris10machine using password authentication and indicates the following (where I've replaced the dbmachine address with <dbmachine>):
    debug1: Authentication succeeded (keyboard-interactive)
    debug1: Connections to local port 1521 forwarded to remote address <dbmachine>:1521
    debug1: Local forwarding listening on ::1 port 1521.
    bind: Cannot assign requested address
    debug1: Local forwarding listening on 127.0.0.1 port 1521.
    Then, when trying to access 127.0.0.1 port 1521, I get the following:
    debug1: Connection to port 1521 forwarding to <dbmachine> port 1521 requested.
    debug1: fd 9 setting TCP_NODELAY
    debug1: channel 2: new [direct-tcpip]
    channel 2: open failed: administratively prohibited: open failed
    debug1: channel_free: channel 2: direct-tcpip: listening port 1521 for <dbmachine> port 1521, connect from 127.0.0.1 port 63130, nchannels 3
    It seems to me that this can't be a problem on the dbmachine (since it is quite happy to receive connections on port 1521). So the problem must be due to a problem on my local solaris 10 machine or the one I'm connecting to. I've read the man files for ssh and ssh_config and can't see what I'm doing wrong. Some web articles talk about putting AllowTcpForwards in ssh_config, but that isn't even documented in the man files, so it must refer to some other version of ssh than the one in Solaris 10. Can anyone help?

    Oops. I found the sshd_config file, and it had AllowTcpForwarding turned off. Setting it to "yes" fixed the problem.

  • Change Primary Administrator for Cloud Team

    How can I change the primary administrator under the Admin Tools in the Cloud Team portal?

    manage your team account http://forums.adobe.com/thread/1460939?tstart=0 may help

Maybe you are looking for

  • Requerying in WHEN-BUTTON-PRESSED

    Hi, I have two forms. I have a button that opens up modal form 2 from form 1 and passes some parameters. I allow the user to update something in form 2 (which has an effect on form 1). When user exits form 2, I want to requery the block in form 1 so

  • IPod touchscreen not working

    My ipod touchscreen is not responding - I cannot slide it on or off. When this first happened I tried to reset, and then when my computer failed to recognize it I did a restore. It is still not working. I have an appointment at the Genius Bar tomorro

  • Web server log not show byte transfer for php

    I added php module to iWS 6.0 it work fine but access log not show byte transfer information for php. How can I do?

  • Base Statiojn stops responding

    I have been having a problem for the last week. The extreme base station stops responding about every 10 minutes. The wireless signal stays up but I cannot connect to any other machines or the internet. Also the airport utility cannot locate the base

  • How to run a download?

    I'm not sure if any of you are familiar with Wolfenstein:ET but I've downloaded it and I'm not sure how to run it... I mean its been downloaded to the desktop and I've "installed" it but I can't seem to figure out how to run it... thanks Message was