Primary administration ISE nodes failed
Hi All,
I'm going to implement 3 ISE with destributed deployment, 1 ISE will configured as Administration & Monitoring node, and the others as dedicated Policy Service node.
My questions are :
1. If the Administration & monitoring node failed, are the authentication, authorization and posture still can be running well on the client ?
2. Can we promote the dedicated Policy Service Node as the new administration & monitoring nodes ? If can, how the procedure for promoting it? it's just as simple as promoting the secondary nodes (in case we have primary and secondary nodes) or there is others effort, such as must restoring the database or etc?
Thanks?
Regards,
Rian
Hi,
When the primary administration node fails. The psns will still continue to function and enforce policies.
Since you have a single administration node and if the that node has to be rebuilt, all other nodes will also have to be reset to factory then re registered once the primary node is ready again.
In that case you can open a tac case yo have them assist in pulling your database from one of the psn nodes.
As always this is my observations and what I would do if I was in the situation, we can wait for a cisco engineer to respond or you can post this question in a tac case to make sure there isn't an upcoming feature which addresses this scenario.
Sent from Cisco Technical Support Android App
Similar Messages
-
ISE node registering after change domain-name
At Customer Site I changed the domain name of our 4 ISE server before they were registered to any deployment. I regenerated a self signed certificate and started to register the other nodes to the deployment. This went well for the 2 PSN nodes which have a ip address in a different subnet. I tried to register the presumed secondarry PAN/MnT node and got the following error message "
Node beiing registerd has FQDN 'ISE-PAN-AP02.office.intern' which cannot be resolved. Please check your DNS configuration."
My DNS config is in order.
Can anyone please tell me want possible can be the cause of this?Please check these Prerequisites:
The fully qualified domain name (FQDN) of the standalone node that you are going to register, for example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes that are part of your distributed deployment in the DNS server.
•The primary Administration ISE node and the standalone node that you are about to register as a secondary node should be running the same version of Cisco ISE.
•Node registration fails if you provide the default credentials (username: admin, password: cisco) while registering a secondary node. Before you register a standalone node, you must log into its administrative user interface and change the default password (cisco).
•You can alternatively create an administrator account on the node that is to be registered and use those credentials for registering that node. Every ISE administrator account is assigned one or more administrative roles. To register and configure a secondary node, you must have one of the following roles assigned: Super Admin, System Admin, or RBAC Admin. See Cisco ISE Admin Group Roles and Responsibilities for more information on the various administrative roles and the privileges associated with each of them.
•If you plan to register a secondary Administration ISE node for high availability, we recommend that you register the secondary Administration ISE node with the primary first before you register other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
•If you plan to register multiple Policy Service ISE nodes running Session services and you require mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group. You must create the node group first before you register the nodes because you need to select the node group to be used on the registration page. See "Creating, Editing, and Deleting Node Groups" section for more information.
•Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the standalone node (that you are going to register as the secondary node). See the "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information.
•After registering your secondary node to the primary node, if you change the HTTPS certificate on the registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node's HTTPS certificate and import it to the CTL of the primary node. See "Creating Certificate Trust Lists in the Primary Cisco ISE Node" section on page 12-24 for more information. -
Getting Error while registering ISE Node
Hi All,
I am getting below error.
Communication failure with the host 162.12.95.167. Please check the information for the target machine, or if the target machine is accessible and try again.
I am Able to ping as well from primary node
Output of ping:
PING 162.12.95.167 (162.12.95.167) 56(84) bytes of data.
64 bytes from 162.12.95.167: icmp_seq=1 ttl=58 time=1.02 ms
64 bytes from 162.12.95.167: icmp_seq=2 ttl=58 time=1.05 ms
64 bytes from 162.12.95.167: icmp_seq=3 ttl=58 time=1.05 ms
64 bytes from 162.12.95.167: icmp_seq=4 ttl=58 time=0.955 ms
64 bytes from 162.12.95.167: icmp_seq=5 ttl=58 time=1.02 ms
--- 162.12.95.167 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.955/1.019/1.051/0.053 msHello Sachin-
Couple of questions:
1. Is there a firewall between the two nodes that you are trying to cluster? If yes, then have you confirmed that all of the necessary ports and protocols are opened between them?
2. What version of ISE are you using
3. Can you confirm that both devices are added in DNS and that both devices can ping each other via their FQDNs
On a side note here are the prerequisites for clustering nodes:
• The fully qualified domain name (FQDN) of the standalone node that you are going to register, for
example, ise1.cisco.com must be DNS-resolvable from the primary Administration ISE node.
Otherwise, node registration will fail. You must enter the IP addresses and FQDNs of the ISE nodes
that are part of your distributed deployment in the DNS server.
• The primary Administration ISE node and the standalone node that you are about to register as a
secondary node should be running the same version of Cisco ISE.
• You must configure the Cisco ISE Admin password at the time you install the Cisco ISE. The
previous Cisco ISE Admin default login credentials (admin/cisco) are no longer valid.
• Use the username/password that was created during the initial Setup or the current password, if it
was changed later.
• The DB passwords of the primary and secondary nodes should be the same. If these passwords are
set to be different during node installation, you can modify them using the following commands:
– application reset-passwd ise internal-database-admin
– application reset-passwd ise internal-database-user
• You can alternatively create an administrator account on the node that is to be registered and use
those credentials for registering that node. Every ISE administrator account is assigned one or more
administrative roles. To register and configure a secondary node, you must have either the Super
Admin or System Admin role assigned. See Cisco ISE Admin Group Roles and Responsibilities for
more information on the various administrative roles and the privileges associated with each of
them.
• If you plan to register a secondary Administration ISE node for high availability, we recommend
that you register the secondary Administration ISE node with the primary first before you register
other Cisco ISE nodes. If Cisco ISE nodes are registered in this sequence, you do not have to restart
the secondary ISE nodes after you promote the secondary Administration ISE node as your primary.
• If you plan to register multiple Policy Service ISE nodes running Session services and you require
mutual failover among those nodes, you must place the Policy Service ISE nodes in a node group.
You must create the node group first before you register the nodes because you must select the node
group to be used on the registration page.
“Creating, Editing, and Deleting Node Groups”
section on page 9-21 for more information.
• Ensure that the Certificate Trust List (CTL) of the primary node is populated with the appropriate
Certificate Authority (CA) certificates that can be used to validate the HTTPS certificate of the
standalone node (that you are going to register as the secondary node).
Thank you for rating! -
ISE admin , PSN and monitoring node fail-over and fall back scenario
Hi Experts,
I have question about ISE failover .
I have two ISE appliaces in two different location . I am trying to understand the fail-over scenario and fall-back scenario
I have gone through document as well however still not clear.
my Primary ISE server would have primary admin role , primary monitoring node and secondary ISE would have secondary admin and secondary monitoring role .
In case of primary ISE appliance failure , I will have to login into secondary ISE node and make admin role as primary but how about if primary ISE comes back ? what would be scenario ?
during the primary failure will there any impact with users for authentication ? as far as PSN is available from secondary , it should work ...right ?
and what is the actual method to promote the secondary ISE admin node to primary ? do i have to even manually make monitoring node role changes ?
will i have to reboot the secondary ISE after promoting admin role to primary ?We have the same set up across an OTV link and have tested this scenario out multiple times. You don't have to do anything if communication is broken between the prim and secondary nodes. The secondary will automatically start authenticating devices that it is in contact with. If you promote the secondary to primary after the link is broke it will assume the primary role when the link is restored and force the former primary nodes to secondary.
-
Ise node not becoming standalone after deregistration
I am seeing a weird problem.
I deregistered secondary admin/monitor node from primary admin/monitor node. I see successfully deregistered message.
But the deregistered node is still showing SEC(A) and SEC(M). It is not changing to standalone mode.
This is disrupting the upgrade of distributed deployment of ISE nodes.
Any clues?Bug details:
Secondary node never becomes standalone after de-registration
The secondary node is de-registered successfully but a "The following deregistered nodes are not currently reachable: . Be sure to reset the configuration on these nodes manually, as they may not revert to Standalone on their own." message appears to the administrator.
Workaround Log in to the administrator user interface with internal Cisco ISE administrator credentials when de-registering a node.
Actually we had two accounts in web gui, nodes were registered using one account and during upgrade, i used different account , which triggered this bug. -
Best Practise for rebooting ISE Nodes?
Hello Community,
I administer an ISE installation with two nodes (I am not an ISE Specialist, my job is just to manage the user/mac-adresses... but now I have to move my ISE Nodes from one VMWare Cluster to another VMWare Cluster.
(Both VMWare environments are connected to our enterprise network, but are different environments. vMotion not possible)
I would shutdown ISE02, move it to our new VMWare environment and start it again.
Than I would do this with our ISE01 Node...
Are there any best practises for doing this? (Shutdown application first, stopl replikation etc)?
Can I really simply reboot an ISE Node - or have I consider something bevor I doing this? After I doing this?
Any tasks after reboot?
Thank you for any answer!
ISE01
Administration, Monitoring, Policy Service
PRI(A), SEC(M)
ISE02
Administration, Monitoring, Policy Service
SEC(A), PRI(M)There is a lot to consider here. If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change among other things. If this is the case, create a new ISE VM in the new environment using the built in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment. Then spin-up a new Secondary node and register it on the Primary. Once this is done, you can re-host the license from your old environment onto your new environment. You can use this tool to re-host:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999
If IP Addressing is to remain the same, it gets simpler.
First, and always, perform a configuration and operational backup.
If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes. Transfer them to the New Environment and turn them on, Primary Node first, of course.
If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment. Start the Secondary Node and when it is up, shut down the Primary Node. Once services on the primary node have stopped, promote the Secondary Node to Primary Node.
Transfer the OLD Primary Node to the New Environment and turn it on. It should assume the role of Secondary Node. If it does not, assign that role through the GUI.
Remember, the correct way to shut down an ISE node is:
application stop ise
halt
By using these commands, the risk of database corruption decreases by about 90% (Remember to always backup).
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton -
Error while registering ISE node
Getting this error while trying to register a newly built standalone VM node on primary admin node.
'admin' is not authorized to register ISE Node <node name>. Please check the credentials and/or privileges.
admin is the only account on the newly built VM node and admin has full privileges on primary admin node as well. I have done the registering process before as well and this is the first time I have seen this error... Any thoughts?Hello Kashish,
Though I assume its been almost a week's time and you might have solved this by now, but it may help others facing similar problem
When a node is registered with the primary, the primary node would connect with the node to be registered and the primary node itself needs to authenticate against that node which is to be registered.
You need to specify the Admin user password of the ISE node that you want to register. Make sure by logging on to the Web UI of the ISE node you want to register that you have the admin user password. Otherwise you should create / reset admin user for web UI of the node to be registered.
Regards,
Ashok -
ISE Node Failure & Pre-Auth ACL
Hi All,
I would like to know that, what should be the best practice configuration for following points,
1) Network access for end users/devices if both ISE nodes become unreachable ? how we can make sure that full network access should be granted if both ISE nodes become unavailable.
2) What is the best practice for pre-auth ACL configuration if IP Phones are also in the network ?
Here is the port configuration and pre-auth ACL which I am using in my network,
Interface Fa0/1
switchport access vlan 30
switchport mode access
switchport voice vlan 40
ip access-group ISE-ACL-DEFAULT in
authentication event fail action authorize vlan 30
authentication event server dead action authorize vlan 30
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 5
ip access-list extended ISE-ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS and Domain Controllers
permit ip any host 172.22.35.11
permit ip any host 172.22.35.12
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Deny All
deny ip any any log
Thanks & Regards,
MujeebHi,
I am using following configuration on the ports,
Interface Fa0/1
switchport access vlan 30
switchport mode access
switchport voice vlan 40
ip access-group ISE-ACL-DEFAULT in
authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command ?
authentication event server dead action authorize vlan 30 ---> So in case if ISE nodes are unavailable then this port will be in VLAN 30 which is the actual VLAN ?
authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if ISE nodes becomes available ?
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout tx-period 5
Since I am using following ACL on the ports then user will have network access according to following ACL in case ISE nodes are unavailable ??
ip access-list extended ISE-ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS and Domain Controllers
permit ip any host 172.22.35.11
permit ip any host 172.22.35.12
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Deny All
deny ip any any log
Thanks -
Hello,
I have a problem at the posture checking phase. NAC agent fails to check for posture compliance and remediation never takes place. The client browser is beeing redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)
Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?
Best regards,
KresoHi Mohammed,
as the TAC engineer and developer said, the problem is in the CA root certificate that was imported in DER format.
Try exporting the root CA certificate (not the one issued to the ISE node by the CA, but the one that is in the Certificate Store), convert it from PKCS#7,DER to X509,PEM format, delete the old CA root cert and import the one you just got as a result of conversion.
You will need some Linux/UNIX box with OpenSSL tools installed. Suppose you exported the original cert to file named cert1.pem, when you try to read it using the following command, you get an error:
# openssl x509 -in cert1.pem -inform DER -text
unable to load certificate
following some ASN error messages. To convert it use the following command:
openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem
Now you can read cert data using the command:
openssl x509 -inform pem -in cert2.pem -noout -text
The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.
HTH,
Kreso -
What is up with No Response from ISE Node ??
Even though it sounds like the PSN node can't communicate with AD, it does authenticate and retrieving Groups, and attrbitues.
How can I fix this ?
why is it saying 'No Response from ISE Node ?Hi,
Communication is fine between all ISE nodes, replications is COMPLETE for all nodes.
I am running 1.1.4.218 with Patch 4 on all servers.
I have 4 servers in my 8 servers-deployment that are in that strange AD status.
The command "show logging application ise tail" does not show bad things. The DisplayName is always equal to the HostName which is the same as the HostAlias (with the domain name). Please see below.é
Any ideas ?
David
Wed Sep 04 11:49:44 CEST 2013 : Poller wakeup...
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gcncsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gcncsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : 9cec53f0-151f-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gcncsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gcncsl0001ise.na.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : SESSION
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : NONE
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PDP
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : SECONDARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : 9cec53f3-151f-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : 9cec53f2-151f-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : 9cec53f1-151f-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : 10.97.32.223
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : 255.255.255.0
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : 9cec53f4-151f-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gcncsl0001ise.na.givaudan.com is not an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gcncsl0001ise.na.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gjucsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gjucsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : 346a29c0-1177-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gjucsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gjucsl0001ise.ap.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : SESSION
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : NONE
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PDP
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : SECONDARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : 346a29c1-1177-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : 10.32.67.223
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : 255.255.254.0
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : 346a29c2-1177-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : 346a29c3-1177-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : 346a29c4-1177-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gjucsl0001ise.ap.givaudan.com is not an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gjucsl0001ise.ap.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gmicsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gmicsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : af067300-10b4-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gmicsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gmicsl0001ise.na.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : SESSION
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : NONE
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PDP
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : SECONDARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : af067304-10b4-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : af067302-10b4-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : af067301-10b4-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : 10.96.67.223
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : 255.255.252.0
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : af067303-10b4-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gmicsl0001ise.na.givaudan.com is not an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gmicsl0001ise.na.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gsrcsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gsrcsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : 305e3f30-147c-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gsrcsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gsrcsl0001ise.ap.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : SESSION
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : NONE
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PDP
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : SECONDARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : 305e3f31-147c-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : 10.32.128.223
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : 255.255.255.0
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : 305e3f32-147c-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : 305e3f34-147c-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : 305e3f33-147c-11e3-86da-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gsrcsl0001ise.ap.givaudan.com is not an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gsrcsl0001ise.ap.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gvecsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : cf0e4260-b1a3-11e2-87c5-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gvecsl0001ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gvecsl0001ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : unknown
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : STANDBY
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PAP MNT
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : PRIMARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : cf0e4262-b1a3-11e2-87c5-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : cf0e4263-b1a3-11e2-87c5-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : cf0e4264-b1a3-11e2-87c5-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : cf0e4261-b1a3-11e2-87c5-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : 10.71.142.9
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : 255.255.255.0
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com is an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0001ise.emea.givaudan.com has HA status STANDBY
Wed Sep 04 11:49:45 CEST 2013 : Enabling propagation...
Wed Sep 04 11:49:45 CEST 2013 : Checking node configuration...
Wed Sep 04 11:49:45 CEST 2013 : Enable MNT
Wed Sep 04 11:49:45 CEST 2013 : Enable PAP
Wed Sep 04 11:49:45 CEST 2013 : Disable PDP PROFILER SESSION
Wed Sep 04 11:49:45 CEST 2013 : Current/new node role status is PRIMARY PRIMARY
Wed Sep 04 11:49:45 CEST 2013 : HostConfig for standby MNT node exists: gvecsl0001ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0002ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gvecsl0002ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : 11ffc710-ee17-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gvecsl0002ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gvecsl0002ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : unknown
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : ACTIVE
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PAP MNT
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : SECONDARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : 11ffc712-ee17-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : 11ffc713-ee17-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : 11ffc711-ee17-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : 10.71.142.10
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : 255.255.255.0
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : 11ffc714-ee17-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com is an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0002ise.emea.givaudan.com has HA status ACTIVE
Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0002ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig for active MNT node exists: gvecsl0002ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0003ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gvecsl0003ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : c532d1c0-0671-11e3-b3d7-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gvecsl0003ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gvecsl0003ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : SESSION
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : NONE
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PDP
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : SECONDARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : c532d1c4-0671-11e3-b3d7-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : c532d1c3-0671-11e3-b3d7-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : c532d1c1-0671-11e3-b3d7-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : 10.71.142.2
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : 255.255.255.0
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : c532d1c2-0671-11e3-b3d7-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0003ise.emea.givaudan.com is not an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0003ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : HostConfig : gvecsl0004ise
Wed Sep 04 11:49:45 CEST 2013 : DisplayName : gvecsl0004ise
Wed Sep 04 11:49:45 CEST 2013 : HostId : 86fe3b20-f53b-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : HostName : gvecsl0004ise
Wed Sep 04 11:49:45 CEST 2013 : HostAlias : gvecsl0004ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : CreateTime : null
Wed Sep 04 11:49:45 CEST 2013 : UpdateTime : null
Wed Sep 04 11:49:45 CEST 2013 : NodeServiceType : SESSION
Wed Sep 04 11:49:45 CEST 2013 : MasterStatus : NONE
Wed Sep 04 11:49:45 CEST 2013 : NodeTypes : PDP
Wed Sep 04 11:49:45 CEST 2013 : NodeRoleStatus : SECONDARY
Wed Sep 04 11:49:45 CEST 2013 : NICInterfaces :
Wed Sep 04 11:49:45 CEST 2013 : 0 Id : 86fe3b21-f53b-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 0 IPAddress : 10.71.142.3
Wed Sep 04 11:49:45 CEST 2013 : 0 SubNetMask : 255.255.255.0
Wed Sep 04 11:49:45 CEST 2013 : 0 NicCards : eth0
Wed Sep 04 11:49:45 CEST 2013 : 1 Id : 86fe3b24-f53b-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 1 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 1 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 1 NicCards : eth3
Wed Sep 04 11:49:45 CEST 2013 : 2 Id : 86fe3b23-f53b-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 2 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 2 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 2 NicCards : eth2
Wed Sep 04 11:49:45 CEST 2013 : 3 Id : 86fe3b22-f53b-11e2-a024-6cae8b66e764
Wed Sep 04 11:49:45 CEST 2013 : 3 IPAddress : null
Wed Sep 04 11:49:45 CEST 2013 : 3 SubNetMask : null
Wed Sep 04 11:49:45 CEST 2013 : 3 NicCards : eth1
Wed Sep 04 11:49:45 CEST 2013 : Checking HA status...
Wed Sep 04 11:49:45 CEST 2013 : Node gvecsl0004ise.emea.givaudan.com is not an MNT node
Wed Sep 04 11:49:45 CEST 2013 : Ignoring node configuration for host gvecsl0004ise.emea.givaudan.com
Wed Sep 04 11:49:45 CEST 2013 : Node configuration has not changed - nothing updated
Wed Sep 04 11:49:45 CEST 2013 : Poller sleeping... -
Data guard setup for 2 node RAC primary to 2 node RAC standby
Hi All,
I am going to setup data guard for 2 node RAC primary to 2 node RAC standby on Oracle 10.2.0.4. in AIX5L.
Can you please provide the document on the above setup which is having all the steps (details).
Also, the documents on different scenarios like
1) If one node of standby goes down, how the redo logs will be applied. IS there any problem?
2) If both nodes of standby are failed, how to reciver them?
3) If one node of primary fails, is there any issue?
4) If two nodes of primary fails, is there any issue?
Thanks in advance,
MahiHave a look at the following location, you may find some similar documents:
http://www.oracle.com/technology/deploy/availability/htdocs/maa.htm
By
http://www.oraxperts.com -
ISE 1.1.1 to ISE 1.2 upgrade path for ISE node
Hi,
Currently in ISE deployment , we have 2 ISE nodes with 1.1.1.268 version with latest patch,
ISE nodes hold following personas
Node1 : Admin, Monitoring , PSN
Node 2 : PSN
How will above deplyoment should be upgrade to 1.2 ?
In which order they should be upgraded ? Any supporting doc covering above deployment for ISE 1.2 upgrade .Kindly check the following links for references
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.pdf
http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.pdf
https://www.cisco.com/en/US/docs/security/ise/1.2/open_source_license/Cisco_Identity_Services_Engine_1.2_Open_Source_Documentation.pdf -
[Basic administration]Primary Administrator role
Hi guys !!!
I am learning how to use SMC - Solaris Management Console. I created a role with the follow privilege : primary administrator.
I created this role because i read that this role has the "same" access of a root.
But when i want to start the smc in the command line i got ? smc : cannot execute
I thought with primary administrator i could execute any commands !!! Am i wrong !?? Can i log with root and on SMC use my primary administrator account ?
Thanks a lot !!!
LeviHello,
Change to the shell pfsh and try.
-bash-3.00# pfsh
Thanks,
sal. -
Simple ssh forward administratively prohibited: open failed
I'm trying to use ssh -L on a solaris 10 command line, as follows:
ssh -v -L 1521:dbmachine:1521 login@solaris10machine
This connects to solaris10machine using password authentication and indicates the following (where I've replaced the dbmachine address with <dbmachine>):
debug1: Authentication succeeded (keyboard-interactive)
debug1: Connections to local port 1521 forwarded to remote address <dbmachine>:1521
debug1: Local forwarding listening on ::1 port 1521.
bind: Cannot assign requested address
debug1: Local forwarding listening on 127.0.0.1 port 1521.
Then, when trying to access 127.0.0.1 port 1521, I get the following:
debug1: Connection to port 1521 forwarding to <dbmachine> port 1521 requested.
debug1: fd 9 setting TCP_NODELAY
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
debug1: channel_free: channel 2: direct-tcpip: listening port 1521 for <dbmachine> port 1521, connect from 127.0.0.1 port 63130, nchannels 3
It seems to me that this can't be a problem on the dbmachine (since it is quite happy to receive connections on port 1521). So the problem must be due to a problem on my local solaris 10 machine or the one I'm connecting to. I've read the man files for ssh and ssh_config and can't see what I'm doing wrong. Some web articles talk about putting AllowTcpForwards in ssh_config, but that isn't even documented in the man files, so it must refer to some other version of ssh than the one in Solaris 10. Can anyone help?Oops. I found the sshd_config file, and it had AllowTcpForwarding turned off. Setting it to "yes" fixed the problem.
-
Change Primary Administrator for Cloud Team
How can I change the primary administrator under the Admin Tools in the Cloud Team portal?
manage your team account http://forums.adobe.com/thread/1460939?tstart=0 may help
Maybe you are looking for
-
Requerying in WHEN-BUTTON-PRESSED
Hi, I have two forms. I have a button that opens up modal form 2 from form 1 and passes some parameters. I allow the user to update something in form 2 (which has an effect on form 1). When user exits form 2, I want to requery the block in form 1 so
-
My ipod touchscreen is not responding - I cannot slide it on or off. When this first happened I tried to reset, and then when my computer failed to recognize it I did a restore. It is still not working. I have an appointment at the Genius Bar tomorro
-
Web server log not show byte transfer for php
I added php module to iWS 6.0 it work fine but access log not show byte transfer information for php. How can I do?
-
Base Statiojn stops responding
I have been having a problem for the last week. The extreme base station stops responding about every 10 minutes. The wireless signal stays up but I cannot connect to any other machines or the internet. Also the airport utility cannot locate the base
-
I'm not sure if any of you are familiar with Wolfenstein:ET but I've downloaded it and I'm not sure how to run it... I mean its been downloaded to the desktop and I've "installed" it but I can't seem to figure out how to run it... thanks Message was