Cisco AAA/Identity/Nac :: ISE 1.1.3.124 Secondary Node Not Reachable After Registration
Jun 1, 2013
I'm constantly seeing that the sync and replication status for my secondary admin/monitor node in the primary node as node not reachable. The secondary still thinks it is in standalone mode. When I run the ISE diag tool connectivity tests I am able successfully ping the devices from each other using both hostname and ip and the nslookup also works fine between both nodes. Ping and nslookups also work from different networks within the environment. The two nodes are in the same vlan on a 6500 vss pair but on different switches of the pair.
View 6 Replies
ADVERTISEMENT
Jun 5, 2013
I've just had to rebuild my ACS appliance with new hardrives but I am unable to register the devices to each I get a system error. I thought it may have had something to do with the rebuilt device not being joined tothe domain but it has now been joined albeit using a different ad account, but still cannot register to primary.
View 11 Replies
View Related
Mar 13, 2013
to grant not to show the certificate error adevertise to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and friendly url for sponsor and mydevices. But when I try to import it to more than one PSN the following error message is shown " The certificate already exists in the data base".How can I import the same certificate (with the same private key) in every PSN in a node group?
We have ISE 1.1.2
View 4 Replies
View Related
Oct 19, 2012
i'm stuck at registering inline posture node to primary node. I doing fresh install both ISE appliance using version 1.1.1, patched all 3 available patach version after install. AD and DNS were perfectly configure, ping using hostname able to resolve Everything set, so both PSN and iPEP generate CSR and ready to let CA server to signed. But anyway this is the outcome i get Error message "Unable to authenticate. please check server and CA certificate."
01. - What certificate template to be use primary node and inline posture node? I having problem the CA certsrv won't show computer template for inline posture node. can i use web server template and on the extension include client autthenticaiton andserver authentication on this case?
- What certficate template use for primay node CSR?
02. According to Cisco ISE user guide 1.1.1, it mentioned "Creating certificate trust list in Primary ISE Node"
So first action is importing Root and CA certificate . my rootCA.cer import to certification operation certifcate store, while CSR generated then Bind CA certificate. question, should i check anything like "Tust for client authentication" checkbox or any other option to be check? How about Inline Posture node, should i export the CA certificate and import to primary node's certificate store?
View 3 Replies
View Related
Oct 17, 2012
I would like to ask, given that i got 2 units of ISE-3315 appliance, one need to be primary node for admin-policy service-monitoring, another unit then become Inline posture node.For the preparation on line posture node, what shoud i do on it?
01. For the unit ready to become inline posture node, so I just boot it, install the OS from sractch (using version 1.1.1), then start the initialize setup etc, like Normal setup?
02. Before i regieter, what is the deployment nodes i should select for inline posture node unit? provided the admin-policy service-monitoring will become primary node, and registration for inline posture node will be next action.
View 10 Replies
View Related
Aug 26, 2012
i have planned a deployment with one acs in Europe working as primary, one acs in europe as secondary and one acs in USA as secondary also.
I can add one acs in europe to the deployment as secondary. When I try to add the acs in USA to the deployment - Nothing really works.
The status shown in the primary is offline (red) and status pending. It stays like this for hours. When I log in to the gui directly on the acs in USA, it still has status primary.
The two acs are transparently connected. There is WAN optimization (cisco waas) in between the two datacentres..
View 1 Replies
View Related
Apr 24, 2011
I have two ACS 5.2 working in redundancy Primary and Secondary my question in when my primary ACS goes down i can´t see the log in the secondary ACS. I read in the documentación that only one ACS can be configurated for working like logg collector server. Now I configurated my secondary ACS like logg collector server now when my Primary ACS goes down i can see the logg. Finally when my Secondary ACS goes down i can modified the ACS Primary Configution by show me the logg.. Is possible to do this automaticaly for show me the event logg ? when the ACS that is configurate like logg collector server goes down pass the event other ACS automatically..
View 3 Replies
View Related
Feb 28, 2013
We are using ACS 5.3 with two servers in a distributed solution.All logs are collected on primary server so when this server fails all logs are lost.How can I enable log on secondary server also?
View 2 Replies
View Related
Oct 23, 2012
We have 4 ACS 5.3 Servers connected as Primary and Secondary Servers.We use a "RSA SecurID Token Servers" External userdatabase for authentications and are able to sucessfully authenticate (vpn-)users when the requests are send from the primary ACS Server.As soon as a secondary ACS server sends the request to the RSA server the request fails. "Node verification failes"
On the RSA Authentication Manager 6.1 Server, we have created a Agent-host wich contains the 3 secondary nodes (FQDN and IP's). The "sdconf.rec" file has been installed on theprimary ACS Server and are automatically (so it looks like) replicated to all ACS Servers.Still none of the secondary server are able to authenticate the users agains the RSA server.
View 1 Replies
View Related
Nov 16, 2012
I am attemtping to install new ssl certs on our 5.3 cluster. I was able to generate the CSR on the Primary host. When I attempt to generate the csr on the secondary host, I receive the following error:
This System Failure occurred: Error while remotely calling Primary to create: com.cisco.nm.acs.im.certificate.CertificateRequest Object{ request=[B@144cead, privateKey=null, encryptedPrivateKeyPassword=[B@5ce155, certificateSubject=CN=xxxx.xxxxxx.net, keyLength=2048, digest=SHA1, timeStamp=null, friendlyName=null, guid=[B@1cd99ca, description=null, name=xxxx.xxxx.net, version=0, id=0}. Your changes have not been saved.Click OK to return to the list page.
Both hosts are running identical versions:
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839
View 1 Replies
View Related
Jan 22, 2012
I have a question about the number of Cisco licenses needed in two cases for ACS 5.3 Virtual Machine.One primary + One secondary : Just one license for all or one license for the primary + another one for the secondary ?One primary + several secondaries : Just one license for all or one license for the primary + just one license for all the secondaries ?
View 1 Replies
View Related
May 29, 2013
My customer has an ACS 1121 version 5.4. Now we want to install a secondary ACS 1121.
View 2 Replies
View Related
Jun 16, 2011
it is possible de use two servers ACS 5.2 (primary and secondary) in active/ active? or just in active/ passive?
View 3 Replies
View Related
Dec 6, 2011
I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
This System Failure occurred: Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
I have tried with both "ACSAdmin" and "admin" users with their respective passwords.
View 3 Replies
View Related
Jun 11, 2012
Today I ran a failover test between our primary and secondary ACS systems (ran 'acs stop' on the primary) and in the process decided to promote the secondary while I had the primary down. All was fine until I brought the primary back up and tried to re-register the secondary to it. I get the following error message: I went into System Administration >Operations >Distributed System Management on each and it showed the other device as deregestered, tried to promote from there but it failed too, so I deleted them and tried to register the secondary again. After that didn't work I tried rebooting both but that didn't work either. I know the user/pass I'm using is good and I've tried using both the IP address and the hostname.
ACS/admin# sh app version acs
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.5Internal Build ID : B.839Patches :5-3-0-40-5
View 3 Replies
View Related
Oct 3, 2012
I have a pair of ACS appliances running 5.1 code. The appliances are set up as a replicated pair. I have valid local and trusted certificate authority certificates on the primary.
The trusted certificate authority certificate gets replicated to the secondary. Obviously the local certificate doesn't get replicated. I need to generate a certificate signing request on the secondary but it doesn't seem to allow you to do it.
View 1 Replies
View Related
Apr 21, 2013
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
View 8 Replies
View Related
Aug 9, 2011
IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload - apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in GUI generates pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
[code]....
View 1 Replies
View Related
Nov 2, 2011
Cisco ACS 5.2 secondary server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .
View 2 Replies
View Related
Mar 28, 2013
I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
When the primary instance fails I can authenticate successfully using the secondary instance.However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
View 9 Replies
View Related
Mar 12, 2012
I am attempting to register QPM 4.1.5 into LMS 3.2.1 Portal, under Home Page Admin - Application Registration but It fails.It seems to be a bug where it puts the details in the wrong place when submitting the info.
This is the output that it tries to submit obviously - Description, host name, port number and protocol are mixed up.You have selected the following application to be imported from the remote server. [code]
I'm not sure where to find the Tomcat logs or how much use they would be.
View 1 Replies
View Related
Apr 8, 2013
I just bought 2 Cisco3750 X Switches, After I open the box, there are too many numbers lables on the switch.
1. Which number is for product registration ?
2. Can any give me the link for product registration ?
BTW, can explain to me what is PAK, is it come with the switch ? Where I can find it ? I can find serial number but I don't know how to use it and connect with PAK.
View 1 Replies
View Related
Nov 5, 2012
We have a SRP527W, we have created VLAN for DATA and VOICE remotly connected to an office by VPN.
VPN is working fine.
Now we want to register SIP lines integrated in SRP527W to a Cisco Call Manager located in our office.
The problem is that the source of SIP packets is WAN interface of the SRP527W, so packet wont pass in the VPN. Is possible to change the IP source of the SIP registration ? The most useful will be to set the IP source SIP on the voice VLAN.
View 2 Replies
View Related
Mar 5, 2013
We have Cisco WiSM modules on our 6500 switch. I tried to register a 1142 access point to the WiSM. Is there any difference in the way an AP registers and appears on the WiSM as compared to the Wireless Lan controller?
I could see the AP get an ip from dhcp pool ( configured on the switch ) and Ap was visible on the cdp neighbor of switch.
However, i could not locate the new AP on the WiSM module. Do i need to add MAC address to the WiSM as same as WLC.
View 7 Replies
View Related
Sep 20, 2012
Our ESP traffic is passing through multiple nodes and we can not establish the tunnel. and I want to know which node blocked ESP traffic. How to trace which node blocked ESP traffic ?
View 5 Replies
View Related
Oct 11, 2011
I am having issues registering Cisco 3502 APs with a WLC 5508. They initially register and then disassociate with the controller and fail to re-register. Is it possible to telnet to AP and factory rest the AP. I get connection refused when I try
View 1 Replies
View Related
Mar 7, 2012
I'm trying to NAT SIP registration from OUTSIDE interface to Inside interface on ASA
View 1 Replies
View Related
Jul 21, 2012
I ordered controller 2504 and will arrive soon. I want to know that after configure the initial setup of 2504 (i.e. AP manager , Management IPs etc) and defining the DHCP for AP. Will the 1042 lightweight AP will register with the controller automatically or i need to manually define the AP (MAC address) on WLC. and also whether the Option 43 and 60 are correctly defined?
Management Interface: 10.10.22.15
AP Manager Int: 10.10.22.16
ip dhcp pool WLAN103
network 10.10.3.0 255.255.255.0
[code]...
View 4 Replies
View Related
Mar 12, 2013
I am facing the following problem. SmartPhone is connected WiFi hotspot. Suppose SmartPhone ip is 10.0.2.2 and hotspot ip is 10.140.13.12. I am able to send data from smartphone to a server(over internet) which has static ip and sender details in server are hotspot ip. Problem is sending data from server back to smartphone. Tried sending to 10.0.2.2(smartphone) from server but packets are not received.
View 3 Replies
View Related
Dec 26, 2012
I am able to ping the node but when i try to access the systm using backslash i am uable to access it and an error of host inaccessible.
View 1 Replies
View Related
Jul 11, 2012
I have 3 WRV200 that I want to install in 3 cities.I want each router to have its own Internet connection from the local ISP.I then want each router to connect to the other 2 routers and create a 3 node WAN using VPN connections.
View 1 Replies
View Related
Oct 25, 2012
I have several locations with time clocks (a Kronos application) on a small home network with outgoing traffic wide open.I have a server in my office behind an ASA5505 router/firewall, also with outging traffic wide open. I have tried taking the device off of the remote network and giving the it a public, static ip address so it is actually on the internet, yet the server cannot see the device, but it can ping it. I was advised to put the device on the remote private network and set up a virtual server using port 8080 at the remote location. The server is still unable to see the device. I also set up a virtual server for VNC. When I am on my server on my work network behind the ASA5505, I can start my VNC viewer and attach to the device at the remote site using the IP of the router (apparently the device has a build in VNC server).
I have also tried to NAT my server to a public IP, I have set up incoming and outgoing rules on the firewalls at both ends.this should be a fairly straight forward connection.
View 7 Replies
View Related
Feb 7, 2012
I have a wap4410n. It was performing poorly. Only letting some computers on the wireless while not letting other. I was able to login into the device and I went through each of the settings pages to see if there was anything set wrong. I soon found there was a firmware upgrade available.
So over a wired connection I started the firmware upgrade after waiting 10+ minutes I was unable to reach the device and the web page said it was waiting for the ip address of the device. So I rebooted the device.
I can not ping the device. I can not see it on any subnet. I have tried the reset button multiple times.
The ethernet and power lights are on.
View 2 Replies
View Related
