Hi there!
I've been testing some ISE functionality and I ran into an issue where the ISE cannot join the AD domain if the later is placed in another switch where the ISE is located.
Both ISE and Microsoft AD are located in the same VLAN but across trunk link between the 2 switches. When they are connected to the same switch I can join/requester the ISE without issue but if they are connected to 2 different switches, the issue appears. I tested using the latest IOL L2 i86bi_LinuxL2-AdvEnterpriseK9-M_152_May_2018.bin
Anyone has any idea what might be wrong with the EvE or IOU image?
Thank you
ISE and AD accross Trunk links
Moderator: mike
-
Uldis (UD)
- Posts: 5080
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: ISE and AD accross Trunk links
Issue is your NTP server !!!
Make in lab one common NTP server for all devices, AD and ISE, and this will be sorted..
This IOL image is absolutely fine.
Just add some IOL router in topo in same vlan and make it as lab NTP server..
ISE and AD must have it as NTP source..
Uldis
Make in lab one common NTP server for all devices, AD and ISE, and this will be sorted..
This IOL image is absolutely fine.
Just add some IOL router in topo in same vlan and make it as lab NTP server..
ISE and AD must have it as NTP source..
Uldis
-
digital
- Posts: 5
- Joined: Fri Aug 25, 2017 12:33 pm
Re: ISE and AD accross Trunk links
Yes dear! 
I know that ISE and AD must have NTP and DNS correct config as a per-requistis before they can work.
My issue is as i described and if the issue was an NTP, it shouldn't work either if both ISE & AD sit the same switch!
Thank you for the help though
I know that ISE and AD must have NTP and DNS correct config as a per-requistis before they can work.
My issue is as i described and if the issue was an NTP, it shouldn't work either if both ISE & AD sit the same switch!
Thank you for the help though
-
Uldis (UD)
- Posts: 5080
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: ISE and AD accross Trunk links
It doesnt matter if your ISE and AD are on diff switches....
It works over all topology.. over trunks etc
It is proven and works
You can see in the lab below. AD is in other end of lab over trunks. I tested in diff vlans as well works fine.
Particular lab is using single management VLAN 101, over trunks..
For better logic I made SW2 as vlan 101 spanning-tree root SW.
In the lab used images
i86bi_LinuxL2-AdvEnterpriseK9-M_152_May_2018.bin as Switches
i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin as NTP and GW router
ISE 2.1
winserver 2016
Well it is your config issue then
It works over all topology.. over trunks etc
It is proven and works
You can see in the lab below. AD is in other end of lab over trunks. I tested in diff vlans as well works fine.
Particular lab is using single management VLAN 101, over trunks..
For better logic I made SW2 as vlan 101 spanning-tree root SW.
In the lab used images
i86bi_LinuxL2-AdvEnterpriseK9-M_152_May_2018.bin as Switches
i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin as NTP and GW router
ISE 2.1
winserver 2016
Well it is your config issue then
You do not have the required permissions to view the files attached to this post.
-
digital
- Posts: 5
- Joined: Fri Aug 25, 2017 12:33 pm
Re: ISE and AD accross Trunk links
Well, I really have no clue! I checked all of my config and verified the switching part, all looks good!
In the ISE error log i get this:
-------------------------------------------------------------------------------------
error name: ERROR_GEN_FAILURE
error code: 31
Connection to Domain.com was aborted due to general error: (empty)
-------------------------------------------------------------------------------------
My guess the packet gets corrupted for some reason.
Anyways, it's not a major thing because i can move the ISE to the same switch but i was just wondering what could be the issue of this!
Thank you for your help anyways, really appreciated!
In the ISE error log i get this:
-------------------------------------------------------------------------------------
error name: ERROR_GEN_FAILURE
error code: 31
Connection to Domain.com was aborted due to general error: (empty)
-------------------------------------------------------------------------------------
My guess the packet gets corrupted for some reason.
Anyways, it's not a major thing because i can move the ISE to the same switch but i was just wondering what could be the issue of this!
Thank you for your help anyways, really appreciated!
-
Uldis (UD)
- Posts: 5080
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: ISE and AD accross Trunk links
show me your ISE sh run config
It looks like domain, IP name server issues in ISE cfg
Uldis
It looks like domain, IP name server issues in ISE cfg
Uldis