In fact, when the error didn’t occur, no one had an issue completing the self registration form and signing into the guest wireless. All APs were Flexconnect, but there was no issue with the redirect URL and actually getting the guest login page.
The platform was Cisco ISE 2.3 with no patches, and the wireless controller was an HA pair of Cisco 5508s. Bad Request,The request is invalid due to malformed syntax or invalid dataĪnd here’s what I did to troubleshoot and eventually fix it. It resulted in end-users seeing an intermittent but frequent error when they connected to the guest wireless getting the redirect URL to the guest portal page on Cisco Identity Services Engine 2.3. The splash page seemed to load fully, but there was always a small spinning circle in the center suggesting something on the page didn’t quite finish loading. Our topology is pretty simple, we have a two nodes deployment.I had to deal with an issue with a wireless network guest portal for a customer recently that had me and TAC stumped for a month. This command shows a whole lot of things, but I consider it pretty useful and I use it a lot. The old primary PAN will keep being the new secondary PAN in the deployment.Ī good CLI command you can use to keep an eye on the synch progress is show logging system ade/ADE.log tail. Which means if you promote manually the secondary PAN to become the primary, or if you have a deployment with three or more nodes and you have the auto failover enabled, when the old primary comes back online, ISE will not re-promote it to become the primary again. The other thing to remember is that with ISE failover in general there is no preemption. In that case, the closest to the primary PAN will monitor the primary PAN, and the closes to the secondary PAN will monitor the secondary PAN. However, we can also use two health checker nodes. When the primary PAN goes down, the health checker node will send a request to the secondary PAN to promote to the primary. The extra node will act as a health checker to the primary PAN. This extra node can be a PSN as an example. Two will be the two PANs, and one extra node. ISE auto failover requires at a minimum three nodes. But if any of those sessions happened to time out and needs to re-authenticate while the applications did not complete the restart, the authentication might fail.Ī couple of things to remember with ISE failover is that in an ISE two nodes deployment there is no possibility to run an auto failover. That is because those authenticated sessions have been already served by ISE nodes. However, the dot1x and MAB authenticated users or devices should not be affected by this operation. That is due to the application services restarting. During the promotion process any logged user to the management console will be kicked off. The whole operation might take up to 15 minutes based on what I have seen on different deployments so far. Also, the application services on both nodes are going to be restarted. When we promote the secondary PAN to be the primary, a whole synch between the two nodes will happen. So, to promote the secondary PAN to be the primary we need to log into the secondary PAN, and promote it manually from there. The process is pretty easy, the only thing is that there would not be a way to do this from the primary PAN.
#CISCO ISE 2.4 REPLACE NODE HOW TO#
In this post I will show you how to promote ISE secondary PAN to be the primary.
0 kommentar(er)
