ISE and AD across Trunk links

Posted: Mon Jan 07, 2019 9:12 am
by digital
Hi there!
I've been testing some ISE functionality and I ran into an issue where the ISE cannot join the AD domain if the latter is placed on a different switch from the one where the ISE is located.
Both ISE and Microsoft AD are located in the same VLAN but across a trunk link between the 2 switches. When they are connected to the same switch I can join/requester the ISE without issue, but if they are connected to 2 different switches, the issue appears. I tested using the latest IOL L2 i86bi_LinuxL2-AdvEnterpriseK9-M_152_May_2018.bin

Does anyone have any idea what might be wrong with the EvE or IOU image?

Thank you

Re: ISE and AD across Trunk links

Posted: Mon Jan 07, 2019 10:48 am
by Uldis (UD)
The issue is your NTP server!!!
Set up one common NTP server in the lab for all devices, AD and ISE, and this will be sorted.
This IOL image is absolutely fine.

Just add some IOL router to the topo in the same VLAN and make it the lab NTP server.
ISE and AD must have it as their NTP source.
Uldis

Re: ISE and AD across Trunk links

Posted: Tue Jan 08, 2019 6:13 am
by digital
Yes dear! :)
I know that ISE and AD must have correct NTP and DNS config as a prerequisite before they can work.
My issue is as I described, and if the issue was NTP, it shouldn't work either if both ISE & AD sit on the same switch!

Thank you for the help though :)

Re: ISE and AD across Trunk links

Posted: Tue Jan 08, 2019 9:27 am
by Uldis (UD)
It doesn't matter if your ISE and AD are on diff switches.
It works over all topologies, over trunks, etc.
It is proven and works.
You can see it in the lab below. AD is at the other end of the lab, over trunks. I tested in diff VLANs as well; works fine.
This particular lab is using a single management VLAN 101, over trunks.
For better logic I made SW2 the VLAN 101 spanning-tree root SW.

Images used in the lab:
i86bi_LinuxL2-AdvEnterpriseK9-M_152_May_2018.bin as Switches
i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin as NTP and GW router
ISE 2.1
winserver 2016

Well, it is your config issue then :)

Re: ISE and AD across Trunk links

Posted: Wed Jan 09, 2019 2:45 am
by digital
Well, I really have no clue! I checked all of my config and verified the switching part; all looks good!
In the ISE error log I get this:
-------------------------------------------------------------------------------------
error name: ERROR_GEN_FAILURE
error code: 31

Connection to Domain.com was aborted due to general error: (empty)

-------------------------------------------------------------------------------------

My guess is the packet gets corrupted for some reason.
Anyways, it's not a major thing because I can move the ISE to the same switch, but I was just wondering what could be the cause of this!

Thank you for your help anyways, really appreciated!

Re: ISE and AD across Trunk links

Posted: Wed Jan 09, 2019 9:09 am
by Uldis (UD)
Show me your ISE sh run config.
It looks like domain, IP name server issues in the ISE cfg.

Uldis