AD Connector had to be restarted. Server=isepsn1

I am running ISE 3.0 patch-3.  For the past two weeks, I see this message in ISE from one of my PSN nodes

AD Connector had to be restarted. Server=isepsn1

The tcpdump on the network showed that the RST packet comes from the Active Directory server at the exact time I see this message in ISE.  Is this an issue with ISE or AD?  Thoughts?
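One way to make the observation above repeatable is to correlate the timestamps of the ISE alarm with the TCP RST packets the AD server sent in the capture. The script below is an added example for this thread, not Cisco's code or an ISE feature; it assumes tcpdump text output with the `-tttt` timestamp style, an operator-supplied AD server address and alarm times, and uses constructed sample lines (addresses 10.0.0.5 for AD and 10.0.0.20 for the PSN are made up).

```python
"""Correlate ISE 'AD Connector had to be restarted' alarms with TCP RSTs
sent by the AD server, as seen in a tcpdump capture taken on the PSN.

Added example, not Cisco's code. Assumes tcpdump text output with '-tttt'
timestamps (YYYY-MM-DD HH:MM:SS.ffffff). All sample data is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample capture: two resets from the AD server (10.0.0.5, on the
# LDAPS and Kerberos ports) and one unrelated SYN from the PSN (10.0.0.20).
TCPDUMP_SAMPLE = """\
2023-05-10 09:14:02.118344 IP 10.0.0.5.636 > 10.0.0.20.50412: Flags [R.], seq 1, ack 1, win 0, length 0
2023-05-10 09:14:02.400120 IP 10.0.0.20.50413 > 10.0.0.5.636: Flags [S], seq 12345, win 64240, length 0
2023-05-10 11:30:45.001000 IP 10.0.0.5.88 > 10.0.0.20.50500: Flags [R], seq 0, win 0, length 0
"""

# Constructed sample alarm times, as read from the ISE alarm list (second resolution).
ISE_ALARM_TIMES = ["2023-05-10 09:14:03", "2023-05-10 15:00:00"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_rst_packets(capture_text, ad_server):
    """Return (timestamp, src, sport, dst, dport) for each TCP RST sent by ad_server."""
    packets = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an IPv4 TCP summary line
        if "R" not in m.group("flags") or m.group("src") != ad_server:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        packets.append((ts, m.group("src"), int(m.group("sport")),
                        m.group("dst"), int(m.group("dport"))))
    return packets


def correlate_alarms(alarm_times, rst_packets, window_seconds=5):
    """Map each alarm time to the RST packets seen within +/- window_seconds of it."""
    window = timedelta(seconds=window_seconds)
    result = {}
    for alarm in alarm_times:
        alarm_ts = datetime.strptime(alarm, "%Y-%m-%d %H:%M:%S")
        result[alarm] = [p for p in rst_packets if abs(p[0] - alarm_ts) <= window]
    return result


def summarize(correlation):
    """One verdict line per alarm: an RST from AD around the alarm points at the
    AD/network side; no RST means start with ad_agent.log on the PSN instead."""
    lines = []
    for alarm, hits in correlation.items():
        if hits:
            ports = sorted({p[2] for p in hits})
            lines.append(f"{alarm}: {len(hits)} RST(s) from AD on port(s) {ports} "
                         "-> investigate AD/network side")
        else:
            lines.append(f"{alarm}: no RST from AD within window "
                         "-> check ad_agent.log on the PSN")
    return lines


if __name__ == "__main__":
    rsts = parse_rst_packets(TCPDUMP_SAMPLE, "10.0.0.5")
    for line in summarize(correlate_alarms(ISE_ALARM_TIMES, rsts)):
        print(line)
```

Run it against a real capture by replacing TCPDUMP_SAMPLE with the file contents and ISE_ALARM_TIMES with the alarm timestamps; an alarm with no matching RST in the window is the case where the PSN-side log is the better starting point.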


10 Replies

@ahollifield :  you sound like true Cisco TAC engineer with the "upgrade to the latest patch" comment instead of trying to figure out what the issue is, LOL....

lol they do have a point though.  Patch 3 was released July 27, 2021 so almost two full years ago.  That's an ancient time in software lifecycle with zero vulnerability or bug fixes.  Within that timeframe two new major releases of ISE have also been released.

LOL...Yes, but ISE 3.2 is severely "broken" and not too many people are using it

You don't know if upgrading to the latest patch will fix the issue instead of investigating the actual issue and confirm whether the latest patch will fix it.  Not hoping the latest patch will fix it.

Can you elaborate on "Severely broken"?  I know of several deployments running 3.2 Patch 1 expressly for the Azure AD integration for EAP-TLS authorization without issue.  

That's true, I don't know that; I'm just offering a potential fix that might save time troubleshooting.  It's something that should be done anyways...

@ahollifield:  Severely broken as:  1- Integration with Active Directory doesn't work; 2- External authentication with radius server (the external radius is another Cisco ISE) does not work; 3- ssh stops working for no reason (tcpdump showed ssh requests get to the ISE server but no ssh reply).  I am sure there are other things that are not working but I am still stuck on item #1 and #2 because it is a show stopper for me so far.

Interesting, do you have TAC cases open for these?  I have several 3.2 deployments joined to on-prem AD without issue.  I haven't tested the external RADIUS server configuration on 3.2 but I am curious on the use-case for relaying to another ISE deployment.  Is this for a migration?

@ahollifield:  Yes, my ISE 3.2 patch-2 does NOT have issue with joining Active Directory.  It joins just fine and I can also test the user.  However, when I attempted to create a wireless guest user with AD credential, I didn't see any communications between ISE and AD servers.  Yes, I have multiple tickets open with TAC on many issues regarding ISE 3.2, and they are very slow in responding so far.

Hi @adamscottmaster2013 ,

please try to find a clue by "debugging" the ad_agent.log:

- GUI: Administration > System > Logging > Debug Log Configuration > select the PSN > Active Directory, from Warn to Debug or Trace.

- CLI:

ise/admin# show logging application ad_agent.log

Hope this helps !!!

A colleague of mine opened a TAC case with Cisco for this exact issue and the TAC is not very helpful.  It looks like not even TAC is very knowledgeable with this product.  Cisco's response:  please upgrade to patch-8.