Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
539
Views
4
Helpful
9
Replies

ISE Mail Delivery is not working on 2 nodes, if one node is shut down

mgollob
Level 1
Level 1

‎02-12-2024 06:07 AM

Hello,
I am in the process of implementing an ISE Guest solution. I have 2 nodes for redundancy reasons. I send the approval and the credentials for the guests via mail.
I have 2 questions about this. If I shut down my primary node so that the backup node takes over, then the e-mail delivery no longer works. However, I can still access guests and the sponsor portal without any problems. Is there anything else to configure in the SNMP settings? If I go to the backup node and the primary node is still active and trigger the registration via the backup node, then the e-mail delivery works.

The other question would be, since I have two sponsor portals, because there are two ISE nodes and they have different IP addresses, I wanted to ask how I can make it so that the FQDN of the sponsor portal was always sent in the mail, on which ISE the self-registration was carried out? So for example guest registers on guestise01.example.com, then the link of the sponsor portal of sponsor.guestiese01.example.com should be sent in the approval mail. If the guest registers at guestise02.example.com, then the link of the sponsor portal sponsor.guestise02.example.com should be sent in the mail. I hope you know what I mean.

Labels:
0 Helpful
9 Replies 9

ahollifield
VIP
VIP

‎02-12-2024 11:10 AM

Are you promoting the secondary node to Primary Admin Node?  Or just shutting it down?  An active PAN is required for guest registration (this would include the guest email AFAIK).  Also note the limitations on a two node deployment when it comes to promoting secondary admin node to primary.  You may wish to consider a three node deployment or a medium deployment. https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Why do you have two sponsor portals?  You should only have one.  Use a DNS entry like sponsor.example.com that resolves to both PSN IPs.

mgollob
Level 1
Level 1
In response to ahollifield

‎02-13-2024 03:49 AM

No, I do not promote the second instance as primary. The guest network should be set up redundantly. There is one ISE at each of the different locations. These ISE instances are in one deployment. Both IP addresses are entered as radius servers on the WLC. If I switch off an ISE instance, I am also redirected to the correct self-registration portal. That works so far. The guest can also register here and the request can be recognized and approved in the sponsor portal. I can't say whether I can then connect to the network when I click on approve in the sponsor portal and then get the credentials, I haven't tested it yet, but I think I can. The problem I have here is that no approval mails are sent out when a node goes down. According to your link, the guest access can also be found on the PSN and not on the PAN. I would just like to have redundancy in case an instance goes down, so that everything still works normally for the user.

I have two sponsor portals due to redundancy. I know that the portal runs on both instances. However, the problem is that several IPs can be assigned in the DNS, but these are processed in a round-robin procedure. In other words, if one instance fails, the DNS server usually doesn't notice because it has no health checks and could then forward the traffic to the wrong IP. For this reason, there are two portals. One points with the IP to one ISE and the other with the IP to the other ISE.

 

0 Helpful

Rich R
VIP
VIP
In response to mgollob

‎02-18-2024 02:34 AM

the problem is that several IPs can be assigned in the DNS, but these are processed in a round-robin procedure
Yes it's not ideal but clients handle this kind of setup all the time.  It'll take a short while to timeout the request if it selects the dead IP first but then it will switch to the second IP.  Hopefully failed ISE will not be a common occurrence!

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

mgollob
Level 1
Level 1
In response to ahollifield

‎02-14-2024 12:08 AM

I also found an Answer describing, that the sponsor and guest notification will be send through the PSN. 

(https://community.cisco.com/t5/network-access-control/cisco-smtp-messages-sent-from-which-node/td-p/2902139)

mgollob_0-1707897979985.png

 

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to mgollob

‎02-14-2024 01:28 PM

I suspect this point is moot considering, as @ahollifield also stated, there are various Guest-related functions that are not available when the Primary PAN is down. See the list of functions here - https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_deployment.html#ID59

Among others, it specifically states that creation of New Guest accounts in not available when the Primary PAN is down.

I would suggest promoting the Secondary PAN to Primary and testing the Guest creation and email notification, as that is how the solution is intended to work.

mgollob
Level 1
Level 1
In response to Greg Gibbs

‎02-14-2024 11:03 PM

yes, if I promote the second node as primary, it works. Is there no way to do this automatically? It is not possible to install a third node. This is not a redundancy for me if I still have to intervene manually?

0 Helpful

Aref Alsouqi
VIP
VIP
In response to mgollob

‎02-15-2024 01:55 AM

I don't believe it is possible to activate the auto-failover with a two nodes deployment.

ahollifield
VIP
VIP
In response to mgollob

‎02-15-2024 05:09 AM - edited ‎02-15-2024 05:27 AM

You can enable PAN auto failover here (once you add a 3rd node).  Just note though, that services will restart on BOTH admin nodes when you do this so there will be a period in which ISE guest registrations and email notifications will be completely down.  This is why I always recommend a three node deployment (an additional PSN) or a Medium Deployment at minimum.  

mgollob
Level 1
Level 1

‎02-15-2024 01:58 AM

Is it possible for me to script it? Can I promote via the CLI or can I do it via the API?

0 Helpful
Customers Also Viewed These Support Documents