
ISE Sync issue after upgrade 3.2

craiglebutt
Level 4

In the middle of an update from 2.7 to 3.2. Currently each has 1 PSN and 2 PAN.
Currently running both in parallel due to an issue.


Built the new node, imported the backup from the 2.7, registered certificates, configured as a PAN as well and tested authentication for devices. Added to more nodes as PSN.


We use iPSK a lot. I put some devices into a delete endpoint group for housekeeping, added the extra PSN.
I moved some devices out of the to delete group into the correct group. This was working, then loads of devices stopped authenticating; the PAN had the device in the correct endpoint group and the PSN was saying it was in the to delete group, so failing authentication.


Under deployment the signs are green, so carried out a manual update. This fixed the issue once, but then testing in a lab to make sure all was working, if a device was in a certain endpoint group and moved to another endpoint group I would have to manually sync, which causes the PSNs to reboot.


What do you mean by "to delete"? 

It is just an endpoint group I created to move the rubbish into.

For what exactly?  Why not just delete the rubbish?

Missing the issue: whatever endpoint I use, and move a device, the sync is not working. The to delete was just a group. Have to do a manual sync which reboots the node, and any changes again require a manual sync.

Luckily will have TAC call Monday now as will be in the same time zone

This should never need to happen.  What is the network transport between the two nodes?  Any alarms in the deployment regarding replication or queue link alarms?

Hi

TAC say the Context Visibility should be updated in real-time when changes are made to the session directory. It's possible the database has been out of sync for some time (even from a prior upgrade maybe?). Have tried to resync, but it didn't work, so have to rebuild the node.