What is the time period for a domain to remain blacklisted in ISE 2.1?

bricrock
Cisco Employee

I saw another thread on this, marked as answered, but there was no detail on exactly how long ISE waits before trying to reconnect with a blacklisted DC.

Customer scenario: DC1 is patched in the middle of the day and is unavailable. ISE fails over to use DC2. Authentications continue to work, as expected. The server team patches DC2, rendering it unavailable, and authentications break. DC1 is online but apparently in some sort of blacklist, as authentications started working again "some time later" (longer than 30 minutes).

We should have some detailed documentation on how the AD Connector works in these scenarios relative to marking a DC as "down" and how long until it's marked "up" again.  Reading TAC case notes makes it seem like it should be fairly quick (5 seconds to 5 minutes), but observed behavior was much longer.  I also came across other information that seems to indicate it might be closer to two hours (depending on when the next domain trust operation happens).

Please advise.

Thank you,

Brian

2 Replies

Jason Kunst
Cisco Employee

Did you check the Cisco Live "All about AD" session by Chris Murray, the architect?

https://www.ciscolive.com/online/connect/speakerDetail.ww?PERSON_ID=17CE399413B917847EA70AE9590905FC&tclass=popup


kthiruve
Cisco Employee

A few things to remember…

Please make sure the forward DNS and reverse DNS lookup works in the environment.

Also, in the DC, please ensure AD sites are configured properly.

The AD connector queries DNS SRV records; the entire process uses the DC closest to the client site, based on the response sent from the DC.

Cisco ISE also provides the ability to define a list of preferred DCs per domain.

Thanks

Krishnan
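The following is an added example, not code from this thread or from Cisco ISE, that turns Krishnan's three checks into something a defender can run before opening a TAC case: it verifies that forward and reverse DNS agree for each DC, builds the site-specific and domain-wide DC-locator SRV names (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>` and `_ldap._tcp.dc._msdcs.<domain>`, the standard Active Directory locator records) and orders the answers by RFC 2782 priority and weight, and applies an administrator-defined preferred-DC list. The domain `example.local`, the site name `HQ`, the sample records, and the simplified model in which preferred DCs are tried before the SRV order are all constructed assumptions for illustration; the resolver functions are injectable so the module runs offline on that sample data and can be pointed at real lookups in production.

```python
"""Added example (not from the Cisco Community thread or from ISE):
DNS pre-flight checks for AD domain-controller discovery.

Assumptions: domain example.local, AD site HQ, and the sample records
below are constructed; the preferred-DC ordering is a simplified model.
"""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # DC hostname, e.g. "dc1.example.local"


def srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """Locator SRV names, most specific (site-scoped) first."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def check_dns_consistency(
    host: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0],
) -> Dict[str, object]:
    """Forward-resolve host, reverse-resolve the IP, and report whether they agree.
    A mismatch or failure here is the first thing to fix before looking at ISE."""
    result = {"host": host, "ip": None, "ptr": None, "ok": False, "error": None}
    try:
        ip = forward(host)
        result["ip"] = ip
        ptr = reverse(ip)
        result["ptr"] = ptr
        result["ok"] = ptr.rstrip(".").lower() == host.rstrip(".").lower()
    except (socket.herror, socket.gaierror, KeyError, OSError) as exc:
        result["error"] = str(exc)
    return result


def order_srv(records: List[SrvRecord], seed: Optional[int] = None) -> List[str]:
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total > 0 else 0
            running, chosen = 0, bucket[-1]
            for r in bucket:  # first record whose running weight reaches the pick wins
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen.target)
            bucket.remove(chosen)
    return ordered


def candidate_dcs(
    domain: str,
    site: Optional[str],
    srv_lookup: Callable[[str], Optional[List[SrvRecord]]],
    preferred: Optional[List[str]] = None,
    seed: Optional[int] = None,
) -> List[str]:
    """DC order a locator would try: site-scoped SRV answer if present, else the
    domain-wide one, with the configured preferred DCs moved to the front
    (simplified model of a per-domain preferred-DC list)."""
    srv_order: List[str] = []
    for name in srv_names(domain, site):
        records = srv_lookup(name)
        if records:
            srv_order = order_srv(records, seed)
            break
    preferred = [p.lower() for p in (preferred or [])]
    return preferred + [t for t in srv_order if t.lower() not in preferred]


# Constructed sample data: dc3 has a stale PTR record, which the check flags.
SAMPLE_FORWARD = {"dc1.example.local": "10.0.1.10",
                  "dc2.example.local": "10.0.1.11",
                  "dc3.example.local": "10.0.2.10"}
SAMPLE_REVERSE = {"10.0.1.10": "dc1.example.local",
                  "10.0.1.11": "dc2.example.local",
                  "10.0.2.10": "dc3-old.example.local"}
SAMPLE_SRV = {
    "_ldap._tcp.HQ._sites.dc._msdcs.example.local": [
        SrvRecord(0, 100, 389, "dc1.example.local"),
        SrvRecord(0, 100, 389, "dc2.example.local")],
    "_ldap._tcp.dc._msdcs.example.local": [
        SrvRecord(0, 100, 389, "dc1.example.local"),
        SrvRecord(0, 100, 389, "dc2.example.local"),
        SrvRecord(10, 100, 389, "dc3.example.local")],  # lower preference
}

if __name__ == "__main__":
    for dc in SAMPLE_FORWARD:
        print(check_dns_consistency(dc, SAMPLE_FORWARD.__getitem__, SAMPLE_REVERSE.__getitem__))
    print(candidate_dcs("example.local", "HQ", SAMPLE_SRV.get, preferred=["dc2.example.local"], seed=1))
```

Run against real infrastructure by leaving the resolver arguments at their defaults for `check_dns_consistency` and supplying an SRV lookup from your DNS library of choice; the point of the injectable lookups is that the same logic can be exercised offline on the constructed data first.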