ISE adding Domain Controllers to black list

Arne Bier
VIP

Hello

I have joined my ISE 2.3p1 to an AD forest which has two way trust relationship with a bunch of other AD forests.

As you can see below, I have selectively whitelisted a subset of these forests for my authentication. Two of those non-whitelisted domains (cap and devcap) are causing ISE to complain.

Q1: Why do I constantly see this stuff in the ISE CLI logs? I didn't blacklist them, and I don't see this for any other domain that I haven't whitelisted either. What is the difference between blacklisting and simply not using them?

06/02/2018 06:16:13,WARNING,140182414153472,Added to black list: domain=devcap.******** DC=a04wndm31.devcap.******** addr=161.143.153.140 TTL=06:16:23 reason=Network,lwadvapi/threaded/dcmanager.cpp:269

06/02/2018 06:16:16,WARNING,140182414153472,Added to black list: domain=cap.******** DC=a04wpdm61.cap.******** addr=161.143.155.22 TTL=06:16:26 reason=Network,lwadvapi/threaded/dcmanager.cpp:269

This stuff is clogging my Splunk database, and those guys charge by the MB.

Q2: I don't see a value for the Forest column for those two domains. Is that a problem for ISE? All the other domains have a forest value displayed.

I ran Diagnostic Tool (all tests) and I got no errors at all.

3 Replies

Nidhi
Cisco Employee

ISE will blacklist a domain controller if there is some network error, so that ISE does not use the bad DC and discovery is triggered to find a better DC.

Apart from any network connectivity issue, it is also possible that the firewall is dropping the packets.

More troubleshooting is needed here to find the cause of this. I would suggest engaging TAC to find the root cause of it.

I will be researching more for the 2nd question.

Thanks,

Nidhi

hslai
Cisco Employee (Accepted Solution)

For the two domains showing no forest, it's probably due to ISE unable to discover such info through DNS and/or Global Catalog queries. As they are not used for authentications, it should have no impact without forest info.

Hello again

I am still seeing these SYSLOGs on a daily basis. I have asked my customer about these two domains but no response yet.

The constant SYSLOG events that I am seeing are (and related to the two domains I don't care about):

  • INFO AD-Connector: DC removed from black list
  • INFO AD-Connector: DC added to black list
  • ERROR AD-Connector: DC discovery failed

I have joined ISE to a domain controller that has many two-way trust relationships.

I whitelisted only those domains that I can access for authentication.

I did NOT whitelist these two domains that are causing me grief. Yet it seems that ISE is going behind my back and trying to be overly clever. The result is a constant stream of SYSLOGs to Splunk. Why can't it simply ignore the domains that I explicitly didn't whitelist?
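The practical problem in this thread is log volume: the AD-connector blacklist events for domains ISE never authenticates against are noise, while the same event for a whitelisted domain would mean a real authentication risk. The script below is an added example, not code from the thread, from Cisco, or from ISE itself. It parses the `dcmanager.cpp` WARNING line format quoted in the original post, separates events for whitelisted domains (worth alerting on) from events for merely trusted domains (safe to summarise or drop before they reach a per-MB-billed SIEM), and returns the lines that are still worth forwarding. The sample log lines, the `example.test` domain names, the RFC 5737 addresses and the `WHITELIST` set are all constructed for this example, and the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BlacklistEvent:
    timestamp: str
    domain: str
    dc: str
    addr: str
    ttl: str
    reason: str


# Pattern for the AD-connector WARNING line format quoted in the post:
# "<ts>,<level>,<thread>,Added to black list: domain=<d> DC=<dc> addr=<ip> TTL=<t> reason=<r>,<source file>"
BLACKLIST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}),(?P<level>[A-Z]+),(?P<thread>\d+),"
    r"Added to black list: domain=(?P<domain>\S+) DC=(?P<dc>\S+) addr=(?P<addr>\S+) "
    r"TTL=(?P<ttl>\S+) reason=(?P<reason>[^,]+),(?P<src>\S+)$"
)

# Constructed sample lines modelled on the post's output; domain names, DC names and
# addresses are placeholders, not real infrastructure. The last line is an unrelated
# message to show that non-blacklist lines pass through untouched.
SAMPLE_LOG = """\
06/02/2018 06:16:13,WARNING,140182414153472,Added to black list: domain=devcap.example.test DC=a04wndm31.devcap.example.test addr=192.0.2.140 TTL=06:16:23 reason=Network,lwadvapi/threaded/dcmanager.cpp:269
06/02/2018 06:16:16,WARNING,140182414153472,Added to black list: domain=cap.example.test DC=a04wpdm61.cap.example.test addr=192.0.2.22 TTL=06:16:26 reason=Network,lwadvapi/threaded/dcmanager.cpp:269
06/02/2018 06:17:03,WARNING,140182414153472,Added to black list: domain=devcap.example.test DC=a04wndm31.devcap.example.test addr=192.0.2.140 TTL=06:17:13 reason=Network,lwadvapi/threaded/dcmanager.cpp:269
06/02/2018 06:18:40,WARNING,140182414153472,Added to black list: domain=corp.example.test DC=dc01.corp.example.test addr=192.0.2.10 TTL=06:18:50 reason=Network,lwadvapi/threaded/dcmanager.cpp:269
06/02/2018 06:19:00,INFO,140182414153472,Some unrelated message,lwadvapi/threaded/other.cpp:1
"""

# Constructed: the only domain this ISE node is configured to authenticate against.
WHITELIST = {"corp.example.test"}


def parse_blacklist_events(log_text: str) -> list[BlacklistEvent]:
    """Return one BlacklistEvent per 'Added to black list' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = BLACKLIST_RE.match(line.strip())
        if m:
            events.append(BlacklistEvent(m["ts"], m["domain"].lower(), m["dc"].lower(),
                                         m["addr"], m["ttl"], m["reason"]))
    return events


def triage(events, whitelisted_domains):
    """Split events by whether the affected domain is one ISE actually uses.

    Returns (alerts, noise), two Counters keyed by domain. 'alerts' covers whitelisted
    domains, where a blacklisted DC can degrade authentication and deserves a ticket;
    'noise' covers trusted-but-unused domains, where the event can be summarised
    instead of forwarded line by line.
    """
    allowed = {d.lower() for d in whitelisted_domains}
    alerts, noise = Counter(), Counter()
    for ev in events:
        (alerts if ev.domain in allowed else noise)[ev.domain] += 1
    return alerts, noise


def forward_lines(log_text: str, whitelisted_domains) -> list[str]:
    """Return the raw lines worth forwarding to the SIEM: everything except blacklist
    events for non-whitelisted domains, which triage() summarises as counts instead."""
    allowed = {d.lower() for d in whitelisted_domains}
    kept = []
    for line in log_text.splitlines():
        m = BLACKLIST_RE.match(line.strip())
        if m and m["domain"].lower() not in allowed:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    evts = parse_blacklist_events(SAMPLE_LOG)
    alerts, noise = triage(evts, WHITELIST)
    print("alert (whitelisted domain lost a DC):", dict(alerts))
    print("suppressed noise by domain:", dict(noise))
    for line in forward_lines(SAMPLE_LOG, WHITELIST):
        print("FORWARD:", line)
```

Run it over a captured ISE log file instead of `SAMPLE_LOG` and the `noise` counter gives a per-domain figure to hand to the AD team, while only the `corp.example.test` event and the unrelated INFO line are forwarded. If a whitelisted domain ever shows up in `alerts`, that is the case Nidhi's reply describes: a DC that is unreachable or firewalled from ISE, which does affect authentication and is worth a TAC case.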
