Support for external DNS and NTP servers #12
Comments
|
Hi @bando483 - Thanks for reaching out, we are checking this and will get back to you |
|
Hi Alessio (@bando483), To debug this further could you please confirm below points - 1- Is the state machine execution successful? Please note when we use terraform script to deployment ISE cluster with New VPC, ISE nodes are deployed in Private subnet, where configuring private DNS reachability before deployment starts is not possible until we monitor terraform execution and update VPC/Private subnet to reach to private DNS, so even if terraform execution succeeds, deployment formation will fail. If we use these script to deploy ISE cluster in existing VPC then Deployment will be successful. (Provided right DNS/NTP are configured in ISE nodes, refer point#2) As of now till Cisco ISE release 3.3, multiple DNS/NTP in cloud is not supported, We have this feature coming up in Cisco ISE release 3.4 and accordingly terraform scripts and README will be updated to use the same. Thanks & Regards, |
|
Hi thank for the feedback on multiple DNS/NTP.. i'm gonna wait for next release. regarding the error, I confirm reachability of DNS is present but I noticed an issue on DNS entries, so I guess this is why the nodes have not been registered. could it be? by the wait, the state machine ended successfully even though the nodes are not registered and I guess this is a bug since I expected a failure of STate Machine regards |
|
Yes, you are right. If DNS entries are not correct as per ISE deployed ISE nodes, then ISE Deployment node registration will fail. however, if state machine executed shows success even after failed node registration, then it could be a possible bug. To confirm that could you please share state machine execution logs? Thanks & Regards, |
|
Hi
Sorry, but I have already destroyed the not working deployment.
Do you have any chance to test it on your side?
Regards
Alessio
From: Sudhanshu Sharma ***@***.***>
Sent: jeudi 25 juillet 2024 10:58
To: CiscoISE/ciscoise-terraform-automation-aws-nodes ***@***.***>
Cc: Bandini Alessio ***@***.***>; Mention ***@***.***>
Subject: Re: [CiscoISE/ciscoise-terraform-automation-aws-nodes] Support for external DNS and NTP servers (Issue #12)
CAUTION! This message was sent from OUTSIDE of the company.
Please do not provide any confidential information or click on any link and attachment unless you recognize the sender.
Yes, you are right. If DNS entries are not correct as per ISE deployed ISE nodes, then ISE Deployment node registration will fail.
however, if state machine executed shows success even after failed node registration, then it could be a possible bug. To confirm that could you please share state machine execution logs?
Thanks & Regards,
Sudhanshu
—
Reply to this email directly, view it on GitHub<#12 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASRQW2OSRV6MY7JZLXOZ2QLZOC4Y7AVCNFSM6AAAAABLDB3K3WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBZHAZDGMBWGM>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi
I deployed an infrastructure on Milan Region with 2 PAN/MTRs and 4 PSNs.
the deploy ended successfully via terraform and all the nodes can reach the DNS and NTP and can be pinged
The State Machine ended with this error; please see the screenshots below
***@***.***
***@***.***
Can you please support me?
Alessio
From: Sudhanshu Sharma ***@***.***>
Sent: lundi 22 juillet 2024 20:39
To: CiscoISE/ciscoise-terraform-automation-aws-nodes ***@***.***>
Cc: Bandini Alessio ***@***.***>; Mention ***@***.***>
Subject: Re: [CiscoISE/ciscoise-terraform-automation-aws-nodes] Support for external DNS and NTP servers (Issue #12)
CAUTION! This message was sent from OUTSIDE of the company.
Please do not provide any confidential information or click on any link and attachment unless you recognize the sender.
Hi Alessio ***@***.***<https://github.com/bando483>),
To debug this further could you please confirm below points -
1- Is the state machine execution successful?
2- If you have used your private DNS, could you please confirm if the same got configured during ISE installation? To check this you can execute show running-config in all ISE nodes and look for “ip name-server” and “ntp server“.
3- Please confirm is DNS is reachable from all ISE nodes and DNS has correct hosts entries as per installed ISE nodes with correct IPs and deployed ISE nodes are able to resolve other ISE nodes FQDN?
4- Could you please also share Primary Admin node Deployment page UI screen capture?
Please note when we use terraform script to deployment ISE cluster with New VPC, ISE nodes are deployed in Private subnet, where configuring private DNS reachability before deployment starts is not possible until we monitor terraform execution and update VPC/Private subnet to reach to private DNS, so even if terraform execution succeeds, deployment formation will fail.
If we use these script to deploy ISE cluster in existing VPC then Deployment will be successful. (Provided right DNS/NTP are configured in ISE nodes, refer point#2)
As of now till Cisco ISE release 3.3, multiple DNS/NTP in cloud is not supported, We have this feature coming up in Cisco ISE release 3.4 and accordingly terraform scripts and README will be updated to use the same.
Thanks & Regards,
Sudhanshu
—
Reply to this email directly, view it on GitHub<#12 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASRQW2IT7UF4IX4MSQ5MOKDZNVGS3AVCNFSM6AAAAABLDB3K3WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBTGU4DGMRRGI>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
I do not see screen capture here Alessio(@bando483 ), Could you please help me with the cloudwatch logs for failed state to debug the issue. |
|
Update - I am able to reproduce the issue where Step Function work flow succeeds even if node registration fails. This is a bug in code , we will fix it by enhancing error Handling for register node state. |
|
Have you already fixed the bug and the code is already available? I would like to use more stable code in my production deploy.. expected for tomorrow end of day Italy time
Thanks
Inviato da iPhone
Il giorno 28 lug 2024, alle ore 10:42, Sudhanshu Sharma ***@***.***> ha scritto:
CAUTION! This message was sent from OUTSIDE of the company.
Please do not provide any confidential information or click on any link and attachment unless you recognize the sender.
Update - I am able to reproduce the issue where Step Function work flow succeeds even if node registration fails. This is a bug in code , we will fix it by enhancing error Handling for register node state.
—
Reply to this email directly, view it on GitHub<#12 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASRQW2LDHD4BN5LVP6RF74TZOSVGVAVCNFSM6AAAAABLDB3K3WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJUGM4TMOBZGY>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Fix is in progress, we will update once changes are merged. |
Is there an existing issue for this?
Description
Hi
I'm working with terraform /python scripts to deploy an full ISE environment but I have a private DNS and Domain controller server so I would like to not use Route53 but instead rely on my Active Directory. I have some questions for this:
1- if I comment / unuse the whole Route53 module is the deployment expected to work? Actually terraform deploy ended successfully and state machine function as well but PSN and Secondary Pan seems not registered to primary PAN.
2- I need to set 2 DNS server but the script foresees just to set a single primarynameserver; how can I set a second one?
3- same question for bullet 2, but regarding ntp server.
thanks
Alessio
New or Affected Resource(s)/Data Source(s)
NEW
Potential ISE Automation Configuration
The text was updated successfully, but these errors were encountered: