[Lesson Learned] Changing Name Server on Cisco ISE 1.2 Deployment
If you ever experience a DNS resolution failure on Cisco ISE with Active Directory integration, it can cause AD to be disconnected, and every authentication against AD will then be dropped (RADIUS Request Dropped).
Here is the captured image of the DNS resolution failed alarms:
We need to make sure that ISE can ping the DNS server and then change the name server to that DNS.
It can be a little tricky, as we need to remove DNS 1 and (if any) DNS 2 before adding the new name server to the list. If we don’t do that first, our new name server IP address will be placed last in the list, which means ISE will query the first name server before reaching the next ones. We can add up to 3 DNS servers to an ISE deployment. So here are the steps:
Check the name servers configured on ISE with the command “show run | in name-server”
ise-packetnotes/admin# sh run | in name-server
ip name-server 10.159.35.101 8.8.8.8
Then we need to remove the name servers currently configured. If we only want to add a third name server, we don’t need to remove the first two.
ise-packetnotes/admin(config)# no ip name-server 10.159.35.101
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE for the change to take effect.
Do you want to restart ISE now? (yes/no) no
ise-packetnotes/admin(config)# no ip name-server 8.8.8.8
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE for the change to take effect.
Do you want to restart ISE now? (yes/no) no
Do not restart ISE yet; we will restart it after we have provided the correct name servers.
ise-packetnotes/admin(config)# ip name-server 10.159.148.236 8.8.8.8
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE for the change to take effect.
Do you want to restart ISE now? (yes/no) yes
After that, ISE will restart. The restart duration depends on the hardware resources allocated to ISE. To verify that all processes are running well after the restart, we can check with the command “show application status ise”. During the restart we can still ping the server, but because the ISE Application Server is not yet running, we cannot access the ISE GUI until it comes up.
ise-packetnotes/admin# sh application status ise
ISE Database listener is running, PID: 22529
ISE Database is running, number of processes: 36
ISE Application Server is running, PID: 24757
ISE Profiler DB is running, PID: 23626
ISE M&T Session Database is running, PID: 23584
ISE M&T Log Collector is running, PID: 24840
ISE M&T Log Processor is running, PID: 24923
Make sure the name servers have been changed to the correct ones and that the new DNS server is reachable.
ise-packetnotes/admin# sh run | in name-server
ip name-server 10.159.148.236 8.8.8.8
ise-packetnotes/admin# ping 10.159.148.236
PING 10.159.148.236 (10.159.148.236) 56(84) bytes of data.
64 bytes from 10.159.148.236: icmp_seq=1 ttl=127 time=0.232 ms
64 bytes from 10.159.148.236: icmp_seq=2 ttl=127 time=0.241 ms
64 bytes from 10.159.148.236: icmp_seq=3 ttl=127 time=0.244 ms
64 bytes from 10.159.148.236: icmp_seq=4 ttl=127 time=0.320 ms
--- 10.159.148.236 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.232/0.259/0.320/0.037 ms