CiscoISE / ciscoise-terraform-automation-aws-nodes

CiscoISE End to End deployment and configuration via Terraform for AWS
Apache License 2.0

Support for external DNS and NTP servers #12

Open bando483 opened 1 month ago

bando483 commented 1 month ago

Is there an existing issue for this?

Description

Hi, I'm working with Terraform/Python scripts to deploy a full ISE environment, but I have a private DNS and domain controller server, so I would like not to use Route53 but instead rely on my Active Directory. I have some questions about this:

1. If I comment out / don't use the whole Route53 module, is the deployment expected to work? Actually, the Terraform deploy ended successfully and the state machine functioned as well, but the PSN and secondary PAN seem not registered to the primary PAN.
2. I need to set 2 DNS servers, but the script only foresees setting a single primarynameserver; how can I set a second one?
3. Same question as for point 2, but regarding the NTP server.

Thanks, Alessio

New or Affected Resource(s)/Data Source(s)

NEW

Potential ISE Automation Configuration

Could something like the following in userdata.tftpl work?

primarynameserver=${primarynameserver}
secondarynameserver=${secondarynameserver}
primaryntpserver=${primaryntpserver}
secondaryntpserver=${secondaryntpserver}
bhadeshp commented 1 month ago

Hi @bando483, thanks for reaching out. We are checking this and will get back to you.

sudhanss commented 1 month ago

Hi Alessio (@bando483),

To debug this further, could you please confirm the points below:

1. Is the state machine execution successful?
2. If you have used your private DNS, could you please confirm whether the same got configured during ISE installation? To check this you can execute show running-config on all ISE nodes and look for "ip name-server" and "ntp server".
3. Please confirm that DNS is reachable from all ISE nodes, that DNS has correct host entries for the installed ISE nodes with the correct IPs, and that the deployed ISE nodes are able to resolve the other ISE nodes' FQDNs.
4. Could you please also share a screen capture of the Primary Admin node Deployment page UI?

Please note that when we use the Terraform script to deploy an ISE cluster with a new VPC, the ISE nodes are deployed in a private subnet, where configuring private DNS reachability before deployment starts is not possible until we monitor the Terraform execution and update the VPC/private subnet to reach the private DNS, so even if the Terraform execution succeeds, deployment formation will fail.

If we use these scripts to deploy an ISE cluster in an existing VPC, then the deployment will be successful (provided the right DNS/NTP are configured in the ISE nodes; refer to point 2).

As of now, up to Cisco ISE release 3.3, multiple DNS/NTP servers in the cloud are not supported. We have this feature coming in Cisco ISE release 3.4, and the Terraform scripts and README will be updated accordingly to use it.

Thanks & Regards, Sudhanshu

bando483 commented 1 month ago

Hi

Thanks for the feedback on multiple DNS/NTP; I'm going to wait for the next release.

Regarding the error, I confirm that reachability of DNS is present, but I noticed an issue in the DNS entries, so I guess this is why the nodes have not been registered. Could it be?

By the way, the state machine ended successfully even though the nodes are not registered, and I guess this is a bug since I expected a failure of the state machine.

Regards, Alessio

sudhanss commented 1 month ago

Yes, you are right. If the DNS entries are not correct for the deployed ISE nodes, then ISE deployment node registration will fail.

However, if the state machine execution shows success even after failed node registration, then it could be a possible bug. To confirm that, could you please share the state machine execution logs?

Thanks & Regards, Sudhanshu

bando483 commented 1 month ago

Hi, sorry, but I have already destroyed the non-working deployment.

Do you have any chance to test it on your side?

Regards, Alessio


bando483 commented 1 month ago

Hi

I deployed an infrastructure in the Milan region with 2 PAN/MTRs and 4 PSNs.

The deploy ended successfully via Terraform, and all the nodes can reach the DNS and NTP and can be pinged.

The state machine ended with this error; please see the screenshots below.

Can you please support me? Alessio


sudhanss commented 1 month ago

I do not see a screen capture here, Alessio (@bando483). Could you please help me with the CloudWatch logs for the failed state to debug the issue?

sudhanss commented 1 month ago

Update: I am able to reproduce the issue where the Step Function workflow succeeds even if node registration fails. This is a bug in the code; we will fix it by enhancing error handling for the register-node state. Please note this does not impact the positive flow. In the above scenario, as DNS was not reachable from the ISE nodes, deployment register-node failed; however, the same was not reflected in the Step Function state due to missing error handling.
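An added example (not the project's own code) tying together the check suggested earlier in this thread (inspect show running-config for "ip name-server" and "ntp server") and the error-handling gap described above: the audit compares a node's configured DNS/NTP against what the deployment expected, and the task wrapper raises instead of returning success, so a Step Functions task state built on it is marked failed rather than silently passing. The running-config text, the event shape and the server addresses are constructed assumptions.

```python
"""Audit an ISE node's DNS/NTP configuration and fail loudly on mismatch.
Added illustration, not from the CiscoISE Terraform project; the config
sample, event shape and addresses below are constructed."""
import re

# Constructed sample of what 'show running-config' prints on one ISE node.
SAMPLE_RUNNING_CONFIG = """\
hostname ise-psn-01
ip domain-name corp.example
ip name-server 10.10.0.2
ntp server 10.10.0.3
ntp server 169.254.169.123
"""


class NodeConfigError(Exception):
    """Raised so the calling Step Functions task state is marked failed."""


def parse_dns_ntp(running_config):
    """Return (name_servers, ntp_servers) sets found in running-config text."""
    dns, ntp = set(), set()
    for line in running_config.splitlines():
        line = line.strip()
        m = re.match(r"ip name-server\s+(.+)", line)
        if m:                       # several addresses may share one line
            dns.update(m.group(1).split())
        m = re.match(r"ntp server\s+(\S+)", line)
        if m:                       # keep only the host, ignore trailing options
            ntp.add(m.group(1))
    return dns, ntp


def audit_node(running_config, expected_dns, expected_ntp):
    """Compare a node's DNS/NTP against the expected sets; return findings."""
    dns, ntp = parse_dns_ntp(running_config)
    return {
        "missing_dns": sorted(set(expected_dns) - dns),
        "unexpected_dns": sorted(dns - set(expected_dns)),
        "missing_ntp": sorted(set(expected_ntp) - ntp),
        "unexpected_ntp": sorted(ntp - set(expected_ntp)),
    }


def check_node_task(event):
    """Task body for an assumed event {node, running_config, expected_dns,
    expected_ntp}: raise on any finding so the workflow cannot report success."""
    findings = audit_node(event["running_config"],
                          event["expected_dns"], event["expected_ntp"])
    problems = {k: v for k, v in findings.items() if v}
    if problems:
        raise NodeConfigError(f"{event['node']}: {problems}")
    return {"node": event["node"], "status": "ok"}
```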

bando483 commented 1 month ago

Have you already fixed the bug, and is the code already available? I would like to use more stable code in my production deploy, expected for tomorrow end of day Italy time. Thanks. Sent from iPhone


sudhanss commented 1 month ago

Fix is in progress, we will update once changes are merged.