topic Re: Correct procedure of restoring operational backup by CLI command for distributed system in Network Access Control

Correct procedure of restoring operational backup by CLI command for distributed system

masyamad — Sun, 19 Aug 2018 17:37:18 GMT

Hi Team,

Administrator guide introduce different ways to restore operational backup for each deployment when using GUI. It explains deregistering is required before performing restore.

Restore a Monitoring (Operational) Backup in a Standalone Environment

Restore a Monitoring Backup with Administration and Monitor Personas

Restore a Monitoring Backup with a Monitoring Persona

But for CLI operation, no explanation is provided for restoring for distributed system.

Restoration of Configuration or Monitoring (Operational) Backup from the CLI

Does it mean deregistering is not required only when using CLI even for distributed system?

Or something is missing about CLI restore steps?

Deregistering is a not easy operation on production network. So my customer wants to use CLI restore if it doesn't require deregister/re-register. But I'm not sure why deregister/re-register is not required only when using CLI.

Re: Correct procedure of restoring operational backup by CLI command for distributed system

Ping Zhou — Sun, 19 Aug 2018 19:19:27 GMT

Just to share my experience...

I did restore on the Primary node via CLI from 1.4 Configuration Data to 2.0.1 on a 2-node deployment, without deregistering the nodes. At the end of it, the restore function completed successfully, confirmed by command output of show restore history. Then I logged into the Primary, found out it has been put to Standalone deployment.

HTH.

Re: Correct procedure of restoring operational backup by CLI command for distributed system

howon — Mon, 20 Aug 2018 17:52:00 GMT

It looks like CLI steps are missing the information on the distributed deployment, I will work with the doc team to address this. I understand why the customer would want to avoid deregistration, but please follow the steps outlined on the GUI backup/restore procedure.

Re: Correct procedure of restoring operational backup by CLI command for distributed system

masyamad — Tue, 21 Aug 2018 01:53:04 GMT

Thanks for sharing your experience, Ping.

With your comment, I noticed the guide doesn't cover 2 node deployment. Now GUI covers standalone and distributed. I also want to know about that.

Re: Correct procedure of restoring operational backup by CLI command for distributed system

masyamad — Tue, 21 Aug 2018 01:59:39 GMT

Thanks howon. I look forward to the doc update.
BTW according to Ping's experience, restore worked well without deregistration for 2 node deployment. Is it expected result?

And now the guide covers only following scenarios.

No.1: In a Standalone Environment (=simple standalone)
No.2: Backup with Administration and Monitor Personas (=mid size distributed deployment)
No.3: Backup with a Monitoring Persona (=large size distributed deployment)

But it seems not to cover "Backup with Administration, Monitor and Policy Service Node personas (=2 node deployments)".

Could you also tell us the scenario? Is the procedure for the scenario same as either of No.1~3?

Re: Correct procedure of restoring operational backup by CLI command for distributed system

masyamad — Tue, 21 Aug 2018 07:12:17 GMT

Hi Howon,

I tried "Backup with Administration and Monitor Personas" scenario for 2 node deployment, but got abnormal result.
"Show details" on live log or report doesn't show actual information and only show following message.

Does it mean "Backup with Administration and Monitor Personas" scenario can't be applied to 2 node deployment? Please tell me correct restore procedure for the deployment.

My Test Environment.
- 2 node deployment
- Both ISE are VM appliances and running with 2.4 patch2
- At the beginning of the verification, ISE1 is primary PAN/primary MnT/active PSN. ISE2 is secondary PAN/secondary MnT/active PSN.

My Test Steps.
Step1: On ISE1 (primary PAN/primary MnT/active PSN), collect Operational Backup via "Backup now" menu.
Step2: Purge all data via Purge data now.
Step3: Promote ISE2 (secondary PAN/secondary MnT/active PSN) to primary.
            After that, ISE2 became primary PAN/secondary MnT/Active PSN.
Step4: Deregistered ISE1 from the 2 node deployment.
Step5: Restore operational data with backup collected at Step1.
Step6: Register ISE1 from ISE2 GUI.
Step7: Promote ISE1 to primary.
            After that, ISE1 became primary PAN/secondary MnT/Active PSN.
Step8: See some report or live log and click details. But it didn't show information and only show "No Data available for this record. Either the data is purged or authentication for this session record happened a week ago.
Or if this is an 'PassiveID' or 'PassiveID Visibility' session, it will not have authentication details on ISE but only the session.
"

From administration guide...
Before you begin
Purge the old monitoring data.
    Schedule a backup or perform an on-demand backup.

Procedure
Step1 :
Prepare to promote another Cisco ISE node as the PAN, by synchronizing the node with the existing primary node you want to backup.
This ensures that the configuration of the Cisco ISE node you are going to promote is up to date.
Step2 :
Promote the newly synced Administration node to primary status.
Step3:
Prepare to deregister the node to be backed up by assigning the Monitoring persona to another node in the deployment.
A deployment must have at least one functioning Monitoring node.
Step4:
Deregister the node to be backed up.
Step5:
Restore the Monitoring backup to the newly deregistered node.
Step6:
Register the newly restored node with the current Administration node.
Step7:
Promote the newly restored and registered node as the PAN.

Re: Correct procedure of restoring operational backup by CLI command for distributed system

howon — Tue, 21 Aug 2018 20:52:47 GMT

Looks to be defect. I filed it but unicast me directly if defect ID is needed. howon@cisco.com

Re: Correct procedure of restoring operational backup by CLI command for distributed system

masyamad — Wed, 22 Aug 2018 00:50:46 GMT

Thanks for filing defect. BTW how about the correct restore procedure for 2 node deployment? The steps of "Restore a Monitoring Backup with Administration and Monitor Personas" should be applied to the 2 node deployment?

Now the guide shows following 3 scenarios.
No1. Restore a Monitoring (Operational) Backup in a Standalone Environment
No2. Restore a Monitoring Backup with Administration and Monitor Personas
No3. Restore a Monitoring Backup with a Monitoring Persona

When using 2 node deployment, No2 and No3 can be a candidate because all of 3 personas run on both node. Could you confirm not No.3 but No.2 is the correct procedure for the deployment?

Re: Correct procedure of restoring operational backup by CLI command for distributed system

howon — Wed, 22 Aug 2018 01:12:04 GMT

For sake of backup and restore PSN persona is irrelevant since backup is for Config (PAN) and Operations (MnT). For a node that has all three personas, #2 would be applicable.

Re: Correct procedure of restoring operational backup by CLI command for distributed system

masyamad — Wed, 22 Aug 2018 01:24:14 GMT

Thanks. But it not so clear with current document. I hope the information will also be added to the guide.