topic Hello Charles, thank you very in Network Access Control

Best Practise for rebooting ISE Nodes?

Benjamin Lehner — Mon, 11 Mar 2019 05:09:23 GMT

Hello Community,

I administer an ISE installation with two nodes (I am not an ISE Specialist, my job is just to manage the user/mac-adresses... but now I have to move my ISE Nodes from one VMWare Cluster to another VMWare Cluster.

(Both VMWare environments are connected to our enterprise network, but are different environments. vMotion not possible)

I would shutdown ISE02, move it to our new VMWare environment and start it again.

Than I would do this with our ISE01 Node...

Are there any best practises for doing this? (Shutdown application first, stopl replikation etc)?

Can I really simply reboot an ISE Node - or have I consider something bevor I doing this? After I doing this?

Any tasks after reboot?

Thank you for any answer!

ISE01
Administration, Monitoring, Policy Service
PRI(A), SEC(M)

ISE02
Administration, Monitoring, Policy Service
SEC(A), PRI(M)

There is a lot to consider

Charlie Moreton — Thu, 30 Oct 2014 13:26:46 GMT

There is a lot to consider here. If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change among other things. If this is the case, create a new ISE VM in the new environment using the built in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment. Then spin-up a new Secondary node and register it on the Primary. Once this is done, you can re-host the license from your old environment onto your new environment. You can use this tool to re-host:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999

If IP Addressing is to remain the same, it gets simpler.

First, and always, perform a configuration and operational backup.

If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes. Transfer them to the New Environment and turn them on, Primary Node first, of course.

If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment. Start the Secondary Node and when it is up, shut down the Primary Node. Once services on the primary node have stopped, promote the Secondary Node to Primary Node.

Transfer the OLD Primary Node to the New Environment and turn it on. It should assume the role of Secondary Node. If it does not, assign that role through the GUI.

Remember, the correct way to shut down an ISE node is:

application stop ise

halt

By using these commands, the risk of database corruption decreases by about 90% (Remember to always backup).

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.

Charles Moreton

Hello Charles, thanks for

Benjamin Lehner — Thu, 30 Oct 2014 13:37:06 GMT

Hello Charles,

thanks for your reply. The network addresses dont changes.

So, just few further questions:

How to promote the secondary to primary node? (Do you got an Link for me?)

Can I do the movment without changeing the primary/secondary roles?

What will happen if I dont promote the secondary to primary? If node01 comes up - it will be the primary again if there is no other primary?

How to promote the secondary

Charlie Moreton — Thu, 30 Oct 2014 13:51:50 GMT

How to promote the secondary to primary node? (Do you got an Link for me?)

Here is the link to show how to promote the node:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#pgfId-1128454

Can I do the movment without changeing the primary/secondary roles?

If you can schedule the move with expected downtime, then yes.

What will happen if I dont promote the secondary to primary? If node01 comes up - it will be the primary again if there is no other primary?

True, and that is the reason for having a Secondary Node, however, if there is an extended amount of time between moving the Primary Node, other anomalies may occur.

Hello Charles, thank you very

Benjamin Lehner — Thu, 30 Oct 2014 13:56:31 GMT

Hello Charles,

thank you very much.

Kind regards

Benjamin

Happy to help.Good luck with

Charlie Moreton — Thu, 30 Oct 2014 14:16:13 GMT

Happy to help.

Good luck with your ISE move.

Charles Moreton

Hello Charly,one more further

Benjamin Lehner — Thu, 30 Oct 2014 15:47:30 GMT

Hello Charly,

one more further question about changing primary/secondary role:

My installation:

node01

- Admin, Policy

node02

- Monitoring, Policy

In your link I read:

"You can only promote a secondary Administration node to become a primary Administration node. Cisco ISE nodes that assume only the Policy Service or Monitoring persona, or both, cannot be promoted to a primary Administration node."

So it is not possible to promote this node to primary admin node?

--> I dont got an Option like " Promote to Primary ." in the edit page of my noedes... what dos this mean?

Add the secondary Admin Node

Charlie Moreton — Thu, 30 Oct 2014 16:12:15 GMT

Add the secondary Admin Node persona to the Secondary Node before moving the VM