https://community.cisco.com/t5/network-access-control/ise-loss-of-all-nodes-in-a-distributed-deployment-recovery-using/m-p/2485339#M90548 <P>Hi Experts,</P><P>&nbsp;</P><P>I have a question regarding ISE disaster recovery with same hostname and IP. For step 2, is it a must to generate a self signed cert? is it possible to use back to original N1 CA- signed certificate?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P class="pBl_BlockLabel" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight: bold; margin: 1px 0em 6px; line-height: normal;">esolution Steps</P><P><A name="wp1073092" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNF_NumFirst" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.25in; text-indent: -0.25in; line-height: normal;"><B>1.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />Obtain the N1 backup and restore it on N1A. See&nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html#wp1053926" style="color: rgb(51, 102, 204);" target="_blank">"Restoring Data from a Backup" section</A><SPAN class="cXRef_Color" style="color: blue;">&nbsp;</SPAN>for more information. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.</P><P><A name="wp1073095" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNN_NumNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.25in; text-indent: -0.25in; line-height: normal;"><SPAN style="color:#FF0000;"><B>2.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />You must generate a new self-signed certificate. See&nbsp;</SPAN><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_man_cert.html#wpxref98538" style="color: rgb(51, 102, 204);" target="_blank"><SPAN style="color:#FF0000;">"Generating a Self-Signed Certificate" section</SPAN></A><SPAN style="color:#FF0000;">&nbsp;for more information.</SPAN></P><P><A name="wp1073099" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNN_NumNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.25in; text-indent: -0.25in; line-height: normal;"><B>3.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />You must log in to the Cisco ISE user interface on N1A, choose&nbsp;<B class="cCN_CmdName">Administration &gt; System &gt; Deployment</B>, and do the following:</P><P><A name="wp1073100" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNsF_NumsubFirst" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;"><B>a.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />Delete the old N2 node. See&nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_dis_deploy.html#wpxref36346" style="color: rgb(51, 102, 204);" target="_blank">"Removing a Node from Deployment" section</A>&nbsp;for more information.</P><P><A name="wp1073102" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;"><B>b.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />Register the new N2A node as a secondary node. See&nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_dis_deploy.html#wpxref46230" style="color: rgb(51, 102, 204);" target="_blank">"Registering and Configuring a Secondary Node" section</A><SPAN class="cXRef_Color" style="color: blue;">&nbsp;</SPAN>for more information. Data from the N1A node will be replicated to the N2A node.</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;">&nbsp;</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;">&nbsp;</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;">&nbsp;</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;"><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html" target="_blank">http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html</A></P> Mon, 11 Mar 2019 04:43:08 GMT Tai Eric 2019-03-11T04:43:08Z https://community.cisco.com/t5/network-access-control/ise-loss-of-all-nodes-in-a-distributed-deployment-recovery-using/m-p/2485339#M90548 <P>Hi Experts,</P><P>&nbsp;</P><P>I have a question regarding ISE disaster recovery with same hostname and IP. For step 2, is it a must to generate a self signed cert? is it possible to use back to original N1 CA- signed certificate?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P class="pBl_BlockLabel" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight: bold; margin: 1px 0em 6px; line-height: normal;">esolution Steps</P><P><A name="wp1073092" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNF_NumFirst" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.25in; text-indent: -0.25in; line-height: normal;"><B>1.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />Obtain the N1 backup and restore it on N1A. See&nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html#wp1053926" style="color: rgb(51, 102, 204);" target="_blank">"Restoring Data from a Backup" section</A><SPAN class="cXRef_Color" style="color: blue;">&nbsp;</SPAN>for more information. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.</P><P><A name="wp1073095" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNN_NumNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.25in; text-indent: -0.25in; line-height: normal;"><SPAN style="color:#FF0000;"><B>2.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />You must generate a new self-signed certificate. See&nbsp;</SPAN><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_man_cert.html#wpxref98538" style="color: rgb(51, 102, 204);" target="_blank"><SPAN style="color:#FF0000;">"Generating a Self-Signed Certificate" section</SPAN></A><SPAN style="color:#FF0000;">&nbsp;for more information.</SPAN></P><P><A name="wp1073099" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNN_NumNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.25in; text-indent: -0.25in; line-height: normal;"><B>3.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />You must log in to the Cisco ISE user interface on N1A, choose&nbsp;<B class="cCN_CmdName">Administration &gt; System &gt; Deployment</B>, and do the following:</P><P><A name="wp1073100" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNsF_NumsubFirst" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;"><B>a.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />Delete the old N2 node. See&nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_dis_deploy.html#wpxref36346" style="color: rgb(51, 102, 204);" target="_blank">"Removing a Node from Deployment" section</A>&nbsp;for more information.</P><P><A name="wp1073102" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: normal; background-color: rgb(255, 255, 255);" target="_blank"></A></P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;"><B>b.&nbsp;</B><IMG alt="" border="0" height="2" src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" width="10" />Register the new N2A node as a secondary node. See&nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_dis_deploy.html#wpxref46230" style="color: rgb(51, 102, 204);" target="_blank">"Registering and Configuring a Secondary Node" section</A><SPAN class="cXRef_Color" style="color: blue;">&nbsp;</SPAN>for more information. Data from the N1A node will be replicated to the N2A node.</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;">&nbsp;</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;">&nbsp;</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;">&nbsp;</P><P class="pNsN_NumsubNext" style="color: rgb(0, 0, 0); font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin-right: 0em; margin-bottom: 7px; margin-left: 0.9in; text-indent: -0.25in; line-height: normal;"><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html" target="_blank">http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html</A></P> Mon, 11 Mar 2019 04:43:08 GMT https://community.cisco.com/t5/network-access-control/ise-loss-of-all-nodes-in-a-distributed-deployment-recovery-using/m-p/2485339#M90548 Tai Eric 2019-03-11T04:43:08Z https://community.cisco.com/t5/network-access-control/ise-loss-of-all-nodes-in-a-distributed-deployment-recovery-using/m-p/2485340#M90550 <P>Hi,</P><P>The reason for asking to create a self signed cert is , the subject name of the certificate should match&nbsp; ISE node FQDN. If you import the N1 node CA- signed certificate, that certificate will have the hostname of N1 node as its subject name and it will not work.</P><P>So you have to create a self signed certificate or get a new CA signed certificate with subject name as&nbsp;N1A node FQDN.</P><P>Hope this clarifies the reason of self signed certificate.</P> Wed, 10 Sep 2014 17:46:31 GMT https://community.cisco.com/t5/network-access-control/ise-loss-of-all-nodes-in-a-distributed-deployment-recovery-using/m-p/2485340#M90550 Naresh Ginjupalli 2014-09-10T17:46:31Z https://community.cisco.com/t5/network-access-control/ise-loss-of-all-nodes-in-a-distributed-deployment-recovery-using/m-p/2485341#M90552 <P>As long as:</P><P>- The newly built node has the same FQDN</P><P>- You have the original signed certificate and private key</P><P>- Root's and subordinate's (If any) CA certificates</P><P>Then you should be able to just re-import the cert.</P><P>&nbsp;</P><P><EM>Thank you for rating helpful posts!</EM></P> Thu, 11 Sep 2014 22:18:19 GMT https://community.cisco.com/t5/network-access-control/ise-loss-of-all-nodes-in-a-distributed-deployment-recovery-using/m-p/2485341#M90552 nspasov 2014-09-11T22:18:19Z