Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4789
Views
5
Helpful
8
Replies

How do I change the IP of ISE if it's the secondary in a group?

Go to solution
Andrew White
Level 2
Level 2

‎10-02-2019 08:47 AM

Hello,

 

We have 2 x Cisco ISE virtual appliances, 1 is in our local VMware hypervisor and the other in our remote datacenter which acts as the standby.

 

We have a new datacenter and I need to move the secondary ISE appliance there so it will have a new IP.  I just don't know the steps involved once's I've moved it over.

 

On ISE I can see in Admin > Deployment there 2 are there in a group but you can't edit it etc.

 

Any steps would be great, thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Jason Kunst

‎10-03-2019 02:41 PM

Yeah, it's a little overkill but would of course still work.

Eddie wrote a great guide on how to handle this though the ADE-OS command "reset-config", not to be confused with the "application reset-config ise" command which wipes the node config.
https://community.cisco.com/t5/security-blogs/reset-ise-host-os-config-with-a-single-cli/ba-p/3660180

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎10-02-2019 09:40 AM

You will need to change the IP via CLI access. Very similar as to how you would configure an SVI on a L3 switch. Good luck & HTH!
0 Helpful

Go to solution
Andrew White
Level 2
Level 2
In response to Mike.Cifelli

‎10-02-2019 01:28 PM

Thanks that’s sounds simple, so I just shut down the ISE VM and vMotion to the new site, turn on and change the IP, mask and GW and job done? Then both will sync with each other?
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Andrew White

‎10-02-2019 05:44 PM

Yes. You can always re-sync the nodes via your PAN admin GUI after performing the changes. Note that when the ISE nodes are running it is in your best interest to not use vMotion and/or snapshots. Good luck & HTH!
0 Helpful

Go to solution
Andrew White
Level 2
Level 2
In response to Mike.Cifelli

‎10-03-2019 01:23 AM

So it's best to shutdown the secondary and then move and turn on and change the IP info via CLI?

 

Exactly where is the re-sync location in the GUI I'm struggling to locate this?

 

Thanks

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Andrew White

‎10-03-2019 09:29 AM

To re-sync: Administration->System->Deployment->Deployment Nodes->Syncup
0 Helpful

Go to solution
networke networke
Level 1
Level 1
In response to Mike.Cifelli

‎10-03-2019 08:45 AM

Do not do what you've been told so far. There is a right way to do this: step #1: De-register the Secondary node from the cluster in the UI, step #2: change the IP address of the node, this will force ISE application service to restart, step #3: perform "application reset-config ise" step #4: join the ISE back into the cluster. This method works 100% of the time and SUPPORT by Cisco TAC.

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to networke networke

‎10-03-2019 10:00 AM

@networke networke wrote:
Do not do what you've been told so far. There is a right way to do this: step #1: De-register the Secondary node from the cluster in the UI, step #2: change the IP address of the node, this will force ISE application service to restart, step #3: perform "application reset-config ise" step #4: join the ISE back into the cluster. This method works 100% of the time and SUPPORT by Cisco TAC.

Doesn't this depend on the type of setup? if this is a standalone HA setup (PAN/PSN/MNT) on same box then wouldn't you recommend just building a new box from scratch and adding it to the primary? Or even if its PAN or MNT?

 

What you're saying is fine for a PSN only.

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Jason Kunst

‎10-03-2019 02:41 PM

Yeah, it's a little overkill but would of course still work.

Eddie wrote a great guide on how to handle this though the ADE-OS command "reset-config", not to be confused with the "application reset-config ise" command which wipes the node config.
https://community.cisco.com/t5/security-blogs/reset-ise-host-os-config-with-a-single-cli/ba-p/3660180
0 Helpful
Customers Also Viewed These Support Documents