
Bring ISE01 back into service.

Hello,

 

I have a customer that has a 2-node ISE deployment on ISE 3.1, Patch 3. These are both virtual appliances.

ISE01 crashed due to CPU, memory and no disk space on VMware. ISE01 didn't fail over to ISE02. ISE01 was powered down and ISE02 was promoted to PRIMARY. ISE02 came up with a config that was from about 6 months ago (possibly longer).

The VMware issues have been resolved and ISE01 is now in a position to be brought back up from a restore. Do I need to demote ISE02 to secondary and then power it off in case ISE01 and 02 both try to be in PRIMARY mode?

My plan is as follows:

  • demote ISE02 to secondary
  • power down ISE02
  • power up ISE (it should be primary with latest config)
  • confirm that all is as expected.
  • confirm that clients can connect to network (wired and wireless)
  • power up ISE02, it should come up as secondary.
  • config from ISE01 should sync to ISE02

 

2 Accepted Solutions


I would just redeploy ISE02 from scratch as well once you have a working ISE01 restored, and join it to ISE01. Make sure to export certificates or be prepared to get new CSRs signed.


Once you are able to deploy ISE01, have restored the config backup on it and have tested that authentications are working fine, perform a config reset on ISE02 using the command "application reset-config ise" (it will keep the basic CLI config intact). When it prompts whether to keep the certificates or not, keep the certificates, and once the reset is complete, register the node back to ISE01. In this way ISE02 will get the new configuration and you can avoid the certificate export and import exercise.


9 Replies 9

Arne Vellinga

I recall testing this "splitbrain" in our environment, but could not find the outcome.

If ISE did not fail over, this would also be the plan I would follow in my deployment.

You could also do the following:

  • power down ISE02
  • power up ISE01 
  • confirm it works
  • Remove ISE02 from sync
  • Create a new ISE02 instance and sync it

But I would prefer to open a TAC case to make sure it's correct; they also have the right tools to help if you are not able to restore.

Yes, that's what I am hoping to avoid. Split-brain.

@Anthony O'Reilly, does ISE02, which is currently in use, require much configuration to bring up to date? You could just deploy ISE01 as a new VM and add it to the ISE cluster as a fresh ISE node without having to mess around demoting ISE02 and possibly causing a split-brain scenario.

Hi Rob,
It has a lot of profiling missing as well as identity groups missing. I am not 100% confident with the current config of ISE02. That's why I am hoping to use the restore of ISE01 to bring everything back to the way it was.

If you have a valid backup of ISE01, I would probably just re-deploy from that backup at this point.

Thanks, in your opinion, should I demote ISE02? The plan is to re-deploy ISE01 from backup, bring up ISE02 and sync.

Thanks for all your comments and help.

Just to let you know what happened, when ISE02 came online, it became the primary appliance with its config sync'd with ISE01.
