05-03-2023 06:40 AM
Hello,
I have a customer that has a 2-node ISE deployment on ISE 3.1, Patch 3. These are both virtual appliances.
ISE01 crashed due to CPU, memory and no disk space on VMware. ISE01 didn't fail over to ISE02. ISE01 was powered down and ISE02 was promoted to PRIMARY. ISE02 came up with a config from about 6 months ago (possibly longer).
The VMware issues have been resolved and ISE01 is now in a position to be brought back up from a restore. Do I need to demote ISE02 to secondary and then power it off, in case ISE01 and ISE02 both try to be PRIMARY?
My plan is as follows:
05-03-2023 09:27 AM - edited 05-03-2023 09:28 AM
I would just redeploy ISE02 from scratch as well once you have a working ISE01 restored, then join it to ISE01. Make sure to export certificates or be prepared to get new CSRs signed.
05-04-2023 08:56 PM
Once you are able to deploy ISE01, restore the config backup on it and test that authentications are working fine, then perform a config reset on ISE02 using the command "application reset-config ise" (it will keep the basic CLI config intact). When it prompts whether to keep the certificates or not, keep the certificates, and once the reset is complete, register the node back to ISE01. In this way ISE02 will get the new configuration and you can avoid the certificate export and import exercise.
05-03-2023 07:02 AM
I recall testing this "splitbrain" in our environment, but could not find the outcome.
If ISE did not fail over, this would also be the plan I would follow in my deployment.
You also could do the following:
But I would prefer to open a TAC case to make sure it's correct; they also have the right tools to help if you are not able to restore.
05-03-2023 07:15 AM
05-03-2023 07:43 AM - edited 05-03-2023 07:47 AM
@Anthony O'Reilly does ISE02 which is currently in use require much configuration to bring up to date? You could just deploy ISE01 as a new VM and add to the ISE cluster as a fresh ISE node without having to mess around demoting ISE02 and possibly causing a split brain scenario.
05-03-2023 08:19 AM
05-03-2023 08:45 AM
If you have a valid backup of ISE01, I would probably just re-deploy from that backup at this point.
05-03-2023 09:24 AM
05-12-2023 02:31 AM
Thanks for all your comments and help.
Just to let you know what happened, when ISE02 came online, it became the primary appliance with its config sync'd with ISE01.