Broken ISE deployment

walfors
Level 1

Hi all,

I need to change the IP addresses in an ISE 1.2 HA deployment (a primary/secondary pair). The tricky part is that the deployment was broken before I could get my hands on the servers.

I can make the primary server stand alone, and perform the address change, but for the secondary server I do not seem to have that option.

So what is the proper procedure to be able to reconfigure the IP address of a "broken" secondary server?

Thanks,

Lennart

2 Accepted Solutions

Charlie Moreton
Cisco Employee

Since it's the secondary, I wouldn't spend too much time getting frustrated over it.  A re-image might be just the cure you're looking for.

You can still do backups from the "broken" secondary?  That way, you always have a failsafe.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Naresh Ginjupalli
Cisco Employee

Hi Walfors,

The good part here is that you are able to successfully make your Primary node standalone. You can take a backup of this standalone node to be on the safer side.

Normally, when you perform the deregister operation from the Primary ISE node, the secondary node will be turned to standalone and you will have a safe standalone node.

You are saying that your secondary node, even after de-registering from the primary, is still in Secondary mode and you cannot do any operations on this Secondary node.

If you are concerned about the certificates, then I would recommend taking a backup of the certificates by logging into the secondary node GUI and going to Administration --> Server Certificates --> click on the certificate you want to export and then click on the export button.

Now you are good to perform the reset-config operation on your secondary ISE node. Go to the CLI and trigger the command "application reset-config ise". This command will reset all your existing data with the default data.

After successful completion of the reset-config operation, if required, you can restore the certificates that were exported and then join this node back to the deployment.

This way is the clean setup process.

If you do not want to perform the reset-config operation and need to debug further why the deployment is broken, I would suggest you raise a service request with TAC.

Charles & ginjupa,

Thank you for your answers. I stopped crying and did the "application reset-config ise"! The deployment was quickly restored.

Best ones,

Lennart
