
Cisco ISE 2.3 Migration Tool

nhkelley1
Level 1

Hello;

I am currently migrating ACS 5.8 to ISE 2.3 using the migration tool. Followed the prerequisites and did a clean export from ACS with no errors (only a few infos). I imported the ACS trusted certificates into the settings and am still getting "FQDN and ISE Host cannot be found" errors during the import to ISE process. What am I missing?

7 Replies

Timothy Abbott
Cisco Employee

Hi Ned,

Please reach out to the TAC to investigate further.

Regards,

-Tim

Thank you!

hslai
Cisco Employee

It's not clear whether you imported the ISE system certificate, if it is self-signed, or its root CA certificate, if the system certificate was issued by an external CA. If the correct certificate was imported, then make sure to use the FQDN of ISE in the migration tool to connect to ISE.

Hello;

Thank you for your reply. I went back and imported the correct trusted certificates for both ACS and ISE. The export completed without errors. The problem occurs when trying to "Import to ISE". DNS and FQDN issues appear after typing in the login credentials. Again, both trusted certificates contain the CN=host+FQDN. I am not sure what I am missing here.

Appreciate any help or feedback here. Thanks.

If not already done, please review the info @ How to Migrate ACS 5.x to ISE 2.x. In particular, Step 16 in Page 23 says,

Browse ISE 2.x UI and go to system certificate by going to Administration > System > Certificates > System Certificates. Observe the entry that has usage “admin”. This certificate needs to be exported.

Verify the Windows PC running the migration tool is able to ping ISE by its FQDN as shown in the subject or the subject alternative name field in the certificate. If you are unable to add ISE FQDN in the DNS, you may add it to the "hosts" file locally on the Windows PC.

If none of the above helps, then it's best for you to engage TAC so TAC may have a WebEx meeting with you to check the issue directly.

Yes, I can ping the hostname, IP, and FQDN from both the ACS and ISE VM CLI to each other.

My Windows workstation also pings both servers.

Issue resolved;

Deleted and re-installed new ISE certificates into the migration tool.

Previous certificates' serial numbers did not match due to new VM rebuild.

Thank you for your assistance and support.

v/r;

Ned
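The mismatch described in the resolution above can be checked before running the import. This is an added example, not code from the thread participants or from Cisco's tooling: it compares the serial number and SHA-256 fingerprint of the certificate file imported into the migration tool with the certificate ISE currently presents. The function names, port 443 and the sample bytes are assumptions; the samples are constructed DER stubs, not real certificates.

```python
import hashlib
import ssl

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der):
    """Return the serialNumber of a DER X.509 certificate as upper-case hex."""
    _, start, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, start, _ = _tlv(der, start)    # tbsCertificate SEQUENCE
    tag, vstart, vend = _tlv(der, start)
    if tag == 0xA0:                   # optional [0] version field, skip it
        tag, vstart, vend = _tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return format(int.from_bytes(der[vstart:vend], "big"), "X")

def compare(imported_der, live_der):
    """Compare the certificate held by the tool with the one the server presents."""
    same = hashlib.sha256(imported_der).digest() == hashlib.sha256(live_der).digest()
    return {"imported_serial": cert_serial(imported_der),
            "live_serial": cert_serial(live_der),
            "match": same}

def fetch_live_der(fqdn, port=443):
    """Fetch the certificate currently presented at fqdn:port (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((fqdn, port)))

# --- constructed sample data: minimal DER stubs shaped like a certificate ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length, samples are tiny

def _sample_cert(serial):
    version = _der(0xA0, _der(0x02, b"\x02"))
    tbs = _der(0x30, version + _der(0x02, serial) + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

OLD_VM = _sample_cert(bytes.fromhex("5A01"))   # exported before the VM rebuild
NEW_VM = _sample_cert(bytes.fromhex("5B7C"))   # presented after the rebuild

if __name__ == "__main__":
    print(compare(OLD_VM, NEW_VM))   # serials differ, so "match" is False
```

Against a real deployment, pass the exported file's DER bytes and `fetch_live_der("<ISE FQDN>")` to `compare`; a PEM export can be converted first with `ssl.PEM_cert_to_DER_cert`.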
