nhkelley1
Beginner

Cisco ISE 2.3 Migration Tool

Hello;

I am currently migrating ACS 5.8 to ISE 2.3 using the migration tool. Followed the prerequisites and did a clean export from ACS with no errors (only a few infos). I imported the ACS trusted certificates into the settings and am still getting "FQDN and ISE Host cannot be found" errors during the import to ISE process. What am I missing?

7 REPLIES 7
Timothy Abbott
Cisco Employee

Hi Ned,

Please reach out to the TAC to investigate further.

Regards,

-Tim

Thank you!

hslai
Cisco Employee

It's not clear whether you imported the ISE system certificate, if self-signed, or its root CA certificate, if the system certificate was issued by an external CA. If the correct certificate was imported, then ensure you are using the FQDN of ISE in the migration tool to connect to ISE.

Hello;

Thank you for your reply. I went back and imported the correct trusted certificates for both ACS and ISE. The export completed without errors. The problem occurs when trying to "Import to ISE". DNS and FQDN issues appear after typing in the login credentials. Again, both trusted certificates contain the CN=host+FQDN. I am not sure what I am missing here.

Appreciate any help or feedback here. Thanks.

If not already done, please review the info @ How to Migrate ACS 5.x to ISE 2.x. In particular, Step 16 on page 23 says,

Browse ISE 2.x UI and go to system certificate by going to Administration > System > Certificates > System Certificates. Observe the entry that has usage “admin”. This certificate needs to be exported.

Verify the Windows PC running the migration tool is able to ping ISE by its FQDN as shown in the subject or the subject alternative name field in the certificate. If you are unable to add ISE FQDN in the DNS, you may add it to the "hosts" file locally on the Windows PC.

If none of the above helps, then it's best for you to engage TAC so TAC may have a WebEx meeting with you to check the issue directly.

Yes, I can ping the hostname, IP, and FQDN from both the ACS and ISE VM CLI to each other.

My Windows workstation also pings both servers.

Issue resolved;

Deleted and re-installed new ISE certificates into the migration tool.

Previous certificates' serial numbers did not match due to new VM rebuild.

Thank you for your assistance and support.

v/r;

Ned
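
The resolution above came down to the migration tool trusting a certificate whose serial number no longer matched the rebuilt ISE VM. The PowerShell check below is an added example (not part of the thread or of Cisco's tooling) that, from the Windows PC running the migration tool, compares the certificate ISE currently presents with the exported file; the FQDN, file path and port 443 are placeholder assumptions.

```powershell
# Added example: values below are placeholders, not taken from the thread.
param(
    [string]$IseFqdn  = 'ise01.example.com',      # hypothetical ISE FQDN
    [string]$CertPath = 'C:\temp\ise-admin.cer',  # hypothetical exported certificate file
    [int]$Port        = 443                       # assumed ISE admin HTTPS port
)
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# 1. The PC running the migration tool must resolve the FQDN (DNS or hosts file).
try   { $ips = [System.Net.Dns]::GetHostAddresses($IseFqdn) }
catch { throw "Cannot resolve $IseFqdn from this PC: $($_.Exception.Message)" }

# 2. Read the certificate ISE presents right now. The callback accepts any
#    certificate only so it can be inspected; nothing else is sent on this connection.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($IseFqdn, $Port)
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $tls.AuthenticateAsClient($IseFqdn)
    $live = New-Object $X509 -ArgumentList $tls.RemoteCertificate
} finally { $tcp.Close() }

# 3. Load the certificate file that was imported into the migration tool.
$file = New-Object $X509 -ArgumentList $CertPath

# 4. Does the FQDN appear in the live certificate's subject or SAN (OID 2.5.29.17)?
#    Substring match only; wildcard names are not evaluated.
$sanExt = $live.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
$nameOk = ("$($live.Subject) $san" -like "*$IseFqdn*")

# 5. Same certificate, its issuing CA (by name only), or a stale copy?
#    A rebuilt VM can reuse the subject with a new serial, so self-signed
#    certificates must match by thumbprint.
$relation = if ($file.Thumbprint -eq $live.Thumbprint) {
    'Same certificate'
} elseif ($live.Subject -ne $live.Issuer -and $file.Subject -eq $live.Issuer) {
    'File names the issuer of the live certificate (signature not verified)'
} else {
    'MISMATCH: re-export the certificate from ISE and re-import it'
}

[pscustomobject]@{
    ResolvedTo = $ips -join ', '; FqdnInLiveCert = $nameOk; Relation = $relation
    LiveSerial = $live.SerialNumber; FileSerial = $file.SerialNumber
}
```

A `MISMATCH` result with differing `LiveSerial` and `FileSerial` values corresponds to the situation described in the final post.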
