04-10-2018 10:30 AM
Hello;
I am currently migrating ACS 5.8 to ISE 2.3 using the migration tool. Followed the prerequisites and did a clean export from ACS with no errors (only a few infos). I imported the ACS trusted certificates into the settings and am still getting "FQDN and ISE Host cannot be found" errors during the import to ISE process. What am I missing?
04-10-2018 11:16 AM
Hi Ned,
Please reach out to the TAC to investigate further.
Regards,
-Tim
04-10-2018 11:20 AM
Thank you!
04-10-2018 09:44 PM
It's not clear whether you imported the ISE system certificate, if self-signed, or its root CA certificate, if the system certificate was issued by an external CA. If the correct certificate was imported, then ensure you are using the FQDN of ISE in the migration tool to connect to ISE.
04-12-2018 11:33 AM
Hello;
Thank you for your reply. I went back and imported the correct trusted certificates for both ACS and ISE. The export completed without errors. The problem occurs when trying to "Import to ISE". DNS and FQDN issues appear after typing in the login credentials. Again, both trusted certificates contain the CN=host+FQDN. I am not sure what I am missing here.
Appreciate any help or feedback here. Thanks.
04-12-2018 11:57 AM
If not already done, please review the info @ How to Migrate ACS 5.x to ISE 2.x. In particular, Step 16 on page 23 says,
Browse ISE 2.x UI and go to system certificate by going to Administration > System > Certificates > System Certificates. Observe the entry that has usage “admin”. This certificate needs to be exported.
Verify the Windows PC running the migration tool is able to ping ISE by its FQDN as shown in the subject or the subject alternative name field in the certificate. If you are unable to add ISE FQDN in the DNS, you may add it to the "hosts" file locally on the Windows PC.
If none of the above helps, then it's best for you to engage TAC so TAC may have a WebEx meeting with you to check the issue directly.
04-12-2018 12:05 PM
Yes, I can ping the hostname, IP, and FQDN from both the ACS and ISE VM CLI to each other.
My Windows workstation also pings both servers.
04-12-2018 01:24 PM
Issue resolved;
Deleted and re-installed new ISE certificates into the migration tool.
Previous certificates' serial numbers did not match due to new VM rebuild.
Thank you for your assistance and support.
v/r;
Ned
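An added example, not part of the thread and not Cisco tooling: a check for the condition the resolution describes, where a certificate imported before a VM rebuild no longer matches the one the server presents, compared by serial number and SHA-256 fingerprint. The function names, the use of port 443 for the live fetch, and the two skeleton certificates are assumptions constructed for illustration.

```python
import hashlib
import ssl

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_identity(pem):
    """Return (serial_hex, sha256_fingerprint) for one PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    _, pos, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version precedes the serial
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex().upper(), hashlib.sha256(der).hexdigest()

def is_stale(imported_pem, presented_pem):
    """True when the imported certificate is not the one being presented."""
    return cert_identity(imported_pem) != cert_identity(presented_pem)

def fetch_presented(fqdn, port=443):
    """Fetch the certificate a server presents now (no chain validation).
    Port 443 is an assumption; use the port the admin interface listens on."""
    return ssl.get_server_certificate((fqdn, port))

def _skeleton(serial):
    """Constructed sample: minimal DER holding only a version and a serial."""
    tbs = bytes.fromhex("a003020102") + bytes([0x02, len(serial)]) + serial
    tbs = bytes([0x30, len(tbs)]) + tbs
    return ssl.DER_cert_to_PEM_cert(bytes([0x30, len(tbs)]) + tbs)

OLD_VM = _skeleton(bytes.fromhex("1a2b3c"))  # constructed: exported before rebuild
NEW_VM = _skeleton(bytes.fromhex("5d6e7f"))  # constructed: presented after rebuild

if __name__ == "__main__":
    print("imported serial :", cert_identity(OLD_VM)[0])
    print("presented serial:", cert_identity(NEW_VM)[0])
    print("stale import    :", is_stale(OLD_VM, NEW_VM))
```

Against a live system, pass the contents of the exported PEM file as `imported_pem` and `fetch_presented("<ISE FQDN>")` as `presented_pem`.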