
Cisco ISE 3.1 got corrupted in System Cert renewal

Cisco_Newster
Level 1

Hello,

One of my Cisco ISE 3.1 nodes got corrupted (DB corruption) when I tried to change the ISE signed admin certificate to a self-signed certificate from my CA. Essentially the node stopped the services and was never able to fully deploy them again. The database was corrupt, and Cisco Support could not repair it. Therefore, a reimage was necessary.

I've never had a problem like this, where the database was corrupted during a "certificate change process". May the corruption be triggered by some certificate problems/mismatch, or may the ISE be faulty? I am asking because it's not the first time this specific ISE node was corrupted and needed a reimage. I think normally you should be able to at least create a new cert over the CLI if there are some issues with the new certificate?


3 Replies

thomas
Cisco Employee

I don't know how an ISE certificate change/update would cause an entire database corruption.

You said it is not the first time you've had problems with this node getting corrupted but there are no details to understand why this might be happening.

For ISE CLI commands for certificate management, see the Cisco Identity Services Engine CLI Reference Guide, Release 3.3, and use "application configure ise" for export and import options to back up and restore Cisco ISE CA certificates and keys.

ise/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]Recreate undotablespace
[26]Configure TCP params
[27]Reset Upgrade Tables and Proceed with upgrade
[28]Recreate Temp tablespace
[29]Clear Sysaux tablespace
[30]Fetch SGA/PGA Memory usage
[31]Generate Self-Signed Admin Certificate
[32]View Certificates in NSSDB or CA_NSSDB
[33]Recreate REPLOGNS tablespace
[34]View Native IPSec status
[0]Exit

Hello Thomas

We changed the certificate for the Admin Rule on the ISE, and in the process (restart of ISE services) the ISE DB got corrupted. This was also checked with a TAC engineer. My question was whether this may happen when there are issues with a certificate, or whether it may be because of a faulty ISE, and the restart of the services may have triggered the DB issue.

Thank you for answering. As you responded, I think the DB corruption may happen because of the faulty ISE and not because of the cert change.

Thanks and Regards

Daniel

I have absolutely no idea why a certificate would cause a corruption. Your TAC engineer has far more details and access to the logs so you should ask them.