Cisco ISE 3.1 – Scope of Reboot for Admin Certificate Renewal

bassomarco1998
Level 1

Hi all,

We are running a Cisco ISE 3.1P8 cluster with over 20 nodes and are planning to renew the Admin certificates across all nodes, including the Primary Policy Administration Node (PPAN). While reviewing Cisco documentation, I’ve encountered some conflicting information about the impact of this process.

One document mentions that:

Admin protocol changes require a restart of ISE services, resulting in a few minutes of downtime. EAP protocol changes do not trigger service restarts and cause no downtime.

This suggests that updating the Admin certificate on a specific node, including the PPAN, would cause a service reload on that node only.

However, in the ISE 3.3 GUI, I noticed the new “Admin Certificate Node Restart” section, which states that changing the Admin certificate on the PPAN would result in a reboot of the entire cluster.

Given that we're working with ISE 3.1, could you confirm which behavior we should anticipate? Will the change affect only the node where the Admin certificate is updated, or will it trigger a cluster-wide reboot?

Thanks for your assistance!

UPDATE 1: I engaged TAC, and they confirmed that, also in 3.1, the entire cluster reload will be required. Btw, can someone confirm this?

UPDATE 2: I just found what seems to be the final answer to my doubt. The Admin Guide for 3.1 states that:

If the Admin check box is checked, then the application server on the Cisco ISE node restarts. In addition, if the Cisco ISE node is the PAN in a deployment, then the application server on all the other nodes in the deployment also restarts. The system restarts one node at a time, after the primary PAN restart has completed.



4 Replies

As per my experience, renewing the admin certificate will only trigger an ISE application services restart on that affected node and not on any of the other nodes in the cluster.

Thanks for your reply @Aref Alsouqi.

We will schedule a maintenance window and we will see which node will be affected by the reload of the application server.
I will update this thread as well.

Sounds good and you're welcome Marco.

Update: We have uploaded and activated the Admin certificate on all nodes, including in the PPAN. After the PPAN rebooted itself, the other nodes did not reboot; therefore, the reboot scope is limited only to that node.

It would be interesting to understand why the guide and the TAC state otherwise.
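After a rollout like the one described in this thread, the check an operator usually wants is a quick confirmation that every node is back up and is actually presenting the renewed Admin certificate. The script below is an added example written for this thread; it is not Cisco code and not something posted by the participants. It assumes the Admin certificate is the one served on the admin portal on TCP 443, that the expected value is the SHA-256 fingerprint of the new certificate (the `EXPECTED_SHA256` placeholder), and that the node hostnames in `NODES` are placeholders for your own deployment. It compares fingerprints only, so it does not depend on the trust chain, and a node whose application server is still restarting shows up as UNREACHABLE rather than as a failed check.

```python
import hashlib
import socket
import ssl

# Placeholders (assumptions for this example): replace with your own nodes
# and with the SHA-256 fingerprint shown for the new Admin certificate.
NODES = ["ise-ppan.example.local", "ise-span.example.local", "ise-psn-01.example.local"]
EXPECTED_SHA256 = "PLACEHOLDER_SHA256_FINGERPRINT_OF_NEW_ADMIN_CERT"
ADMIN_PORT = 443  # assumption: Admin certificate is served on the admin portal port


def sha256_fingerprint(der: bytes) -> str:
    """Return the colon-separated, upper-case SHA-256 fingerprint of a DER certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def normalize_fingerprint(fp: str) -> str:
    """Accept fingerprints with or without colons/spaces and in either case."""
    return fp.replace(":", "").replace(" ", "").upper()


def fetch_admin_cert_der(host: str, port: int = ADMIN_PORT, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a node presents on its admin portal, as DER bytes.

    Verification is disabled on purpose: this is a fingerprint comparison of the
    presented certificate, not a trust decision, and an internal CA would fail
    default validation anyway.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_nodes(nodes, expected_fp: str, fetch=fetch_admin_cert_der) -> dict:
    """Classify every node as RENEWED, OLD_OR_UNEXPECTED or UNREACHABLE.

    `fetch` is injectable so the logic can be exercised without network access.
    Returns {host: (status, detail)} where detail is the fingerprint or the error.
    """
    results = {}
    wanted = normalize_fingerprint(expected_fp)
    for host in nodes:
        try:
            der = fetch(host)
        except (OSError, ssl.SSLError) as exc:
            # Connection refused/timeout: typically the application server is
            # still restarting after the certificate change.
            results[host] = ("UNREACHABLE", str(exc))
            continue
        fp = sha256_fingerprint(der)
        status = "RENEWED" if normalize_fingerprint(fp) == wanted else "OLD_OR_UNEXPECTED"
        results[host] = (status, fp)
    return results


if __name__ == "__main__":
    for host, (status, detail) in check_nodes(NODES, EXPECTED_SHA256).items():
        print(f"{host:40s} {status:18s} {detail}")
```

Run it once before the change to confirm every node reports OLD_OR_UNEXPECTED against the new fingerprint, then again after each node's application server comes back; any node that stays UNREACHABLE longer than the others is the one whose restart you want to look at.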