09-26-2024 02:05 AM - edited 09-26-2024 02:27 AM
Hi all,
We are running a Cisco ISE 3.1P8 cluster with over 20 nodes and are planning to renew the Admin certificates across all nodes, including the Primary Policy Administration Node (PPAN). While reviewing Cisco documentation, I’ve encountered some conflicting information about the impact of this process.
One document mentions that:
Admin protocol changes require a restart of ISE services, resulting in a few minutes of downtime. EAP protocol changes do not trigger service restarts and cause no downtime.
This suggests that updating the Admin certificate on a specific node, including the PPAN, would cause a service reload on that node only.
However, in the ISE 3.3 GUI, I noticed the new “Admin Certificate Node Restart” section, which states that changing the Admin certificate on the PPAN would result in a reboot of the entire cluster.
Given that we're working with ISE 3.1, could you confirm which behavior we should anticipate? Will the change affect only the node where the Admin certificate is updated, or will it trigger a cluster-wide reboot?
Thanks for your assistance!
UPDATE 1: I engaged TAC, and they confirmed that in 3.1 as well the entire cluster reload will be required. By the way, can someone confirm this?
UPDATE 2: I just found what seems to be the final answer to my doubt. The Admin Guide for 3.1 states that:
If the Admin check box is checked, then the application server on the Cisco ISE node restarts. In addition, if the Cisco ISE node is the PAN in a deployment, then the application server on all the other nodes in the deployment also restart. The system restarts one node at a time, after the primary PAN restart has completed.
10-11-2024 01:58 AM
Update: We have uploaded and activated the Admin certificate on all nodes, including the PPAN. After the PPAN rebooted itself, the other nodes did not reboot; therefore, the reboot scope is limited to that node only.
It would be interesting to understand why the guide and the TAC state otherwise.
09-26-2024 02:45 AM
As per my experience renewing the admin certificate will only trigger ISE application services restart on that affected node and not on any of the other nodes in the cluster.
09-26-2024 03:34 AM - edited 09-26-2024 11:09 AM
Thanks for your reply @Aref Alsouqi .
We will schedule a maintenance window and we will see which node will be affected by the reload of the application server.
I will update this thread as well.
09-26-2024 03:39 AM
Sounds good and you're welcome Marco.