Solved: Re: ISE reimage using CISM

mothukuri · ‎04-21-2025

Hi All ,

We have SNS-3755-K9 in the production network.After installing it we have noticed that live logs of TACACS are not showing on the web portal.

what is the best way to re-image the ISE ? As per Cisco TAC re-iamge should be done to fix the issue.I have followed below steps but hen ISE was rebooting it was loading existing configuration and not asking for ip address etc as we are not getting option for setup.

Cisco Identity Services Engine Installation Guide, Release 3.1 - Install Cisco ISE [Cisco Identity Services Engine] - Cisco

any help would be highly appreciated .

Step 1

If you are installing Cisco ISE on a:

Cisco SNS appliance: Install the hardware appliance. Connect to CIMC for server management.
Virtual Machine: Ensure that your VM is configured correct.

Step 2

Download the Cisco ISE ISO image.

Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.
Click Download Software for this Product.

The Cisco ISE image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration is complete.

Step 3

Boot the appliance or the virtual machine.

Cisco SNS appliance:

Connect to CIMC and log in using the CIMC credentials.
Launch the KVM console.
Choose Virtual Media > Activate Virtual Devices.
Choose Virtual Media > Map CD/DVD and select the ISE ISO image and click Map Device.
Choose Macros > Static Macros > Ctrl-Alt-Del to boot the appliance with the ISE ISO image.

Press F6 to bring up the boot menu. A screen similar to the following one appears:

Figure 1. Selection of Boot Device

Note

If the SNS appliances are placed in a remote location (for example, data centers), to which you do not have any physical access and need to perform CIMC install from remote servers, it might take long hours for installation. We recommend that you copy the ISO file on a USB drive and use that in the remote location to speed up the installation process.
Cisco ISE installation using CIMC may be affected by network speed, network stability, TCP segmentation, or other factors of the operating system. This may impact the speed and the time taken (approximately 30 minutes) for Cisco ISE installation.

Marcelo Morais · ‎05-02-2025

Hi @mothukuri ,

in the link provided (ISE - Localized Installation) take a look at the How does it work ? ... you need to copy the ISO to the ISE Node disk:

you can not only use your preferred SFTP, but also the following URL options:

ise/admin(config-repository-<name>)# url ?
 Possible completions:
 cdrom: Local CD-ROM drive (read only)
 disk: Local hard disk storage
 ftp: URL using a FTP server
 http: URL using a HTTP server (read only)
 https: URL using a HTTPS server (read only)
 nfs: URL using a NFS server
 sftp: URL using a SFTP server
 tftp: URL using a TFTP server
 <cr>

Hope this helps !!!

View solution in original post

Marcelo Morais · ‎05-20-2025

Hi @mothukuri ,

1st download the ISE 3.3 P4 from ISE Software Download.

2nd copy the ISE 3.3 P4 to the ISE Disk:

ise/admin# copy ftp://<FTP-Server-IP-Addr>/ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz disk:/

3rd create a Repository (disk:/):

ise/admin# configure terminal
ise/admin(config)# repository LOCAL
ise/admin(config-repository-LOCAL)# url disk:/

4th install the Patch:

ise/admin# patch install ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz LOCAL

Hope this helps !!!

View solution in original post

Marcelo Morais · ‎05-30-2025

Hi @mothukuri

yes, the link is Cisco ISE 3.4 Port Reference, and you should check the Cisco ISE All Persona Nodes Ports topic for Node communication.

Also take a look at Cisco ISE 3.0 Installation Guide, special attention to Cisco ISE 3.0 Node Communications:

Hope this helps !!!

View solution in original post

ahollifield · ‎04-22-2025

What is CISM?

Dustin Anderson · ‎04-22-2025

If you have access to the server it is recommended to make a bootable drive. Reloading through the CIMC is slow. When I tried it once it was estimated to take ~10 hours where a USB drive is under an hour.

Here is to make a bootable USB, you do have to edit some files.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_4.html

davidgfriedman · ‎04-22-2025

I read you showed ISE 3.1 documentation, but I wanted you to know that once you've upgraded to ISE 3.2 patch 5 or higher, assuming you can still login to the system, you can scp the ISO file to the ISE local disk and reinstall / rebuild directly from the CLI, no remote mounting and no USB required. We have needed this a few times to rebuild troubled physical appliances / nodes.

> For this reason, ISE 3.2 Patch 5 introduces a new feature that allows the user to reinstall ISE using the command line, saving around 40 minutes. The feature is Localized ISE installation. On command line run the command application configure ise which displays this new option: [36] Localised ISE Install.

Regards,
David

mothukuri · ‎04-22-2025

Hi David ,

Thank you for the detailed explanation.

We have below patch and ISE version running on the ISE box.

Cisco Identity Services Engine
---------------------------------------------
Version : 3.3.0.430
Build Date : XXXXXXXX
Install Date : XXXXXXXX

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : XXXXXXX

I have gone through below info provided by you via url

(https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_3.html)

For this reason, ISE 3.2 Patch 5 introduces a new feature that allows the user to reinstall ISE using the command line, saving around 40 minutes. The feature is Localized ISE installation. On command line run the command application configure ise which displays this new option: [36] Localised ISE Install.

I have few questions . Do i need to install patch 5 before OS installation via command application configure ISE .

Could you please provide me steps or url which can be referred while performing OS install via CLI.

Marcelo Morais · ‎04-22-2025

Hi @mothukuri ,

please take a look at: ISE - Localized Installation.

Hope this helps !!!

mothukuri · ‎05-01-2025

Thak you Marcelo.

I have to load image onto ISE using sftp.

which SFTP software can be used ? i can install SFTP server on the windows server located at data center 1 and ISE is present in data center 2 .SFTP is allowed on respective firewalls from windows VM to ISE.

Many thanks for your help.

Marcelo Morais · ‎05-02-2025

Hi @mothukuri ,

in the link provided (ISE - Localized Installation) take a look at the How does it work ? ... you need to copy the ISO to the ISE Node disk:

you can not only use your preferred SFTP, but also the following URL options:

ise/admin(config-repository-<name>)# url ?
 Possible completions:
 cdrom: Local CD-ROM drive (read only)
 disk: Local hard disk storage
 ftp: URL using a FTP server
 http: URL using a HTTP server (read only)
 https: URL using a HTTPS server (read only)
 nfs: URL using a NFS server
 sftp: URL using a SFTP server
 tftp: URL using a TFTP server
 <cr>

Hope this helps !!!

Scott Fella · ‎05-02-2025

@mothukuri have you tried to run the application reset-config or was that already performed and TAC now wants you to re-image using the ISO?

-Scott
*** Please rate helpful posts ***

mothukuri · ‎05-03-2025

Hi Scott ,

I did not do application reset-config .i was trying to load ISO image into disk using sftp server.

Anybody tried to load ISO from sftp server rmotely.

Marcelo Morais · ‎05-03-2025

Hi @mothukuri ,

remember that ... when you use Localized Installation, you copy the ISO via SFTP to the ISE Node Disk, and then you run the Localized Installation which uses the ISO on the ISE Node Disk to install ISE from scratch.

Have you tried this ?

Hope this helps !!!

mothukuri · ‎05-19-2025

Hi Marcelo ,

Solar winds SFTP server is present on a VM ie 10.48.38.6 of Location A data Center and iSE is present at Location B data center.I have followed below steps.

1. Log in to ISE command line.

2. Run the next commands:

#configure terminal
Entering configuration mode terminal
#repository iso
#url sftp://10.48.38.6/TFTP-Root ( Image is kept in c:/TFTP-root folder and I have choosen path in solar winds SFTP server)
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes.
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
#user cisco password plain cisco
#exit
#exit
#crypto host_key add host 10.48.38.6

admin#copy repository iso file Cisco-ISE-3.3.0.430.SPA.x86_64.iso disk://
The file or directory you want to copy is not available in your local system.
To create a directory now, use the mkdir command.
Transfer failed.

I am getting above error .What can be done now ?any help would be highly appreciated .

mothukuri · ‎05-19-2025

copied ISO file onto ISE sucessfully.Re-imaging will be done tomorrow .any precautions needs to be taken care before re-imaging with Same ISO image.

This command worked after copying ISO file into C drove directly instead of placing it in a folder under C drive of windows machine.

url sftp://10.48.38.6/

I am going to follow step 4 onwards , mentioned on the below url to reimage ISE box as we are not seeing live logs of TACACS .Any advice /suggestion would be highly appreciated.

Configure Localized ISE Installation - Cisco

How to install patch 4 after re-image of the ISE ?

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4

Many Thanks ,

M S K

Marcelo Morais · ‎05-20-2025

Hi @mothukuri ,

1st download the ISE 3.3 P4 from ISE Software Download.

2nd copy the ISE 3.3 P4 to the ISE Disk:

ise/admin# copy ftp://<FTP-Server-IP-Addr>/ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz disk:/

3rd create a Repository (disk:/):

ise/admin# configure terminal
ise/admin(config)# repository LOCAL
ise/admin(config-repository-LOCAL)# url disk:/

4th install the Patch:

ise/admin# patch install ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz LOCAL

Hope this helps !!!

mothukuri · ‎05-20-2025

Hi Marcelo ,

Main problem I had was incorrect path given after the url : ise/admin(config-repository-LOCAL)# url disk:/ .I have tried to load ISO file onto ISE by pacing ISO file in one of the folder under the C drive.I have struggled a lot to give exact path after the url. Later i have copied the file into C drive then everything was done in matter of 2 hrs.

Simply i have copied ISO file into C drive and i was able to upload ISO fie onto ISE using Solarwinds SFTP server.

Re-image/Upgrade is very quick whenever we use Configure Localized ISE Installation - Cisco.

I am not sure why Cisco TAC has denied this process after having long conversation for one month. I have told Cisco TAC that Data center does not have much knowledge on converting USB stick as bootable USB stick. However Cisco TAC engineer has preferred loading ISO file using USB stick.

Many Thanks for your great help and support.