
ISE reimage using CISM

mothukuri
Level 1

Hi All,

We have an SNS-3755-K9 in the production network. After installing it we have noticed that live logs of TACACS are not showing on the web portal.

What is the best way to re-image the ISE? As per Cisco TAC, a re-image should be done to fix the issue. I have followed the steps below, but when ISE was rebooting it was loading the existing configuration and not asking for IP address etc., as we are not getting the option for setup.

Cisco Identity Services Engine Installation Guide, Release 3.1 - Install Cisco ISE [Cisco Identity Services Engine] - Cisco

Any help would be highly appreciated.

Step 1

If you are installing Cisco ISE on a:

  • Cisco SNS appliance: Install the hardware appliance. Connect to CIMC for server management.

  • Virtual Machine: Ensure that your VM is configured correctly.

Step 2

Download the Cisco ISE ISO image.

  1. Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.

  2. Click Download Software for this Product.

    The Cisco ISE image comes with a 90-day evaluation license already installed, so you can begin testing all Cisco ISE services when the installation and initial configuration is complete.

Step 3

Boot the appliance or the virtual machine.

  • Cisco SNS appliance:
    1. Connect to CIMC and log in using the CIMC credentials.

    2. Launch the KVM console.

    3. Choose Virtual Media > Activate Virtual Devices.

    4. Choose Virtual Media > Map CD/DVD and select the ISE ISO image and click Map Device.

    5. Choose Macros > Static Macros > Ctrl-Alt-Del to boot the appliance with the ISE ISO image.

    6. Press F6 to bring up the boot menu. A screen similar to the following one appears:

      Figure 1. Selection of Boot Device

      Note

      • If the SNS appliances are placed in a remote location (for example, data centers), to which you do not have any physical access and need to perform CIMC install from remote servers, it might take long hours for installation. We recommend that you copy the ISO file on a USB drive and use that in the remote location to speed up the installation process.

      • Cisco ISE installation using CIMC may be affected by network speed, network stability, TCP segmentation, or other factors of the operating system. This may impact the speed and the time taken (approximately 30 minutes) for Cisco ISE installation.

17 Replies

Hi @mothukuri,

Excellent news ... very happy to have been of help!!!

Note: if you are interested in other Cisco ISE Use Cases, please take a look at: ISE Deployment and Operation: Lessons from Large, Complex Environment.

Best regards.

Hi Marcelo,

We have ISE-1 acting as a standalone at Data center A and ISE-2 acting as a standalone at Data center B.

We have Palo Alto Firewalls before the ISE at Data Center A & B. We are planning to configure them as primary and secondary nodes. I have imported the ISE-2 certificate onto ISE-1.

To register ISE-2 in ISE-1 as a secondary, what ports need to be opened on the respective FWs?

From the attached document we could see the ports below. Do we need any other port/ports to be opened on the Palo Alto Firewall?

Cisco ISE Service Ports on Gigabit Ethernet 0 or Bond 0
• HTTPS (SOAP): TCP/443
• Data Synchronization/Replication (JGroups): TCP/12001 (Global)
• ISE Messaging Service: SSL: TCP/8671
• ISE internal communication: TCP/15672
• Profiler Endpoint Ownership Synchronization/Replication: TCP/6379

Many Thanks

M S K

Hi @mothukuri,

Yes, the link is Cisco ISE 3.4 Port Reference, and you should check the Cisco ISE All Persona Nodes Ports topic for Node communication.

Also take a look at the Cisco ISE 3.0 Installation Guide, with special attention to Cisco ISE 3.0 Node Communications:

Cisco ISE 3.0 Node Communications.png

Hope this helps!!!
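
Added example, not part of the thread or of Cisco's documentation: a small Python check for whether the TCP ports quoted in the question above complete a handshake across the firewall path, separating a silent drop from a reset. It assumes it is run from a host whose traffic is matched by the same firewall rules as the ISE node (firewall rules are usually tied to source address); the script name in the usage comment is hypothetical.

```python
import socket
import sys

# TCP ports listed in the post above (Gigabit Ethernet 0 or Bond 0).
ISE_NODE_PORTS = {
    443: "HTTPS (SOAP)",
    12001: "Data Synchronization/Replication (JGroups)",
    8671: "ISE Messaging Service (SSL)",
    15672: "ISE internal communication",
    6379: "Profiler Endpoint Ownership Synchronization/Replication",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: path and listener are fine
    except ConnectionRefusedError:
        return "refused"       # RST received: no listener, or a reject rule
    except socket.gaierror:
        raise                  # name resolution failure is not a firewall result
    except OSError:
        return "filtered"      # timeout or unreachable: typical of a silent drop


def check_node(host, ports=ISE_NODE_PORTS, timeout=3.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def blocked(results):
    """Ports that did not complete a handshake, sorted."""
    return sorted(p for p, state in results.items() if state != "open")


if __name__ == "__main__":
    # Hypothetical usage: python check_ise_ports.py <address of the peer ISE node>
    results = check_node(sys.argv[1])
    for port, state in results.items():
        print(f"TCP/{port:<6} {state:<9} {ISE_NODE_PORTS[port]}")
    sys.exit(1 if blocked(results) else 0)
```

A "filtered" result points at a rule dropping the traffic, while "refused" means the packet reached something that answered with a reset, so the service on the node is the next thing to check. The port list here is only what the post quotes; the port reference named in the reply remains the authority for the full set.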