ISE support for Cloning/Snapshot

Vinicius Golin
Cisco Employee

Hi Team,

Could you kindly confirm whether we support VM Cloning (Snapshot) for ISE nodes including MNT/ADM?

From the 2.4 Installation Guide I understood it is feasible; however, it is only for PSNs. Not sure if that also applies to MnT and ADM. Could you kindly confirm?

From the installation guide:


You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node. For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs individually.


Also, what exactly is meant by:

For cloning, you need VMware vCenter. Cloning must be done before you run the Setup program.


Does it mean the previous ISE installation setup?


Thanks!


Accepted Solutions

Jason Kunst
Cisco Employee

It means we only support cloning for systems that don’t yet have a configuration on them, for example at the setup prompt.

We don’t support cloning or vMotion.

Best approach is to use high availability and configuration backups.

For roadmap, reach out to the product management team.

4 Replies

paul
Level 10

Once you have ISE to the point where it says Enter "setup" to login, you can clone the VM and create other ISE VMs. It shouldn't matter what the ISE persona is. At that point you haven't even configured the ISE application at all.

Once ISE is up and running you should never do a snapshot on a running ISE node. You risk breaking the ISE services. The only time you should snapshot is when the system is powered off.

From the 2.4 guide:

"Cisco ISE does not support VMware snapshots for backing up ISE data because a VMware snapshot saves the status of a VM at a given point in time. In a multi-node Cisco ISE deployment, data in all the nodes are continuously synchronized with current database information. Restoring a snapshot might cause database replication and synchronization issues. Cisco recommends that you use the backup functionality included in Cisco ISE for archival and restoration of data.

Using VMware snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node."

Hi,

Can you please let me know if a NetApp snapshot breaks the ISE 2.4 database and sync process?

A VMware snapshot takes time, and the delay would break the ISE database, but a NetApp snapshot is almost instant. Would this also break ISE?

Regards,

Syed Hyder

Any backup service running in the background is not supported. No official testing or guidance.