What is with the approache of the backup and restore scenario which is anyway the recommended way to upgrade a ISE deployment?

I mean it shout be possible to replace the ISE in a Fabric because of a hardware vm failture or whatever.

Thanks

Matthias

Hi @Matthias 

It's been a while since you asked this question - did you receive any answers?

I am in the situation now where I have an ISE 2.4 integrated with DNAC 1.3 and I need to switch over to another ISE server (ISE 2.7).

It was a painful exercise to get these two things talking to each other.  How did you proceed in the end?

regards

Arne

Hi @Matthias 

I had some success last night.

I created a place-holder AAA server in DNAC and assigned all existing config to point to that. That allowed me to delete the existing ISE entry in DNAC.

After some faffing around in my ISE 2.7 server which was a clean ISE 2.7 install, and then I restored my ISE 2.4 backup onto it, to simulate the scenario where I had to migrate/rebuild my ISE node.  Because my config restore dumped a bunch of legacy config and certs, I had to do some work (enabling ERS, rebuilding the internal CA, issuing myself a pxGrid cert signed by the ISE CA) I was able to get pxGrid working.  I then integrated DNAC with ISE - that was relatively smooth.

I did notice that many of my devices are shown as "not provisioned" in DNAC, or Credentials are not ok. But that is my next mission - to figure out how to re-provision all my existing Cat9K, 9800 controllers etc now that new ISE is integrated. 

Hi Arne,

that sounds like you may figure out a good way to migrate the ISE in a DNAC.

Espacially the you first point (place-holder AAA) is very interessting. I tried this as well and it didnt work, I may have to try it again in my lab.

Which DNAC version do you running?

Can you check the db on maglev, because it would be interessting what settings are stored there?

Regards

Matthias

Just a quick response on that topic.

In the meentime I replaces a ISE 2.3 in a productive SD-Access Network by installing a new ISE 2.4 and restore the backup from 2.3.

Switching to new ISE was no problem at all. Just disabled the old ISE VM Network and enabled the new one. No issues with DNAC intigration.

How did you switch to the new ISE exactly? When you restores to the new ISE, did you do it with ADE-OS configuration? Thanks in advance. 

Th short version is:

1. Backup current ISE

2. Install a new VM in Version 2.4 / .6 + patch

3. Restore Backup with ADE-OS

4. Change IP or setup a second interface to check config

5. Shut old ISE VM network interface

6. Enable new ISE VM network interface with the same IP like the old one.

7. Check all your services

8. Join a clean secondary node and sync it

Thank you! This is very helpful. 

Hi!

Interesting. Are you saying that if you changed the network settings (endpoints) from ISE to AAA, saved the config you where able to remove the whole ISE integration in the DNA settings / Authentication servers section?