
06-29-2018 08:27 AM
Hello Experts!
Is there a migration path for replacing an ISE instance from DNAC?
Labels: Identity Services Engine (ISE)
Accepted Solutions
11-20-2019 09:27 AM
06-29-2018 02:36 PM
I believe you are correct about this current limitation. I would suggest you discuss it with the DNA-C PM teams for roadmaps.

11-20-2019 08:54 AM
What about the approach of the backup and restore scenario, which is anyway the recommended way to upgrade an ISE deployment?
I mean it should be possible to replace the ISE in a fabric because of a hardware VM failure or whatever.
Thanks
Matthias
03-25-2020 11:03 PM
Hi @Matthias
It's been a while since you asked this question - did you receive any answers?
I am in the situation now where I have an ISE 2.4 integrated with DNAC 1.3 and I need to switch over to another ISE server (ISE 2.7).
It was a painful exercise to get these two things talking to each other. How did you proceed in the end?
regards
Arne

04-02-2020 05:48 AM
I'm still in contact with TAC/BU about that.
I tested a backup/restore upgrade in my DNA lab. So, taking a backup of e.g. ISE 2.3 and restoring it to a 2.4 is working well as long as the FQDN and IP are the same.
regards
Matthias
04-02-2020 04:27 PM
Hi @Matthias
I had some success last night.
I created a place-holder AAA server in DNAC and assigned all existing config to point to that. That allowed me to delete the existing ISE entry in DNAC.
After some faffing around in my ISE 2.7 server, which was a clean ISE 2.7 install, I restored my ISE 2.4 backup onto it, to simulate the scenario where I had to migrate/rebuild my ISE node. Because my config restore dumped a bunch of legacy config and certs, I had to do some work (enabling ERS, rebuilding the internal CA, issuing myself a pxGrid cert signed by the ISE CA), but I was able to get pxGrid working. I then integrated DNAC with ISE - that was relatively smooth.
I did notice that many of my devices are shown as "not provisioned" in DNAC, or Credentials are not ok. But that is my next mission - to figure out how to re-provision all my existing Cat9K, 9800 controllers etc now that new ISE is integrated.

04-03-2020 02:20 AM
Hi Arne,
that sounds like you may figure out a good way to migrate the ISE in a DNAC.
Especially your first point (place-holder AAA) is very interesting. I tried this as well and it didn't work, I may have to try it again in my lab.
Which DNAC version are you running?
Can you check the db on maglev, because it would be interesting what settings are stored there?
Regards
Matthias

08-08-2020 07:31 AM
Just a quick response on that topic.
In the meantime I replaced an ISE 2.3 in a productive SD-Access network by installing a new ISE 2.4 and restoring the backup from 2.3.
Switching to the new ISE was no problem at all. Just disabled the old ISE VM network and enabled the new one. No issues with DNAC integration.

08-09-2020 11:29 AM
How did you switch to the new ISE exactly? When you restored to the new ISE, did you do it with ADE-OS configuration? Thanks in advance.

09-04-2020 06:59 AM
The short version is:
1. Backup current ISE
2. Install a new VM in Version 2.4 / .6 + patch
3. Restore Backup with ADE-OS
4. Change IP or setup a second interface to check config
5. Shut old ISE VM network interface
6. Enable new ISE VM network interface with the same IP as the old one.
7. Check all your services
8. Join a clean secondary node and sync it
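
A pre-cutover check for steps 4 to 7 above, added here as an example and not part of the original post or of any Cisco tooling: it compares the TLS certificates the old node and the restored node present, since the thread reports the restore carrying legacy certs and the pxGrid certificate having to be reissued. The port numbers, IP addresses and FQDN are assumptions and placeholders, not values from the thread.

```python
import hashlib
import socket
import ssl

# Assumed ISE service ports (not stated in the thread): admin GUI, ERS API, pxGrid.
PORTS = {"admin": 443, "ers": 9060, "pxgrid": 8910}

def cert_fingerprint(address, port, sni, timeout=5.0):
    """SHA-256 of the leaf certificate served at address:port, or None if no TLS session."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # fingerprint comparison only, no trust decision is made
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    except OSError:                  # refused, timed out, or handshake rejected
        return None

def snapshot(address, fqdn):
    """Record the certificate each service presents when reached at `address`."""
    return {name: cert_fingerprint(address, port, fqdn) for name, port in PORTS.items()}

def compare(old, new):
    """List differences between the old and the restored node; empty means none found."""
    findings = []
    for name in PORTS:
        before, after = old.get(name), new.get(name)
        if before is None and after is None:
            findings.append(f"{name}: not reachable on either node, verify by hand")
        elif after is None:
            findings.append(f"{name}: served by old node but not by restored node")
        elif before is None:
            findings.append(f"{name}: served only by restored node")
        elif before != after:
            findings.append(f"{name}: certificate changed ({before[:12]} -> {after[:12]})")
    return findings

if __name__ == "__main__":
    # Hypothetical placeholders: production IP, temporary check IP (step 4), shared FQDN.
    old = snapshot("192.0.2.10", "ise.example.com")
    new = snapshot("192.0.2.11", "ise.example.com")
    for line in compare(old, new) or ["no differences found"]:
        print(line)
```

Run it while the restored node still sits on its temporary address from step 4; a changed or missing certificate is something to review before the interfaces are swapped in steps 5 and 6.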

09-04-2020 07:37 AM
Thank you! This is very helpful.
10-21-2022 12:44 AM
Hi!
Interesting. Are you saying that if you changed the network settings (endpoints) from ISE to AAA and saved the config, you were able to remove the whole ISE integration in the DNA settings / Authentication servers section?
