06-29-2018 08:27 AM
Hello Experts!
Is there a migration path for replacing an ISE instance from DNAC?
06-29-2018 02:36 PM
I believe you are correct about this current limitation. I would suggest you discuss it with the DNA-C PM teams for roadmaps.
11-20-2019 08:54 AM
What about the approach of the backup and restore scenario, which is anyway the recommended way to upgrade an ISE deployment?
I mean it should be possible to replace the ISE in a Fabric because of a hardware VM failure or whatever.
Thanks
Matthias
03-25-2020 11:03 PM
Hi @Matthias
It's been a while since you asked this question - did you receive any answers?
I am in the situation now where I have an ISE 2.4 integrated with DNAC 1.3 and I need to switch over to another ISE server (ISE 2.7).
It was a painful exercise to get these two things talking to each other. How did you proceed in the end?
regards
Arne
04-02-2020 04:27 PM
Hi @Matthias
I had some success last night.
I created a place-holder AAA server in DNAC and assigned all existing config to point to that. That allowed me to delete the existing ISE entry in DNAC.
I did some faffing around in my ISE 2.7 server, which was a clean ISE 2.7 install, and then I restored my ISE 2.4 backup onto it, to simulate the scenario where I had to migrate/rebuild my ISE node. Because my config restore dumped a bunch of legacy config and certs, I had to do some work (enabling ERS, rebuilding the internal CA, issuing myself a pxGrid cert signed by the ISE CA) before I was able to get pxGrid working. I then integrated DNAC with ISE - that was relatively smooth.
I did notice that many of my devices are shown as "not provisioned" in DNAC, or Credentials are not ok. But that is my next mission - to figure out how to re-provision all my existing Cat9K, 9800 controllers etc now that new ISE is integrated.
04-03-2020 02:20 AM
Hi Arne,
That sounds like you may figure out a good way to migrate the ISE in a DNAC.
Especially your first point (place-holder AAA) is very interesting. I tried this as well and it didn't work, I may have to try it again in my lab.
Which DNAC version are you running?
Can you check the db on maglev, because it would be interesting to see what settings are stored there?
Regards
Matthias
08-08-2020 07:31 AM
Just a quick response on that topic.
In the meantime I replaced an ISE 2.3 in a production SD-Access network by installing a new ISE 2.4 and restoring the backup from 2.3.
Switching to the new ISE was no problem at all. Just disabled the old ISE VM network and enabled the new one. No issues with DNAC integration.
08-09-2020 11:29 AM
How did you switch to the new ISE exactly? When you restored to the new ISE, did you do it with ADE-OS configuration? Thanks in advance.
09-04-2020 06:59 AM
The short version is:
1. Backup current ISE
2. Install a new VM in Version 2.4 / .6 + patch
3. Restore Backup with ADE-OS
4. Change IP or setup a second interface to check config
5. Shut old ISE VM network interface
6. Enable new ISE VM network interface with the same IP as the old one.
7. Check all your services
8. Join a clean secondary node and sync it
09-04-2020 07:37 AM
Thank you! This is very helpful.
10-21-2022 12:44 AM
Hi!
Interesting. Are you saying that if you changed the network settings (endpoints) from ISE to AAA and saved the config, you were able to remove the whole ISE integration in the DNA settings / Authentication servers section?