Is there a migration path for replacing an ISE instance from DNAC?
What about the backup and restore approach, which is anyway the recommended way to upgrade an ISE deployment?
I mean it should be possible to replace the ISE in a Fabric because of a hardware VM failure or whatever.
It's been a while since you asked this question - did you receive any answers?
I am in the situation now where I have an ISE 2.4 integrated with DNAC 1.3 and I need to switch over to another ISE server (ISE 2.7).
It was a painful exercise to get these two things talking to each other. How did you proceed in the end?
I had some success last night.
I created a place-holder AAA server in DNAC and assigned all existing config to point to that. That allowed me to delete the existing ISE entry in DNAC.
After some faffing around in my ISE 2.7 server (which was a clean ISE 2.7 install onto which I then restored my ISE 2.4 backup, to simulate the scenario where I had to migrate/rebuild my ISE node), I was able to get pxGrid working. Because my config restore dumped a bunch of legacy config and certs, I had to do some work (enabling ERS, rebuilding the internal CA, issuing myself a pxGrid cert signed by the ISE CA). I then integrated DNAC with ISE - that was relatively smooth.
I did notice that many of my devices are shown as "not provisioned" in DNAC, or Credentials are not ok. But that is my next mission - to figure out how to re-provision all my existing Cat9K, 9800 controllers etc now that new ISE is integrated.
That sounds like you may figure out a good way to migrate the ISE in a DNAC.
Especially your first point (place-holder AAA) is very interesting. I tried this as well and it didn't work; I may have to try it again in my lab.
Which DNAC version are you running?
Can you check the db on maglev, because it would be interesting to see what settings are stored there?
Just a quick response on that topic.
In the meantime I replaced an ISE 2.3 in a production SD-Access network by installing a new ISE 2.4 and restoring the backup from 2.3.
Switching to the new ISE was no problem at all. I just disabled the old ISE VM network and enabled the new one. No issues with DNAC integration.
The short version is:
1. Backup current ISE
2. Install a new VM in Version 2.4 / .6 + patch
3. Restore backup with ADE-OS
4. Change IP or set up a second interface to check config
5. Shut old ISE VM network interface
6. Enable new ISE VM network interface with the same IP as the old one.
7. Check all your services
8. Join a clean secondary node and sync it
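
Steps 1, 3 and 7 of the list above as an ISE admin CLI session, added here as an illustration and not taken from any poster in this thread. The hostnames `ise-old` and `ise-new`, the backup name `pre-migration` and the `<REPO>`, `<BACKUP_FILE>` and `<ENCRYPTION_KEY>` values are placeholders, and the lines starting with `!` are annotations, not input.

```text
! --- Step 1: on the current node (hostname is a placeholder) ---
! Configuration backup to an already configured repository.
ise-old/admin# backup pre-migration repository <REPO> ise-config encryption-key plain <ENCRYPTION_KEY>
! Confirm the backup finished and note the generated file name.
ise-old/admin# show backup history
ise-old/admin# show repository <REPO>

! --- Step 3: on the freshly installed node (hostname is a placeholder) ---
! The same repository must be configured here first.
! include-adeos also restores the ADE-OS settings of the old node
! (hostname, IP, DNS, NTP), so keep the new VM's network interface
! isolated until the old one is shut (steps 4 to 6).
ise-new/admin# restore <BACKUP_FILE> repository <REPO> encryption-key plain <ENCRYPTION_KEY> include-adeos
ise-new/admin# show restore status

! --- Step 7: after the application has restarted ---
! All services expected for this node's persona should be running.
ise-new/admin# show application status ise
! Version and patch level should match what was planned in step 2.
ise-new/admin# show version
```

A restored configuration can carry over old certificates and leave ERS disabled, as described earlier in the thread, so the system certificates, the ERS setting and pxGrid are worth checking in the admin GUI before relying on the DNAC integration.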