Best Practice for rebooting ISE Nodes?

Benjamin Lehner
Level 1

Hello Community,

I administer an ISE installation with two nodes (I am not an ISE specialist, my job is just to manage the user/MAC addresses)... but now I have to move my ISE nodes from one VMware cluster to another VMware cluster.

 

(Both VMWare environments are connected to our enterprise network, but are different environments. vMotion not possible)

 

I would shut down ISE02, move it to our new VMware environment and start it again.

Then I would do this with our ISE01 Node...

 

Are there any best practices for doing this? (Shut down the application first, stop replication, etc.)?

Can I really simply reboot an ISE node, or do I have to consider something before doing this? After doing this?

Any tasks after reboot?

 

Thank you for any answer!

 

ISE01: Administration, Monitoring, Policy Service; PRI(A), SEC(M)

ISE02: Administration, Monitoring, Policy Service; SEC(A), PRI(M)

 

 

Accepted Solutions

Charlie Moreton
Cisco Employee

There is a lot to consider here.  If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change among other things.  If this is the case, create a new ISE VM in the new environment using the built-in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment.  Then spin up a new Secondary node and register it on the Primary.  Once this is done, you can re-host the license from your old environment onto your new environment.  You can use this tool to re-host:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999

 

If IP Addressing is to remain the same, it gets simpler. 

First, and always, perform a configuration and operational backup.

If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes.  Transfer them to the New Environment and turn them on, Primary Node first, of course.

If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment.  Start the Secondary Node and when it is up, shut down the Primary Node.  Once services on the primary node have stopped, promote the Secondary Node to Primary Node.

Transfer the OLD Primary Node to the New Environment and turn it on.  It should assume the role of Secondary Node.  If it does not, assign that role through the GUI.

Remember, the correct way to shut down an ISE node is:

application stop ise

halt

By using these commands, the risk of database corruption decreases by about 90% (Remember to always back up).

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton


 

How to promote the secondary to primary node? (Do you have a link for me?)

Here is the link to show how to promote the node:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#pgfId-1128454

Can I do the move without changing the primary/secondary roles?

If you can schedule the move with expected downtime, then yes.

What will happen if I don't promote the secondary to primary? If node01 comes up, will it be the primary again if there is no other primary?

True, and that is the reason for having a Secondary Node; however, if there is an extended amount of time between moving the Primary Node, other anomalies may occur.


Hello Charles,

 

Thanks for your reply. The network addresses don't change.


So, just a few further questions:

How to promote the secondary to primary node? (Do you have a link for me?)

Can I do the move without changing the primary/secondary roles?

What will happen if I don't promote the secondary to primary? If node01 comes up, will it be the primary again if there is no other primary?

 


Hello Charles,

 

thank you very much.

 

Kind regards

Benjamin

Happy to help.

Good luck with your ISE move.

 

Charles Moreton

Hello Charly,

one more further question about changing primary/secondary role:

My installation:

node01

- Admin, Policy

node02

- Monitoring, Policy

In your link I read:

"You can only promote a secondary Administration node to become a primary Administration node. Cisco ISE nodes that assume only the Policy Service or Monitoring persona, or both, cannot be promoted to a primary Administration node."

So it is not possible to promote this node to primary admin node?

--> I don't have an option like "Promote to Primary" in the edit page of my nodes... what does this mean?

 

Add the secondary Admin Node persona to the Secondary Node before moving the VM
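
The rolling move and the promotion rule discussed above can be dry-run before the maintenance window. The sketch below is an added example, not code from the thread participants or from Cisco: the `Node` model and `check_rolling_move` function are hypothetical, the node layouts are constructed from the two setups posted in the thread, and the rule that one Policy Service node stays up at every step is an assumption about what "downtime is an issue" means.

```python
# Added example: dry-run of the rolling move described in the thread.
from dataclasses import dataclass

ADMIN, MON, PSN = "Administration", "Monitoring", "Policy Service"

@dataclass
class Node:                      # hypothetical model, not an ISE API
    name: str
    personas: set
    admin_role: str = ""         # "primary", "secondary" or "" (no Administration persona)
    up: bool = True

def check_rolling_move(primary, secondary):
    """Walk the 'downtime is an issue' sequence; return (steps, problems).
    Mutates both nodes to reflect their state after the move."""
    steps, problems = [], []

    def record(step):
        steps.append(step)
        # Assumed requirement: one Policy Service node keeps serving at every step.
        if not any(n.up and PSN in n.personas for n in (primary, secondary)):
            problems.append(f"no Policy Service node is up after: {step}")

    record("take configuration and operational backups")
    secondary.up = False
    record(f"{secondary.name}: application stop ise, halt, move VM")
    secondary.up = True
    record(f"{secondary.name}: power on in the new environment")
    primary.up = False
    record(f"{primary.name}: application stop ise, halt")
    # Rule quoted in the thread: only a secondary Administration node can be promoted.
    if ADMIN in secondary.personas and secondary.admin_role == "secondary":
        secondary.admin_role, primary.admin_role = "primary", "secondary"
        record(f"{secondary.name}: promote to primary Administration node")
    else:
        problems.append(f"{secondary.name} cannot be promoted: no secondary Administration persona")
    primary.up = True
    record(f"{primary.name}: move VM, power on, confirm secondary role")
    return steps, problems

if __name__ == "__main__":
    # Constructed inputs mirroring the two layouts posted in the thread.
    full = check_rolling_move(Node("ISE01", {ADMIN, MON, PSN}, "primary"),
                              Node("ISE02", {ADMIN, MON, PSN}, "secondary"))
    split = check_rolling_move(Node("node01", {ADMIN, PSN}, "primary"),
                               Node("node02", {MON, PSN}))
    for label, (steps, problems) in (("ISE01/ISE02", full), ("node01/node02", split)):
        print(label, "OK" if not problems else problems)
```

Giving node02 the secondary Administration persona before the move, as the last reply advises, clears the reported problem.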
