ISE - Loss of All Nodes in a Distributed Deployment, Recovery Using New IP Addresses and Hostnames

Tai Eric
Level 1

Hi Experts,

 

I have a question regarding ISE disaster recovery with the same hostname and IP. For step 2, is it a must to generate a self-signed cert? Is it possible to go back to using the original N1 CA-signed certificate?

Resolution Steps

1. Obtain the N1 backup and restore it on N1A. See "Restoring Data from a Backup" section for more information. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.

2. You must generate a new self-signed certificate. See "Generating a Self-Signed Certificate" section for more information.

3. You must log in to the Cisco ISE user interface on N1A, choose Administration > System > Deployment, and do the following:

a. Delete the old N2 node. See "Removing a Node from Deployment" section for more information.

b. Register the new N2A node as a secondary node. See "Registering and Configuring a Secondary Node" section for more information. Data from the N1A node will be replicated to the N2A node.

 

 

 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html

2 Replies

Naresh Ginjupalli
Cisco Employee

Hi,

The reason for asking to create a self-signed cert is that the subject name of the certificate should match the ISE node FQDN. If you import the N1 node CA-signed certificate, that certificate will have the hostname of the N1 node as its subject name and it will not work.

So you have to create a self-signed certificate or get a new CA-signed certificate with the N1A node FQDN as its subject name.

Hope this clarifies the reason for the self-signed certificate.

nspasov
Cisco Employee

As long as:

- The newly built node has the same FQDN

- You have the original signed certificate and private key

- Root's and subordinate's (if any) CA certificates

Then you should be able to just re-import the cert.

 

Thank you for rating helpful posts!
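
The conditions discussed in the two replies above (subject name matching the node FQDN, the original private key, and the root and subordinate CA certificates) can be checked with the openssl CLI before importing anything into ISE. This is an added example, not part of the thread or of Cisco's documentation; the function names and file names are hypothetical, and it assumes PEM files and an unencrypted private key.

```bash
#!/bin/sh
# Added example: pre-import checks for a certificate being reused on a rebuilt node.
# Function names and file arguments are hypothetical; requires the openssl CLI.
# Assumes PEM input and an unencrypted private key.

# Succeeds if a DNS SAN (or the CN when no DNS SAN exists) covers the FQDN.
cert_matches_fqdn() {  # cert_matches_fqdn CERT FQDN
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Succeeds if the private key belongs to the certificate (same public key).
# "-passin pass:" makes an encrypted key fail immediately instead of prompting.
key_matches_cert() {  # key_matches_cert CERT KEY
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds if the certificate chains to the supplied root/subordinate CA bundle.
chain_validates() {  # chain_validates CERT CA_BUNDLE
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs all three checks, reports each one, and fails if any check fails.
preimport_check() {  # preimport_check CERT KEY CA_BUNDLE FQDN
  local rc=0
  if cert_matches_fqdn "$1" "$4"; then echo "OK   subject covers $4"
  else echo "FAIL subject does not cover $4"; rc=1; fi
  if key_matches_cert "$1" "$2"; then echo "OK   private key matches certificate"
  else echo "FAIL private key does not match certificate"; rc=1; fi
  if chain_validates "$1" "$3"; then echo "OK   chain validates against CA bundle"
  else echo "FAIL chain does not validate against CA bundle"; rc=1; fi
  return "$rc"
}

# Example invocation (file names are placeholders):
#   preimport_check node.pem node.key ca-chain.pem n1a.example.com
```

A certificate issued for the old hostname fails the first check against the new FQDN, which is the case the first reply describes.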