New Member

Best Practice for rebooting ISE Nodes?

Hello Community,

I administer an ISE installation with two nodes (I am not an ISE specialist; my job is just to manage the user/MAC addresses), but now I have to move my ISE nodes from one VMware cluster to another VMware cluster.

(Both VMware environments are connected to our enterprise network, but are different environments. vMotion is not possible.)

I would shut down ISE02, move it to our new VMware environment and start it again.

Then I would do this with our ISE01 node...

Are there any best practices for doing this (shut down the application first, stop replication, etc.)?

Can I really simply reboot an ISE node, or do I have to consider something before doing this? After doing this?

Any tasks after reboot?

Thank you for any answer!

ISE01    Administration, Monitoring, Policy Service    PRI(A), SEC(M)
ISE02    Administration, Monitoring, Policy Service    SEC(A), PRI(M)

7 REPLIES
Cisco Employee

There is a lot to consider here. If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change, among other things. If this is the case, create a new ISE VM in the new environment using the built-in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment. Then spin up a new Secondary node and register it on the Primary. Once this is done, you can re-host the license from your old environment onto your new environment. You can use this tool to re-host:

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999

If IP Addressing is to remain the same, it gets simpler.

First, and always, perform a configuration and operational backup.

If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes.  Transfer them to the New Environment and turn them on, Primary Node first, of course.

If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment.  Start the Secondary Node and when it is up, shut down the Primary Node.  Once services on the primary node have stopped, promote the Secondary Node to Primary Node.

Transfer the OLD Primary Node to the New Environment and turn it on.  It should assume the role of Secondary Node.  If it does not, assign that role through the GUI.

Remember, the correct way to shut down an ISE node is:

application stop ise

halt

By using these commands, the risk of database corruption decreases by about 90% (remember to always back up).

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

New Member

Hello Charles,

thanks for your reply. The network addresses don't change.

So, just a few further questions:

How to promote the secondary to primary node? (Do you have a link for me?)

Can I do the movement without changing the primary/secondary roles?

What will happen if I don't promote the secondary to primary? If node01 comes up - it will be the primary again if there is no other primary?

Cisco Employee

How to promote the secondary to primary node? (Do you have a link for me?)

Here is the link to show how to promote the node:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_dis_deploy.html#pgfId-1128454

Can I do the movement without changing the primary/secondary roles?

If you can schedule the move with expected downtime, then yes.

What will happen if I don't promote the secondary to primary? If node01 comes up - it will be the primary again if there is no other primary?

True, and that is the reason for having a Secondary Node; however, if there is an extended amount of time between moving the Primary Node, other anomalies may occur.

New Member

Hello Charles,

thank you very much.

Kind regards

Benjamin

Cisco Employee

Happy to help.

Good luck with your ISE move.

Charles Moreton

New Member

Hello Charly,

one more further question about changing the primary/secondary role:

My installation:

node01

- Admin, Policy

node02

- Monitoring, Policy

In your link I read:

"You can only promote a secondary Administration node to become a primary Administration node. Cisco ISE nodes that assume only the Policy Service or Monitoring persona, or both, cannot be promoted to a primary Administration node."

So it is not possible to promote this node to primary admin node?

--> I don't have an option like "Promote to Primary" on the edit page of my nodes... what does this mean?

Cisco Employee

Add the secondary Admin Node persona to the Secondary Node before moving the VM.
