Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE - Loss of All Nodes in a Distributed Deployment, Recovery Using New IP Addresses and Hostnames

Hi Experts,

 

I have a question regarding ISE disaster recovery with same hostname and IP. For step 2, is it a must to generate a self signed cert? is it possible to use back to original N1 CA- signed certificate?

 

 

 

esolution Steps

1. Obtain the N1 backup and restore it on N1A. See "Restoring Data from a Backup" section for more information. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.

2. You must generate a new self-signed certificate. See "Generating a Self-Signed Certificate" section for more information.

3. You must log in to the Cisco ISE user interface on N1A, choose Administration > System > Deployment, and do the following:

a. Delete the old N2 node. See "Removing a Node from Deployment" section for more information.

b. Register the new N2A node as a secondary node. See "Registering and Configuring a Secondary Node" section for more information. Data from the N1A node will be replicated to the N2A node.

 

 

 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_backup.html

2 REPLIES
Cisco Employee

Hi,The reason for asking to

Hi,

The reason for asking to create a self signed cert is , the subject name of the certificate should match  ISE node FQDN. If you import the N1 node CA- signed certificate, that certificate will have the hostname of N1 node as its subject name and it will not work.

So you have to create a self signed certificate or get a new CA signed certificate with subject name as N1A node FQDN.

Hope this clarifies the reason of self signed certificate.

Cisco Employee

As long as:- The newly built

As long as:

- The newly built node has the same FQDN

- You have the original signed certificate and private key

- Root's and subordinate's (If any) CA certificates

Then you should be able to just re-import the cert.

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
124
Views
0
Helpful
2
Replies
CreatePlease to create content