top of page
Search

Cisco ISE maintenance in VM environment.How to backup or restore?!

Have you ever faced this banner?!

VMware snapshots are not supported way of backup

Yeah .. it’s a Cisco Bug!

The majority of business owners use their existing VMware environment (e.g.Turbonomic , vCenter , Veeam ONE etc.) in order to utilize Cisco ISE instead of buying physical hardware/ appliances (SNS-3xxx) servers. Actually,there are a couple of issues you need to be aware of when taking advantage of a VM environment.

Here are the two most common issues I’ve seen in the field:

The first common issue is enabling VMware snapshots in order to provide backup functionality for ISE nodes in a deployment.

Here is a kind advice for those who ask you:

Can I use snapshots to back up ISE?

The answer to that question is:

(A giant NO00000000!!!)

There is a tiny annotation in The Cisco ISE installation guide that I’m certain 99.999999 % of users have never read.

Here is the entry in its totality (thanks to copy paste magic):

Informing customers about this is one of my first steps before any installation and during consultancy. You will run into difficulties where the ISE node suddenly goes offline.

So you may ask yourself...

What is the work around for that?

You can use the built-in backup/restore functionality ISE !

Scenario of this ticket:

A distributed deployment with multiple admin nodes (PANs) already has redundancy because all admin nodes maintain the configuration for the deployment. The only possible reason I’ve found that you would need to do a restore is either

  • a) a naughty configuration was applied J and you need to roll back

  • b) in case you lose all PANs.

In either scenario it is easy to correct the config by utilizing an ISE backup or rebuilding an admin node and then restoring a backup.

The second issue is trying to modify, resize or change any settings of an ISE node. When you install the VM, the ISE installation determines what configuration (small, medium or large) you are using and writes that configuration to the underlying ADE-OS.

There are two scenarios that I see most often:

1. You installed using the 3515 OVA which has 6 cores. Your deployment grows and it’s determined you really need the 3595 sized appliance CPU and RAM because utilization is high. Your VM team says “Null problem! We’ll just gracefully shutdown the servers and tweak CPU and memory settings of ISE-VM in order to add more resources.” They proceed to do just that and everything comes back up but the performance doesn’t really improve.The reason is because even though ISE sees the extra resources it is not configured to actually use them.


2. Your Monitor node is running out of space because you set it up with 300GB of space. You ask the VM admin to increase the drive space. The VM admin does suddenly the server no longer boots. Why? Because you’ve changed the underlying configuration and ADE-OS doesn’t know how to handle the drive parameter change.

This is also true for customers that see drives are underutilized and think “I don’t need all that space so I’ll shrink the drive in order to use it for other servers.” so they shrink the drive. If you need to change the hardware configuration, the only and the best option is to delete the VM and reinstall it from the scratch with the new parameters. Backup the SSL certificates for that node, remove it from the deployment, create them again, add bring SSL certificates back in business, and then join it back into the deployment.



Useful links:

TRADEMARK LEGAL NOTICE

All product names, logos, and brands are property of their respective owners in the Austria or other countries.

All company, product and service names used on this website are for identification purposes only. Pheniix is notaffiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, Openstack, Vagrant, Ansible, Docker, GIT, , Blockchain or other companies.

Use of these names, logos, and brands does not imply endorsement.

The opinions expressed on pheniix are personal perspectives and not those of Cisco , Dimension Data or any other company. Pheniix runs as an independent blog.

#CISSP #VMWare #Snapshot #ISC2 #engineering #coding #programming #VPN #Security #pheniix_#MikeGhahremani#programmer #developer#Blockchain #Networking #Projectmanager #PM#Machinelearning #AI #سيسكو #ccie#شبکه #لینوکس #پایتون

#codin #CISCOISE #Cisco #CiscoNetworkingAcademy #CyberSecurity #Howtobackup #Backup #VMWare #snapshot

bottom of page