2638 Views, 5 Helpful, 7 Replies

ISE 3.1 re-IP process

fareed.ahmad (Level 1)

We are running a distributed deployment with six ISE 3.1 VMs. I might need to re-IP the whole environment and have questions on the re-IPing process.

Is there a preferred order the nodes must be re-IPed in? Meaning, should the primary admin node be re-IPed first, then the secondary admin node, followed by the PSNs? Or does the order not matter?

Before the IP is changed, is there a need to stop the ISE application via "application stop ise"?

To change the IP, is it preferred to issue the "reset config" command via the CLI? Or go to the interface in exec mode and change the IP via the "ip address new_IP_Address subnet_mask" command?

Lastly, for the certificates, will a new cert need to be generated again for each node? Or can you re-use the cert you had before you re-IPed?

2 Accepted Solutions

7 Replies

Nancy Saini (Cisco Employee)

The best way is to de-register all nodes from the PAN. Change the IP address on each node using the command "ip address new_IP_Address subnet_mask", update the nslookup entries on the DNS server for each ISE server, and then put the nodes back into the deployment.

The steps to change the IP address are covered in the ISE 3.1 admin guide: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_6.html#change-ip-address

After changing the IP address, your ISE will also be disconnected from AD, so you will need to perform the join operation again.

If there is no change to the FQDN of any ISE server, or the IP address of the server is not present in the certificate, then the existing certificates should work. Otherwise, you will have to renew self-signed certificates, and for 3rd-party certificates get a new CSR signed by the CA.

Rodrigo Diaz (Cisco Employee)

Hi @fareed.ahmad, the best approach I see for the situation you are facing is the following:

1. Deregister the node from the deployment.

2. Apply the command "application reset-config ise" on the node (you can retain all the node configuration and ISE certificates in this process; please review https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/cli_guide/b_ise_CLIReferenceGuide_27/b_ise_CLIReferenceGuide_27_chapter_01.html#wp1727183819).

3. Change the DNS entry corresponding to this node on your DNS server so it matches the new IP-FQDN pair.

4. Add the node back to the deployment by registering it.

You can of course change the IP of the ISE servers through the CLI by going to interface GigabitEthernet 0 and changing the IP to the one desired; however, as you mention in your description that you will change the whole ISE environment, the approach given above is better, to avoid synchronization problems that may occur.

The order you can follow to reconfigure the IP is: SAN, SMNT (if applicable), PSN nodes, PMNT (if applicable) and lastly the PAN node.

Regarding the certificates, it will depend on what kind of certificate you are using and also on whether fields of the certificate, such as the SAN field, have entries linked to the IPs you mention you are going to change (in that case you might have to generate a new CSR). However, if the certificate entries are linked only to the FQDN of the ISE nodes, I don't see a major problem with the certificates.

Rate and comment if that helps you.
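The deregister / re-IP / update DNS / re-register procedure described in Nancy Saini's and Rodrigo Diaz's replies above leaves two things for the operator to verify before step 4 (registering a node back): that the DNS A and PTR records already match the node's new address, and whether the node's certificate SAN is bound to an old IP and therefore needs a new CSR. The pre-flight checker below is an added example written for this thread; it is not part of the thread, of ISE, or of any Cisco tool. It assumes the re-IP order Rodrigo gives (SAN, SMNT, PSN, PMNT, PAN as role labels); the node names, addresses, SAN entries and DNS state in it are constructed sample data, and the SAN entries are assumed to have been read out of the ISE certificate store beforehand.

```python
"""Pre-flight checker for re-IPing a distributed ISE deployment.

Added example (not from the thread, ISE, or Cisco). It orders the nodes in the
sequence given in the thread (SAN, SMNT, PSN, PMNT, PAN), confirms that the DNS
forward (A) and reverse (PTR) records already match each node's new address
before the node is registered back, and flags certificates whose
subjectAltName is bound to an old IP and therefore needs a new CSR.
All node names, roles, IPs, SAN entries and DNS answers below are constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass, field

# Re-IP order from the thread: secondary admin, secondary MnT, PSNs,
# primary MnT, and the primary admin node last.
ROLE_ORDER = ["SAN", "SMNT", "PSN", "PMNT", "PAN"]


@dataclass
class Node:
    fqdn: str
    role: str
    old_ip: str
    new_ip: str
    # subjectAltName entries of the node's system certificate (assumed to be
    # exported from ISE beforehand): DNS names and IP literals as plain strings.
    cert_sans: list = field(default_factory=list)


def reip_order(nodes):
    """Return the nodes sorted into the order they should be re-IPed."""
    return sorted(nodes, key=lambda n: ROLE_ORDER.index(n.role))


def dns_problems(node, resolve_a, resolve_ptr):
    """Check fqdn -> new_ip and new_ip -> fqdn; return a list of findings."""
    findings = []
    a = resolve_a(node.fqdn)
    if a is None:
        findings.append(f"{node.fqdn}: no A record")
    elif a != node.new_ip:
        findings.append(f"{node.fqdn}: A record is {a}, expected {node.new_ip}")
    ptr = resolve_ptr(node.new_ip)
    if ptr is None:
        findings.append(f"{node.new_ip}: no PTR record")
    elif ptr.rstrip(".").lower() != node.fqdn.lower():
        findings.append(f"{node.new_ip}: PTR is {ptr}, expected {node.fqdn}")
    return findings


def cert_problems(node):
    """Flag SAN entries that are IP literals other than the new IP: that
    certificate is bound to an address the node will no longer have and must
    be reissued (new CSR). FQDN-only SANs are unaffected by the re-IP."""
    findings = []
    for entry in node.cert_sans:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            continue  # a DNS name, not an IP literal
        if str(ip) != node.new_ip:
            findings.append(f"{node.fqdn}: certificate SAN contains IP {ip}; new CSR needed")
    return findings


def preflight(nodes, resolve_a, resolve_ptr):
    """Return [(fqdn, findings)] in re-IP order; an empty findings list means
    the node is ready to be registered back to the deployment."""
    return [(n.fqdn, dns_problems(n, resolve_a, resolve_ptr) + cert_problems(n))
            for n in reip_order(nodes)]


def ready(report):
    return all(not findings for _, findings in report)


# Resolvers against the live DNS; both return None when the record is missing.
def system_resolve_a(fqdn):
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None


def system_resolve_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed sample deployment (hypothetical names and addresses).
SAMPLE_NODES = [
    Node("ise-pan.example.com", "PAN", "10.1.1.10", "10.2.1.10", ["ise-pan.example.com"]),
    Node("ise-san.example.com", "SAN", "10.1.1.11", "10.2.1.11", ["ise-san.example.com"]),
    Node("ise-psn1.example.com", "PSN", "10.1.1.20", "10.2.1.20",
         ["ise-psn1.example.com", "10.1.1.20"]),
]
# Constructed DNS state: the PSN's A record was not updated and it has no PTR yet.
SAMPLE_A = {"ise-pan.example.com": "10.2.1.10",
            "ise-san.example.com": "10.2.1.11",
            "ise-psn1.example.com": "10.1.1.20"}
SAMPLE_PTR = {"10.2.1.10": "ise-pan.example.com",
              "10.2.1.11": "ise-san.example.com"}

if __name__ == "__main__":
    # Swap SAMPLE_A.get / SAMPLE_PTR.get for system_resolve_a / system_resolve_ptr
    # to run against real DNS.
    report = preflight(SAMPLE_NODES, SAMPLE_A.get, SAMPLE_PTR.get)
    for fqdn, findings in report:
        print(fqdn, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
    print("ready to register:", ready(report))
```

Against the constructed data the SAN and PAN nodes come back clean, while the PSN is reported three times: a stale A record, a missing PTR for the new address, and a certificate SAN still carrying the old IP. Running the same checks against live DNS only needs the two system resolvers substituted in; the PTR check matters because ISE logs and some integrations do reverse lookups, and a stale PTR is easy to miss when only the forward entry was updated.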

Thank you for the detailed feedback. This really helps a lot. I do have a quick question on step #2:

- You said "application reset-config ise". From what I understand, this command will wipe away the ISE config and the database. There is another command, "reset config"; this command is to easily readdress/rename an ISE node without having to reinstall or reconfigure all of the ISE policy. Wouldn't it be much easier to just use the "reset config" command instead of wiping away the database and starting from scratch?

As you are going to deregister the node from the deployment in step 1, you need to turn that node into a standalone one so you can rejoin it to the deployment later. The "reset config" command you mention will not work for this purpose, as the node will keep the role it had without being changed to a standalone node. With the steps proposed above you ensure that this node will pull all the synchronization required from the PAN node.

Hi Rodrigo,

In case you have only 1 node, in standalone mode, and need to change the IP address, without any dependency on certificates, is it feasible to just change the configuration directly on the interface in the CLI?

Yes, you can change the IP address of a Standalone node. The change will require a restart of the ISE services as stated in the Admin Guide.

Thank you for your quick response Greg.