Came across an interesting issue today with Cisco ISE that I thought I would put out in a blog post. Anyone that has worked with ISE knows that if you change your timezone after initial configuration it’s like setting off an atomic bomb, the configuration is screwed. In my haste configuring my 7 nodes I managed to register a couple of my nodes as “Inline Posture Nodes” by accident which is another one of those big no-no’s. Now I’m not going to go into all the details about ISE Personas but just know that this was not what I intended to do. Simple fix right? Just go to your Deployment section and select the node and click “Deregister.” Well that is what I did and it didn’t work out all that well! When the ISE node rebooted it started throwing errors on the console about eth1 and not able to set routers, hrm? What happens is that when you put ISE into the Inline Posture Node, IPEP, the connections are either routed or bridged, think back to NAC days. What happens is that the node is not actually taken out of IPEP mode, some of the configuration is wiped but that is it, the node isn’t changed. When you log into your node and do a sh ip route you will see that your route table is empty. This is because the node is trying to setup items for the IPEP still and is expecting an eth1 interface that no longer exists.
So what is the solution? Pretty simple actually, but tricky to figure out. Now I know you could reset and be back up and running but I didn’t want to lose my certificates. So here is my solution to the issue:
Step 1 – Deregister from the web.
Step 2 – Log into your console and type pep switch outof-pep
Step 3 – After your node has rebooted log back in. Immediately after logging in ISE will inform you that it was previously an IPEP and must reset configuration. Go ahead and let it. But when it starts asking you for configuration information simply press ctrl+c to escape out of the configuration.
Step 4 – From the CLI now issue a application start ise which will start up your ISE engine and allow you to add it as the proper type, an ISE node.
RT @blakekrone: Defusing the ISE Minefield One By One… http://t.co/oIhRByoK
@blakekrone excellent didn’t know you were that into ISE.