You are currently viewing Why Snapshots Could Break Your Virtual ISE Deployment

Why Snapshots Could Break Your Virtual ISE Deployment

This article discusses the reasons why snapshots are not supported on Cisco ISE virtual machines as well as the problems that are caused when snapshots are taken.

What is a Snapshot?

A snapshot is a copy of a virtual machines disk file (.VMDK) at a particular point in time. VMware allows you to take manual snapshots of a virtual machine or even automatically take snapshots of devices at a specific time. Snapshots are useful in situations where an operational device is rendered useless for whatever reason and you would like to restore that device back to a working state.

Why doesn’t Cisco ISE Support Snapshots?

Cisco ISE comes with its own backup and restore utilities and not only that, Cisco ISE doesn’t support backups because the data processed by the nodes is constantly changing and is actively being synchronised with the database.


Warning

If snapshots are taken of ISE nodes while powered on, the nodes will freeze and cause services to stop. To resume services, a reboot of the affected ISE node will be required.
 
Snapshots can seriously affect the deployment to a point where the ISE database becomes corrupted. If that happens then the affect node/s will require a complete new installation. I’ve also seen instances whereby a snapshot has been taken of a node while powered on and although it hasn’t immediately rendered the node unusable, the node doesn’t function as it should (even with an application reset).

I don’t have access to the VMware environment so how would I know if snapshots are affecting my ISE deployment?

If the VMware infrastructure is managed by a third party, more often than not you may not have access to the back-end environment. When trying to troubleshoot issues with virtual ISE instances, this can sometimes prove challenging, especially if you need to see whether snapshots are the root cause of issues within your ISE deployment. Nevertheless, we can often diagnose the issue from ISE. So if you find that you are troubleshooting a potential snapshot issue, take a look at the following points that have been observed on virtual ISE deployments when snapshots are enabled.

  • ISE node/s are still reachable via ping however you cannot login via SSH
  • AAA requests to ISE PSNs are failing
  • When I try to access the GUI of the potentially affected ISE node/s, it times out
  • I can access the primary PAN but some of the nodes are shown as offline when I check the deployment status

How can I maintain backups ensuring snapshots don’t affect my ISE deployment?

  • Ensure automatic snapshots are disabled
  • Ensure that the relevant teams know that automatic snapshots should be disabled
  • Ensure that the relevant teams are aware that manual snapshots shouldn’t be taken when the devices are powered on. Snapshots can be taken when the device is powered off but the preferred method is to use the backup capabilities within ISE
  • Configure scheduled backups within ISE

iwiizkiid

Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply