Preventing ISE VM Snapshot accidents in VMware

Introduction

Server administrators think security engineers are crazy when told that they are absolutely not allowed to take VMware snapshots of virtual machines running Cisco’s Identity Services Engine (ISE) while those machines are up and running. Snapshot management is one of the key advantages of a virtual server environment in the first place, so it is odd to run into a product that handles it so badly. Since ISE version 2.1, Cisco has made it clear that taking a snapshot of a running ISE node can crash it, followed by a shutdown, and in the worst case you may have to rebuild the node from scratch.

According to Cisco, the only supported way to back up an ISE deployment is the backup function built into ISE, which produces a single large backup file that has to be transferred to an external FTP or SFTP server for long-term storage. That file is what you restore from for disaster recovery should the deployment fail completely, meaning every node is damaged beyond the point where it can be brought up again.

Convincing your server administrators that their scheduled (probably nightly) snapshots must not touch the precious ISE nodes should not be hard after they have killed them all off once. Before that happens, one thing you can propose is that they configure the virtual ISE machines with a setting that prevents snapshot accidents altogether. The following guide shows how to completely deny snapshots of a virtual machine in a VMware environment. Repeat the steps for every ISE node and you should be good to go.

Disabling snapshots of a virtual ISE server in VMware

The first step is actually the “toughest”: shutting down the virtual ISE machine. Consider the impact on your deployment before you do this, obviously.

Log on to the ISE node using either the VMware console (preferably) or SSH and issue the commands below. The first command stops the ISE application server and the second powers off the node:

ise-psn01# application stop ise
ise-psn01# halt

The virtual ISE machine should now be powered off completely and it is safe to make changes to it.

Navigate to the virtual ISE machine in your VMware inventory and do right-click > Edit Settings…

Go to the Options tab and click on Advanced > General. (In the newer vSphere clients the same parameters are reached through Edit Settings > VM Options > Advanced > Configuration Parameters.)

Select Configuration Parameters… on the right side.

In this window you can make advanced changes to the virtual machine itself. Sort the parameters by name and look for one called “snapshot.maxSnapshots”. If it does not exist, add it yourself by clicking the Add Row button.

Enter “snapshot.maxSnapshots” as the Name and set the Value to “0”, as in the image below. A value of 0 means no snapshots may be taken at all; a positive value would instead only cap how many snapshots the virtual machine can hold, which is not what we want here.

Click OK twice to leave the settings and power on the virtual ISE machine again. You can now test it by right-clicking the virtual ISE machine and selecting Snapshots > Take Snapshot. You will be asked to name the snapshot, but that does not matter: as soon as you continue, the error message shown below appears in the Recent Tasks window (usually at the bottom of the VMware client), indicating that the snapshot could not be completed.
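For deployments with more than a handful of nodes, the same change can be scripted with VMware PowerCLI. The script below is an added example written for this article, not something from Cisco, VMware or the original author. It assumes vCenter is reachable as vcenter.example.com (a hypothetical name), that the ISE nodes are named with an ise- prefix, and that you have already stopped ISE and powered the nodes off as described above; it refuses to touch a VM that is still powered on. The verification step tries a snapshot while the node is still powered off, so that a guard which did not take effect does not snapshot a live ISE node.

```powershell
# Added example (not from the original article): apply snapshot.maxSnapshots = 0
# to every ISE VM with PowerCLI and verify that a snapshot attempt is refused.
# Assumptions: vCenter at vcenter.example.com (hypothetical), ISE nodes named ise-*,
# nodes already powered off via 'application stop ise' and 'halt' on the ISE CLI.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.com'

$ParamName = 'snapshot.maxSnapshots'

function Set-IseSnapshotGuard {
    param([Parameter(Mandatory)] $VM)

    # Same rule as the manual procedure: only reconfigure a powered-off node.
    if ($VM.PowerState -ne 'PoweredOff') {
        Write-Warning "$($VM.Name) is $($VM.PowerState); stop ISE and halt the node first. Skipping."
        return $false
    }

    $existing = Get-AdvancedSetting -Entity $VM -Name $ParamName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Parameter absent: the PowerCLI equivalent of 'Add Row' in the GUI.
        New-AdvancedSetting -Entity $VM -Name $ParamName -Value '0' -Confirm:$false | Out-Null
    } elseif ($existing.Value -ne '0') {
        # Parameter present with another value (a snapshot cap): force it to 0.
        Set-AdvancedSetting -AdvancedSetting $existing -Value '0' -Confirm:$false | Out-Null
    }

    # Read the value back rather than trusting the cmdlet's return value.
    $check = Get-AdvancedSetting -Entity $VM -Name $ParamName
    return ($check.Value -eq '0')
}

function Test-IseSnapshotGuard {
    # A snapshot attempt must now fail, as in the GUI test in the article.
    # Run this while the VM is still powered off: if the guard is missing, the
    # snapshot that gets created is of a cold VM, not of a running ISE node.
    param([Parameter(Mandatory)] $VM)
    try {
        $snap = New-Snapshot -VM $VM -Name 'guard-test' -Confirm:$false -ErrorAction Stop
        Write-Warning "$($VM.Name): snapshot was ALLOWED, guard not in place. Removing test snapshot."
        Remove-Snapshot -Snapshot $snap -Confirm:$false
        return $false
    } catch {
        Write-Host "$($VM.Name): snapshot refused as expected ($($_.Exception.Message))"
        return $true
    }
}

# Apply and verify on every ISE node, then print a summary table.
$results = Get-VM -Name 'ise-*' | ForEach-Object {
    $set = Set-IseSnapshotGuard -VM $_
    [pscustomobject]@{
        VM              = $_.Name
        PowerState      = $_.PowerState
        ParameterSet    = $set
        SnapshotRefused = if ($set) { Test-IseSnapshotGuard -VM $_ } else { $null }
    }
}
$results | Format-Table -AutoSize

# Power the nodes back on once every row shows ParameterSet and SnapshotRefused as True:
# $results | Where-Object { $_.ParameterSet -and $_.SnapshotRefused } |
#     ForEach-Object { Start-VM -VM (Get-VM -Name $_.VM) -Confirm:$false }
```

Bear in mind that this parameter is a guardrail against accidents, not an access control: anyone with the privilege to edit a VM's advanced configuration parameters can remove it again, so keep that privilege limited on the ISE nodes.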

And voilà! Our ISE nodes live to see another day of authenticating secure network access. It is a very simple setting that could save you from a very, very stressful workday.