Extreme Networks

RobertD1 · ‎07-10-2024

Hello,

Original scenario is that a customer deployed XIQ-SE already and onboarded with Cloud IQ. The long unique serial number of XIQ-SE can be seen under NAC Entitlements under License Management. The GUI login page allowed login to XIQ-SE.

A new XIQ-SE instance has been installed with a different IP address and needs to connect to Cloud IQ. Will a second serial number appear under NAC Entitlements after the second XIQ-SE is onboarded? If all NAC licenses are activated against the first XIQ-SE how can they be moved to the new XIQ-SE?

Another key thing is that the database from the first XIQ-SE has been restored on the new XIQ-SE so is the long serial number the same ie part of the database or unique to each install?

The first time they login to the new XIQ-SE it should allow them to onboard it to Cloud IQ. I will check they see this and also it has access to the internet.

Edit: After changing some FW rules they can login but don't see the new XIQ-SE device in XIQ only the old one. So, two devices with the same serial number essentially. Should the old XIQ-SE be deleted from XIQ? How to force the onboarding from the new XIQ-SE? Is it a case of enabling the Extreme IQ engine connection from Administration>Option>ExtremeCloud IQ Connection>Configuration?

Rob

Zdeněk_Pala · ‎07-12-2024

Private keys can be re-used.

I guess you use FQDN in the certificates. The Certificate needs to be replaced if the FQDN is changed. In this case you will probably need new CSRs.

If the FQDN stays then you can change DNS to point the same FQDN to the new IP and in that case certificates can stay.

If you use IP in the certificate then you will need a new one.

Regards Zdeněk Pala

View solution in original post

Zdeněk_Pala · ‎07-11-2024

The S/N is part of the database backup.

if you restore DB in another instance of XIQ-SE then you cloned the XIQ-SE and you have two instances with the same S/N. the statistics in the cloud will be wrong and a lot of very strange situations will be seen. I suggest the following recovery steps:

1. shutdown & destroy one of those XIQ-SE instances

2. delete the XIQ-SE from the XIQ

3. onboard the XIQ-SE to the XIQ

--

regarding your NAC questions:

yes if you have two Site Engines then you will see two rows in the NAC entitlements table and you can define allocations to each of those instances.

Good Luck.

Regards Zdeněk Pala

RobertD1 · ‎07-11-2024

Thank you. Customer has deleted the old XIQ-SE from XIQ, the managed switches disappear (which is to be expected) and then auto onboarded the new XIQ-SE and can see the IP changed, the serial number remained the same because it is part of the database and the managed switches reappeared. Also, added two new Extreme Control engines and they automatically received licenses from the NAC Entitlements in XIQ and they were enforced and went green. So, only one XIQ-SE serial number seen and used.

Just one last question around certificates, can the private key and certificate be moved from the old Extreme Control engines and reused on the new ones or do they need to create a new private key / CSR? The DNS FQDN will need updating too because new IPs are used which will affect the Common Name.

Zdeněk_Pala · ‎07-12-2024

Private keys can be re-used.

I guess you use FQDN in the certificates. The Certificate needs to be replaced if the FQDN is changed. In this case you will probably need new CSRs.

If the FQDN stays then you can change DNS to point the same FQDN to the new IP and in that case certificates can stay.

If you use IP in the certificate then you will need a new one.

Regards Zdeněk Pala

Extreme Networks

Installing a second XIQ-SE virtual appliance

Installing a second XIQ-SE virtual appliance