Sunday, 17 August 2025

Recovering and Reinitializing a Standby APIC as an Active APIC in Cisco ACI


If you're working with a standby APIC and need to verify access or promote it to an active role, here’s a practical approach to follow.


🔐 Step 1: Accessing the Standby APIC

You can attempt to log in using the rescue-user account. This account is specifically designed for emergency access to standby controllers.

  • Try using your standard APIC admin password first.
  • If the standby APIC is in sync with the cluster, this should work.
  • If not, attempt login without a password — some configurations allow password-less access for rescue-user in isolated standby mode.

🔄 Step 2: Reinitializing the Standby APIC as Active

If you need to promote a standby APIC (e.g., APIC3) to an active role, it's best to wipe and reconfigure it from scratch. Ensure you have KVM access to the APIC before proceeding.

Run the following commands in sequence:

  • acidiag touch clean
  • acidiag touch setup
  • acidiag reboot

These commands will:

  1. Clean the existing configuration.
  2. Trigger the setup script on next boot.
  3. Reboot the APIC to begin the reinitialization process.

Once rebooted, the APIC will prompt you to configure it as part of the active cluster.


🧠 Pro Tip

Always ensure that the APIC you’re reinitializing is physically connected to the fabric and that you have console or KVM access. This process is irreversible and should only be done when you're certain the APIC is no longer needed in standby mode.

 

Cold Standby APIC – Key Characteristics

  • Supported in both single-pod and multi-pod ACI deployments.
  • Can be connected to any leaf switch in any pod, restoring edit capabilities when the active APIC cluster is left in a minority state.
  • Automatically receives firmware updates to stay in sync with the active APIC cluster.
  • During upgrades, once all active APICs are updated, the standby APIC is upgraded automatically.
  • Assigned temporary node IDs; a new ID is issued when promoted to active.
  • Admin login is disabled on standby APICs.
  • Troubleshooting is done via SSH using the rescue-user account.
  • During switchover, the replaced active APIC is powered down to avoid dual connectivity.
  • Standby APICs do not participate in policy configuration or fabric management.
  • Cisco recommends placing standby APICs in the same pod as the active ones they may replace.
  • No configuration or credential data is replicated to standby APICs — only rescue-user access is available.

 
