Deleting a Hub Site
You can delete a primary hub if the primary hub is in a failed state and no branch sites have been provisioned.
If both the primary hub and transit hub are in a failed state, you must delete the transit hub first in order to delete the primary hub. If the delete operation succeeds, both the primary hub and transit hub are reset to the brownfield validation state.
When a hub is deleted after hub provisioning fails, the Cisco IWAN application does the following:
- Revokes the PKI certificate and trustpoint.
- Releases the IP addresses to the IP address pool.
- Deletes the hub from the inventory.
If the delete operation succeeds, the hub is removed from the Sites page.
Note: The hub site is deleted on a best-effort basis. If the devices are unreachable, they are not restored to the original configuration. In this case, you must manually clean up the configuration on the devices. See Manually Cleaning Up Devices.
You can re-provision the hub from the Configure Hub Site page as part of the hub provisioning (see Wizard Step 5—Configuring the IWAN Aggregation Site).
Deleting Branch Sites
You can delete branch sites from IWAN irrespective of the branch state—in progress, provisioned, or failed.
Procedure
Step 1 From the Cisco IWAN home page, click Manage Branch Sites. The Sites page opens.
Step 2 Click the Site(s) tab. From the Action column in the Site Status page, click the X icon to delete the site.
Note: Branch sites are deleted on a best-effort basis. If the devices are unreachable, they are not restored to the bootstrap configuration. In this case, you must manually clean up the configuration on the devices. See Manually Cleaning Up Devices.
When a branch site is deleted, the Cisco IWAN application performs the following:
- Revokes the PKI certificates and trust points.
- Releases the IP addresses from IP address pools.
- Cleans the site information from the database.
- Attempts to revert the routers of the deleted site to the bootstrap configuration file, IWAN_RECOVERY.cfg, by doing the following:
– Copies the IWAN_RECOVERY.cfg to the startup configuration.
– Reloads the device.
See Backup and Restore.
After the site is deleted, the branch devices are removed from the Devices tab and are displayed in the unclaimed device list, which allows you to re-provision the branch site.
Manually Cleaning Up Devices
After a hub site, transit-hub site, or branch site delete operation, the devices in the site are deleted on a best-effort basis. If the devices are unreachable, they are not restored to the original configuration. In this case, you must manually clean up the configuration on the devices.
Use this procedure to manually clean up the configuration on the devices.
Procedure
Step 1 Remove the IWAN PKI trust point. Use the following command:
no crypto pki trustpoint sdn-network-infra-iwan
Step 2 Remove the IWAN RSA key from NVRAM. Use the following commands:
crypto key zeroize rsa sdn-network-infra-iwan
write erase
Step 3 Restore the original configuration. Use the following commands:
config replace bootflash:<original-config-file> force
write
PRE-GA-1-HUB-INET# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
PRE-GA-1-HUB-INET(config)# no crypto pki trustpoint sdn-network-infra-iwan
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
PRE-GA-1-HUB-INET(config)# crypto key zeroize rsa sdn-network-infra-iwan
Do you really want to remove these keys? [yes/no]: yes
PRE-GA-1-HUB-INET(config)# end
PRE-GA-1-HUB-INET# write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
PRE-GA-1-HUB-INET# config replace bootflash:clean-config force
%EIGRP: Deleting base topology is not allowed.
% Interface GigabitEthernet0/0/4 IPv4 disabled and address(es) removed due to enabling VRF IWAN-TRANSPORT-2
% Profile is applied to Tunnel11-head-0 (head) and possibly other crypto maps
% No such key-chain
% Profile is applied to Tunnel11-head-0 (head) and possibly other crypto maps
% Profile is applied to Tunnel11-head-0 (head) and possibly other crypto maps
% Profile is applied to Tunnel11-head-0 (head) and possibly other crypto maps
% Profile is applied to Tunnel11-head-0 (head) and possibly other crypto maps
The rollback configlet from the last pass is listed below:
********
!List of Rollback Commands:
no crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-2
end
********
Rollback aborted after 5 passes
PRE-GA-1-HUB-INET# write
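The session above ends with "Rollback aborted after 5 passes", so the configuration replace did not complete cleanly before the final write. The following Python sketch is an added example, not part of the Cisco documentation or tooling: it checks a captured config replace transcript for an aborted rollback, lists the commands from the last-pass rollback configlet for review, and flags any running-config lines that still reference the sdn-network-infra-iwan label. The function names and the sample inputs are assumptions constructed from the session shown on this page.

```python
import re

# Trustpoint / RSA key label that the cleanup procedure on this page removes.
IWAN_LABEL = "sdn-network-infra-iwan"

def parse_config_replace(transcript: str) -> dict:
    """Report whether a `config replace` run aborted, after how many passes,
    and which commands appear in the last-pass rollback configlet."""
    aborted = re.search(r"^Rollback aborted after (\d+) passes", transcript, re.M)
    leftover, in_list = [], False
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("!List of Rollback Commands"):
            in_list = True
        elif in_list and (line == "end" or set(line) == {"*"}):
            in_list = False  # "end" or a row of asterisks closes the configlet
        elif in_list and line:
            leftover.append(line)
    return {
        "aborted": aborted is not None,
        "passes": int(aborted.group(1)) if aborted else None,
        "leftover": leftover,
    }

def residual_iwan_lines(running_config: str) -> list:
    """Return config lines that still reference the IWAN trustpoint/key label."""
    return [l.strip() for l in running_config.splitlines() if IWAN_LABEL in l]

# Constructed sample input, modelled on the session shown on this page.
SAMPLE_TRANSCRIPT = """\
%EIGRP: Deleting base topology is not allowed.
The rollback configlet from the last pass is listed below:
********
!List of Rollback Commands:
no crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-2
end
********
Rollback aborted after 5 passes
"""

# Constructed running-config fragment (hypothetical state of an uncleaned device).
SAMPLE_CONFIG = """\
hostname PRE-GA-1-HUB-INET
crypto pki trustpoint sdn-network-infra-iwan
"""
```

A result with "aborted" set to True or a non-empty residual list means the device still carries IWAN configuration and should be inspected before the site is re-provisioned.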