topic Re: Upgrade from SNS-3595-K9 to SNS-3795-K9 in Network Access Control

Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly — Tue, 26 Mar 2024 15:57:17 GMT

Hello,

I have two ISE 3595 (3.2 Patch 3) physical appliances, one in each Data Centre. They will be end-of-life in a few months. They are currently used for Wired NAC with Posturing, Wireless NAC (corporate, BYOD and Guest and Hotspot). It is also used for TACACS+.

They are being replaced with two SNS-3795 physical appliances.

My aim is to build both of these in a lab by backing up the config and operation databases on the 3595 and restoring on the 3795. The new appliance will have the same IP address, same hostname, same OS version and same patch level.

On the night of migration, I will move the current network cables from the current 3595 to the new 3795 in the hope of completing this in one clean swoop. I can roll back to the 3595s easily if necessary.

Is there anything I need to be aware of:

join to AD domain
certificate migration
licensing
anything else.

Thanks Anthony.

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

davidgfriedman — Tue, 26 Mar 2024 17:17:40 GMT

I thought SNS-3595 was more than upgraded by going to an SNS-3655 or SNS-3755 level device For a 2-node deployment, I'd think going to a pair of SNS-3795's was overkill. Does anyone from Cisco want to chime in?

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

ahollifield — Tue, 26 Mar 2024 18:31:07 GMT

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

You will need to re-join to AD. You will need to export/import the certificates. Keep an eye on DNS changes needed as well.

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly — Wed, 27 Mar 2024 17:38:02 GMT

Thanks for this.

I was thinking of this method, it is probably not recommended.

Could you do this?

Build both new ISE 3795 appliances with the same OS and Patch (3.2 Patch 3) in the lab.
Move the Admin and MnT mode to the ISE01
Remove the old secondary ISE appliance. (ISE02)
Join the new ISE appliance, let them sync. With this the primary will be 3595 and the secondary will be 3795
Failover admin and MnT to the secondary. (New-ISE02)
Remove the old primary, join the new ISE and let them sync, now both appliance will be 3795
Then at the end the following will be running:

ISE01 - Primary Admin, Secondary MnT

ISE02 - Secondary Admin, Primary MnT

Is this lazy way possible?

Thanks

Anthony

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

ahollifield — Wed, 27 Mar 2024 19:31:03 GMT

Yeah this should work. As long as you are ok with the redundancy concerns.

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly — Wed, 27 Mar 2024 22:12:25 GMT

Hi,

When you say redundancy concerns, are you referring to the time when both ISE appliance are not in sync and the Admin and MnT personas running on the same node?

Thanks

Anthony.

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

ahollifield — Wed, 27 Mar 2024 22:36:46 GMT

No when you only have a single ISE node online at a time. This is a small deployment with only two nodes correct?

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly — Thu, 28 Mar 2024 09:52:13 GMT

Yes, it is only a two-mode deployment.

Can you have a two node deployment where two node have different physical hardware. e.g 3595 and a 3795?

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

ahollifield — Thu, 28 Mar 2024 10:29:57 GMT

It should be fine for the purposes of the migration. Its nothing you want to leave for very long though as you will have mismatched scale.

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly — Thu, 28 Mar 2024 10:42:04 GMT

Hi,

I had a typo, the new ISE appliance will be a SNS-3755-K9 not a SNS-3795-K9. Does this impact my plan above?

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

ahollifield — Thu, 28 Mar 2024 10:50:57 GMT

Nope

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly — Wed, 30 Oct 2024 10:15:55 GMT

Hello, Me again.

I have another upgrade.

I am thinking instead of the approach above, I am thinking of using a DR approach.

These are my steps which should cut down the migration time and have a good rollback option.

Pre-Reqs

Take backups of config and operational DBs
Take backups of policy set and certificates.
Build new appliances in lab, same IP, same ISE version and patch level.
Restore config and operation DBs
Check policy set and certificates.
Make sure appliances in lab are identical to live environment.

Migration:

Power down old appliances
Move network cables
Power up new appliances
Make sure deployment is in sync (this is a two mode deployment)
Review live logs, alarms, health check
Test.
Failover to secondary
Test
Failback to primary
Test.

If there is a big issues, power down, move cables back to old appliances and power up.

Can you forsee any issues with this method?

Thanks

Anthony.

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

ahollifield — Wed, 30 Oct 2024 11:04:09 GMT

I wouldn't bother with an operational backup. Those are can be quite large and do you really need that data? How can you spin up nodes in a lab with the same IP? I assume the lab is fully disconnected from production?

Re: Upgrade from SNS-3595-K9 to SNS-3795-K9

Anthony O'Reilly — Wed, 30 Oct 2024 11:22:30 GMT

Yes, the lab is completely isolated. It is not even on the customer site.

I was just going to restore the operational DB as this doesn't take much time and less chances of having any issues.