topic Virtual ISE - Vmotion in Network Access Control

Virtual ISE - Vmotion

ryanmbess — Tue, 10 Feb 2026 14:49:39 GMT

Hello all,

We are entertaining virtual cisco ISE as a PSN for one of our remote sites. It seems like all the live/hot vmotion problems have been fixed. Is anyone using virtual ISE and can validate the vmotion concerns are no longer there?

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_2.html

VMware virtual machine requirements
You can use the VMware migration feature to migrate VM instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration.

Hot migration is also called live migration or vMotion. You do not need to shut down or power off Cisco ISE during hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.

Cisco ISE must be shutdown and powered off for cold migration. Cisco ISE does not allow to stop or pause the database operations during cold migration. Hence, ensure that Cisco ISE is not running and active during the cold migration.

Re: Virtual ISE - Vmotion

balaji.bandi — Tue, 10 Feb 2026 16:05:58 GMT

Live vMotion (Hot Migration) is now fully supported.

what is your average round-trip latency? (ISE is sensitive to anything over 300ms for database replication)

Re: Virtual ISE - Vmotion

Arne Bier — Tue, 10 Feb 2026 20:27:35 GMT

I have been using live vMotion since ISE 3.3 and never noticed any issues as a result of using it. In my customer scenarios they don't tend to include ISE in DRS groups (as far as I know) but I know that they will deliberately vacate VMs (including ISE) to upgrade/patch the ESXi hosts.

I would trust that VMWare have done a reliable job in ensuring there is no data loss or corruption.

There is more chance of breaking your ISE by doing a sanctioned ISE patch or upgrade.

Re: Virtual ISE - Vmotion

Marcelo Morais — Fri, 13 Feb 2026 02:51:36 GMT

@ryanmbess ,

vMotion is supported since ISE 3.1.

My preferences for a vMotion are:

1st Cold vMotion

ISE Nodes shutdown:

ise/admin# halt

2nd "Cold vMotion"

ISE Nodes with "application stop":

ise/admin# application stop ise

3rd Hot vMotion

ISE Nodes up and running

Tested since ISE 3.3 P4 !

Hope this helps !

Re: Virtual ISE - Vmotion

balaji.bandi — Fri, 13 Feb 2026 07:53:18 GMT

So none of the 3 options causes data loss. To my knowledge, (never had a virtual environment though for ISE)

Once I had a bad experience due to VM resources - ISE had a performance issue, so I prefer physical somehow.

Re: Virtual ISE - Vmotion

ryanmbess — Fri, 13 Feb 2026 12:04:26 GMT

Thanks. It's encouraging to hear that you've had success with live vMotions.

Re: Virtual ISE - Vmotion

Marcelo Morais — Fri, 13 Feb 2026 12:44:41 GMT

@balaji.bandi ,

yes, none of the 3 options causes Data Loss

PS: what I prefer about VM over the SNS is that the SNS Appliance supports the UEFI (Unified Extensible Firmware Interface) Secure Boot feature, which ensures that only a signed Cisco ISE image can be installed, in other words, although the SNS is a Cisco UCS C, the SNS Appliance are a dedicated Appliance ONLY for Cisco ISE, and cannot be repurposed ... please take a look at:

ISE - What we need to know about SNS / VM .