cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

166
Views
0
Helpful
3
Replies
Cisco Employee

ISE Standalone HA to new VM's

What's the best practice(s) process for migrating 2 existing ISE Standalone HA Nodes to 2 new ISE Standalone HA VM Appliances?  What are the caveats to be aware of?  Licensing, Certs, Etc? 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: ISE Standalone HA to new VM's

This will work if you are replacing the nodes on the same version of ISE? Your process of shutting down secondary, standing up replacement VM on the same addressing, and joining it will work. When you join it and it syncs, it will contain an identical copy of the configuration and database. You need to patch to the same top patch of the existing deployment, and install deployment certs, export the public and private key if you want to reuse certs. You only need to install the trust certs to install any required node certs, all other trust store certs will sync when you join the node to the deployment.

The only piece that you should have to address is the licensing, but you have an eval license that will hold you over until you can sort it out. TAC will have to be involved to rehost licensing if you don't have access to the original person that fulfilled them on the licensing portal.

As Nidhi said, they will have to buy two new VM licenses since they wouldn't own any from a SNS deployment.

View solution in original post

3 REPLIES 3
Cisco Employee

Re: ISE Standalone HA to new VM's

when you are rehosting , 

existing valid feature licenses can be reused. you will need the VM licenses though.

Also, please refer to the link here- https://community.cisco.com/t5/security-documents/how-do-i-rehost-my-existing-ise-license-s-onto-a-new-or/ta-p/3632248

Cisco Employee

Re: ISE Standalone HA to new VM's

 

Which UDI do I need to re-host the licenses to during the migration to the new VM's? 

 

Here is the process I had in mind, is this the best practice process? Is there a better way?

2 existing Standalone HA VM's

- Shutdown Secondary Standalone Node

- Bring up new Standalone VM as Secondary (re-use IP) and add it to the existing Primary

- Promote new Secondary Standalone to Primary

- Now shutdown the Secondary 

- Bring up new Standalone VM as Secondary (re-use IP) and add it to the existing Primary

 

What gets synced when you connect a Secondary to a Primary Node? Configuration? Certs? Etc?

 

 

VIP Advocate

Re: ISE Standalone HA to new VM's

This will work if you are replacing the nodes on the same version of ISE? Your process of shutting down secondary, standing up replacement VM on the same addressing, and joining it will work. When you join it and it syncs, it will contain an identical copy of the configuration and database. You need to patch to the same top patch of the existing deployment, and install deployment certs, export the public and private key if you want to reuse certs. You only need to install the trust certs to install any required node certs, all other trust store certs will sync when you join the node to the deployment.

The only piece that you should have to address is the licensing, but you have an eval license that will hold you over until you can sort it out. TAC will have to be involved to rehost licensing if you don't have access to the original person that fulfilled them on the licensing portal.

As Nidhi said, they will have to buy two new VM licenses since they wouldn't own any from a SNS deployment.

View solution in original post