
Cisco ISE migration from Legacy 3315 to updated 3415 process

asimkhan_14
Level 1

Hi,

Can anybody assist me in understanding the migration of Cisco ISE from the old 3315 appliance to the 3415? The current setup is running on 3315 with a 2-node deployment, with 1250 Base and 1250 Plus licenses installed.

Since the 3315 is end of life, what would be a smooth migration process from 3315 to 3415 with zero downtime?

11 Replies

nspasov
Cisco Employee

Hi there. Here is what I would suggest:

1. Read the Admin Guide and get familiar with the process of backup/restore and appliance replacement:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html

2. The downtime would depend on your deployment and options here. If you have redundant appliances then it is possible to de-register the one that you are replacing and then register the new appliance and let the database replicate.

3. If that is not possible then you might have to do backup/restore. With this you need to keep in mind that not everything is restored! For instance, certificates and licenses are two of the main things to consider.

4. If you will be replacing the primary admin node then you will need to obtain new licenses as those are tied to the UID of the server. For that you will need to reach out to Cisco.

I hope this helps!

Thank you for rating helpful posts!

Dear Neno Spasov,

Thank you so much for your informative suggestions. Let me clarify further that the existing setup is running on 2 nodes and the roles are divided as follows:

Node 1: PAN Primary, MNT Secondary, PSN Secondary

Node 2: PAN Secondary, MNT Primary and PSN Primary.

 

So, as per my understanding from your post, I should perform the following steps:

  • Take a backup from the existing Node 1 (PAN Primary).
  • De-register Node 2, which leaves the existing Node 1 standalone.
  • Import the NEW appliance certificate to the existing Node 1 (PAN Primary).
  • Register the NEW appliance to the existing PAN Primary node as Secondary PAN, Primary MNT and PSN.
  • Manually switch the existing Node 1, i.e. Primary PAN, to Secondary PAN (I hope this leaves the new appliance as Primary PAN).
  • De-register Node 1 (which is running as PAN Secondary).
  • Import the 2nd NEW appliance certificate to the NEW appliance (NEW PAN Primary).
  • Register the second NEW appliance as Secondary PAN, Primary MNT & PSN.
  • Once the above is done, apply the new UID license (re-hosted) to the PAN Primary node.

Kindly confirm that the above steps will be good to perform during the appliance replacement. I hope all client machines (existing & NEW) will be automatically authenticated from the NEWLY deployed nodes.

Appreciating your comments....

@Neno Spasov

Could you please check my above reply and advise if anything else is required?

Sorry for the delay. What you have outlined is good. A couple of things I would suggest:

1. Do what Marvin suggested with regards to the certificates and get those exported along with the private keys ahead of time. That way you can import them once the new appliances are ready and you won't have to deal with the self-signed ones.

2. I would also request the new licenses ahead of time. You should have the UID as soon as you are able to log in to the servers.

Thank you for rating helpful posts!

Thank you very much for the advice Neno.

I will export the current certificates from the existing node prior to starting to register the new nodes and will import them once the new appliances are ready.

Regarding the licenses, I will contact Cisco support as soon as I am ready with the new setup.

I will post the result in the next comment.

Marvin Rhoads
Hall of Fame

What Neno said plus...

1. I'd skip the SNS-3415 as it already has an end of sales announcement:

http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-737032.html

Go with the SNS-3515 instead.

2. You can export the certificate with its private key from the current PAN and re-use it for the new upgraded deployment.

Dear Marvin Rhoads

Thanks for letting us know that the SNS-3415 is end of sale. I have seen that October 7, 2016 is the last date for this model's sale.

I would highly appreciate it if you could please clarify for me the use and benefit of exporting the certificate from the current PAN and importing it into the new upgraded PAN node.

asimkhan_14  

The advantage of migrating the certificate is that you don't have to create a new CSR and get the original certificate re-issued. Depending on how your organization procures certificates, that can save time and reduce the dependency on other staff during your migration process.

@Marvin Rhoads

Thank you so much for clarifying the advantage of exporting the original certificate to the new deployment nodes, which will help clients to keep continuously using the original certificate during (or) post migration for authentication to save downtime.

Wilber Baldeon
Level 1

Hello,

Could you tell me if your procedure I made of appliance migration.

Also, is it possible to have a primary administrator node with SNS3415 and the secondary node with SNS3515?

What nspasov wrote would work for both SNS hardware appliances and ISE virtual appliances.

We may mix different SNS appliances and VMs in the same deployment. Please read the sizing chart to plan accordingly.