Converting from 34xx appliances to VM

gjw_csco
Cisco Employee

Environment is running an ISE cluster with four 34xx appliances: 


- Active/Standby PAN & MnT

- 2 x PSN


Customer would like to consolidate into two appliances based on their concurrent session count, and also migrate to VM since the appliances are due for EoS/EoL per the announcements.


Questions:

1. Do we support running active on VM and standby on a physical appliance for the short/medium term? Does the VM have specific requirements?

2. When we take the current standby appliance out of the cluster, then integrate the VM and do the database sync, is there anything, such as certificates, that needs to be manually configured on the standby VM?


Thanks.

Accepted Solution

Pretty straightforward process and there are quite a few ways to do it; you won't have issues joining VMs to a physical node deployment. Also, because NADs are probably configured for the PSN IPs, I would try to put both new standalone VMs on those IPs. It would look something like this.

1. Deregister a PSN and shut it down.
2. Deregister secondary PAN and shut it down.
3. Deploy a new 2.4 OVA, ideally 600GB+ since it will also host MNT services.
4. Run the setup and reuse the shut down PSN hostname/IP (or change DNS).
5. Install certificates if you use common certs across the nodes today.
6. Patch it to the same as the current PAN/deployment.
7. Register it to the deployment selecting admin, mnt, and policy services roles.
8. Promote this new node to primary MNT and primary admin.
9. Deregister and shut down appliance admin node and PSN.
10. Deploy a new 2.4 OVA, again ideally 600+ GB.
11. Install certs, patch, and register.

At this point you will have two VM nodes left running PAN, MNT and PSN services. This certainly isn't the only way, but it is viable if you have two RADIUS servers configured on each NAD. Probably wise to expand upon my high-level task list to include more specifics if presenting it to a client to carry out. An alternative to save some single-point-of-failure time is to pre-deploy the new 2.4 VMs and stage them at the setup script. If you don't want to reuse IPs, you could deploy the OVAs, join the nodes with new IPs and hostnames, then decommission the four old nodes.



For the 1st question, yes, the VM has specific requirements based on the sizing
(ideally you use an OVA template). See below.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_01.html

For the 2nd question, when you deregister a node from the cluster, its local
certificates disappear and you need to import the new ones related to the
VM after it joins the cluster. The only certificates that get replicated
are wildcard certs.

Damien Miller
VIP Alumni
Are they planning to upgrade the deployment at the same time, or would they prefer to remain on the version they are on now? We can help you with the process either way, but it will differ.

They already upgraded to 2.4.x and then realized the 34xx appliances were not supported, so now they're working towards getting things migrated to VMs.


Damien is correct, there are many ways you can achieve upgrades, and it really depends on your existing environment and requirements.

Another doc that may be useful and give you some ideas is:

https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934#toc-hId--718381845