ISE Standalone HA to new VMs

tolarosa@cisco.com
Cisco Employee

What's the best practice(s) process for migrating 2 existing ISE Standalone HA Nodes to 2 new ISE Standalone HA VM Appliances? What are the caveats to be aware of? Licensing, certs, etc.?


Nidhi
Cisco Employee

When you are rehosting, existing valid feature licenses can be reused. You will need the VM licenses though.

Also, please refer to the link here: https://community.cisco.com/t5/security-documents/how-do-i-rehost-my-existing-ise-license-s-onto-a-new-or/ta-p/3632248

 

Which UDI do I need to re-host the licenses to during the migration to the new VMs?

 

Here is the process I had in mind, is this the best practice process? Is there a better way?

2 existing Standalone HA VMs:

- Shut down Secondary Standalone Node
- Bring up new Standalone VM as Secondary (re-use IP) and add it to the existing Primary
- Promote new Secondary Standalone to Primary
- Now shut down the Secondary
- Bring up new Standalone VM as Secondary (re-use IP) and add it to the existing Primary

 

What gets synced when you connect a Secondary to a Primary Node? Configuration? Certs? Etc?

 

 

This will work if you are replacing the nodes on the same version of ISE? Your process of shutting down secondary, standing up replacement VM on the same addressing, and joining it will work. When you join it and it syncs, it will contain an identical copy of the configuration and database. You need to patch to the same top patch of the existing deployment, and install deployment certs, export the public and private key if you want to reuse certs. You only need to install the trust certs to install any required node certs, all other trust store certs will sync when you join the node to the deployment.

The only piece that you should have to address is the licensing, but you have an eval license that will hold you over until you can sort it out. TAC will have to be involved to rehost licensing if you don't have access to the original person that fulfilled them on the licensing portal.

As Nidhi said, they will have to buy two new VM licenses since they wouldn't own any from an SNS deployment.