Solved: procedure to migrate from an in production PAN-MNT HA node pair

mpeeters · ‎01-29-2019

Is there a document that walks through the procedure to convert an in production ISE deployment where the PAN-MNT (primary and secondary) nodes to separate pan and mnt HA nodes ?

Will there be any impact to the customer as a result of this migration. For example any loss of events or other ?

Damien Miller · ‎01-29-2019

I haven't seen a document/guide covering breaking out a hybrid deployment in to a distributed, but one way that it can be done with relatively little downtime would be as follows.

1. Deploy, patch, install certs, on the two new future MNT nodes.
2. From the GUI, disable the MNT persona on the secondary admin node, hit save, and the node will restart and be back up within about 10-15 minutes.
3. Register one of the two new nodes you previously prepped as Secondary MNT.
4. From the GUI, disable the MNT persona on the PAN, hit save, and the node will restart and be back up within 10-15 minutes.
5. Register the other new node, this time selecting primary MNT as the role.

You can run without both MNT nodes, you just wont have any visibility in to the environment/authentication. The PAN node plays different roles in different deployments, but in a hybrid deployment, it's like that the existing user authentication remains relatively unscathed with the PSN's handling this direct. This section in the admin guide covers what features will be temporarily unavailable while the PAN reloads. If the PAN also handles PSN functions then NAD HA would have to be considered.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

Because you are moving the monitoring roles, this will also mean you have no historical logs. This data is not synced between monitoring nodes, but it can be restored if needed. I wouldn't bother restoring the MNT logs, the default only goes back 30 days anyways, new logs will begin filling the disk as soon as the new MNT's are online. If it's important, the operational data (MNT logs) can be backed up and restored.

View solution in original post

Damien Miller · ‎01-29-2019

I haven't seen a document/guide covering breaking out a hybrid deployment in to a distributed, but one way that it can be done with relatively little downtime would be as follows.

1. Deploy, patch, install certs, on the two new future MNT nodes.
2. From the GUI, disable the MNT persona on the secondary admin node, hit save, and the node will restart and be back up within about 10-15 minutes.
3. Register one of the two new nodes you previously prepped as Secondary MNT.
4. From the GUI, disable the MNT persona on the PAN, hit save, and the node will restart and be back up within 10-15 minutes.
5. Register the other new node, this time selecting primary MNT as the role.

You can run without both MNT nodes, you just wont have any visibility in to the environment/authentication. The PAN node plays different roles in different deployments, but in a hybrid deployment, it's like that the existing user authentication remains relatively unscathed with the PSN's handling this direct. This section in the admin guide covers what features will be temporarily unavailable while the PAN reloads. If the PAN also handles PSN functions then NAD HA would have to be considered.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

Because you are moving the monitoring roles, this will also mean you have no historical logs. This data is not synced between monitoring nodes, but it can be restored if needed. I wouldn't bother restoring the MNT logs, the default only goes back 30 days anyways, new logs will begin filling the disk as soon as the new MNT's are online. If it's important, the operational data (MNT logs) can be backed up and restored.