Upgrade from SNS-3595-K9 to SNS-3795-K9

Hello,

I have two ISE 3595 (3.2 Patch 3) physical appliances, one in each Data Centre. They will be end-of-life in a few months. They are currently used for Wired NAC with Posturing, Wireless NAC (corporate, BYOD and Guest and Hotspot). It is also used for TACACS+.

They are being replaced with two SNS-3795 physical appliances.

My aim is to build both of these in a lab by backing up the config and operation databases on the 3595 and restoring on the 3795. The new appliance will have the same IP address, same hostname, same OS version and same patch level.

On the night of migration, I will move the current network cables from the current 3595 to the new 3795 in the hope of completing this in one clean swoop. I can roll back to the 3595s easily if necessary.

Is there anything I need to be aware of:

  • join to AD domain
  • certificate migration
  • licensing
  • anything else.

Thanks Anthony.

davidgfriedman
Level 1

I thought SNS-3595 was more than upgraded by going to an SNS-3655 or SNS-3755 level device. For a 2-node deployment, I'd think going to a pair of SNS-3795's was overkill. Does anyone from Cisco want to chime in?

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

You will need to re-join to AD. You will need to export/import the certificates. Keep an eye on DNS changes needed as well.

Thanks for this.

I was thinking of this method, it is probably not recommended.

Could you do this?

  1. Build both new ISE 3795 appliances with the same OS and Patch (3.2 Patch 3) in the lab.
  2. Move the Admin and MnT mode to ISE01.
  3. Remove the old secondary ISE appliance (ISE02).
  4. Join the new ISE appliance and let them sync. With this the primary will be 3595 and the secondary will be 3795.
  5. Failover Admin and MnT to the secondary (New-ISE02).
  6. Remove the old primary, join the new ISE and let them sync; now both appliances will be 3795.
  7. Then at the end the following will be running:

ISE01 - Primary Admin, Secondary MnT

ISE02 - Secondary Admin, Primary MnT

Is this lazy way possible?

Thanks

Anthony

Yeah this should work. As long as you are ok with the redundancy concerns.

Hi,

When you say redundancy concerns, are you referring to the time when both ISE appliances are not in sync and the Admin and MnT personas are running on the same node?

Thanks

Anthony.

No, when you only have a single ISE node online at a time. This is a small deployment with only two nodes, correct?

Yes, it is only a two-node deployment.

Can you have a two-node deployment where the two nodes have different physical hardware, e.g. a 3595 and a 3795?

It should be fine for the purposes of the migration. It's nothing you want to leave for very long though, as you will have mismatched scale.

Hi,

I had a typo, the new ISE appliance will be a SNS-3755-K9 not a SNS-3795-K9. Does this impact my plan above?

Nope

Hello, Me again.

I have another upgrade. 

Instead of the approach above, I am thinking of using a DR approach.

These are my steps which should cut down the migration time and have a good rollback option.

Pre-Reqs

  1. Take backups of config and operational DBs.
  2. Take backups of policy set and certificates.
  3. Build new appliances in lab, same IP, same ISE version and patch level.
  4. Restore config and operational DBs.
  5. Check policy set and certificates.
  6. Make sure appliances in lab are identical to live environment.

Migration:

  1. Power down old appliances.
  2. Move network cables.
  3. Power up new appliances.
  4. Make sure deployment is in sync (this is a two-node deployment).
  5. Review live logs, alarms, health check.
  6. Test.
  7. Failover to secondary.
  8. Test.
  9. Failback to primary.
  10. Test.

If there are big issues, power down, move cables back to old appliances and power up.

Can you foresee any issues with this method?

Thanks

Anthony.
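A small pre-flight check for steps 1 and 4 of the pre-reqs above, added here as an example and not code from the original post or from Cisco. It assumes the ISE backup file naming convention `<name>-CFG10-YYMMDD-HHMM.tar.gpg` for configuration backups and `<name>-OPS10-YYMMDD-HHMM.tar.gpg` for operational backups; the repository listing, the `dc1-ise` backup name and the cut-off times are constructed for the example. It picks the newest backup of each kind from a repository listing and flags a stale config backup or an operational backup that is older than the config backup it would be restored alongside, which is the kind of mismatch worth catching in the lab rather than on migration night.

```python
"""Pre-migration check on an ISE backup repository listing (added example)."""
import re
from datetime import datetime, timedelta

# Assumed ISE naming convention: <name>-CFG10-YYMMDD-HHMM.tar.gpg (config)
# and <name>-OPS10-YYMMDD-HHMM.tar.gpg (operational).
BACKUP_RE = re.compile(
    r"^(?P<name>.+)-(?P<kind>CFG|OPS)10-(?P<ts>\d{6}-\d{4})\.tar\.gpg$"
)
TS_FORMAT = "%y%m%d-%H%M"

# Constructed SFTP repository listing (filenames only), not real data.
REPO_LISTING = """\
dc1-ise-CFG10-250301-0200.tar.gpg
dc1-ise-OPS10-250301-0210.tar.gpg
dc1-ise-CFG10-250308-0200.tar.gpg
dc1-ise-OPS10-250308-0215.tar.gpg
dc1-ise-CFG10-250315-0200.tar.gpg
notes.txt
"""


def parse_backup(filename):
    """Return {'name','kind','taken','file'} for an ISE backup file, else None."""
    m = BACKUP_RE.match(filename)
    if not m:
        return None
    return {
        "name": m.group("name"),
        "kind": m.group("kind"),
        "taken": datetime.strptime(m.group("ts"), TS_FORMAT),
        "file": filename,
    }


def latest_backups(listing):
    """Newest config ('CFG') and operational ('OPS') backup in the listing."""
    latest = {"CFG": None, "OPS": None}
    for line in listing.splitlines():
        entry = parse_backup(line.strip())
        if entry is None:
            continue  # not a backup file, e.g. notes.txt
        current = latest[entry["kind"]]
        if current is None or entry["taken"] > current["taken"]:
            latest[entry["kind"]] = entry
    return latest


def preflight(listing, now_ts, max_age_hours=24, require_ops=False):
    """Return (ok, findings) for the newest backup pair as of now_ts (YYMMDD-HHMM).

    The config backup must exist and be younger than max_age_hours. The
    operational backup is optional unless require_ops is set (the reply
    above questions whether it is needed at all), but if present it must
    not be older than the config backup it would be restored with.
    """
    now = datetime.strptime(now_ts, TS_FORMAT)
    findings = []
    latest = latest_backups(listing)
    cfg, ops = latest["CFG"], latest["OPS"]

    if cfg is None:
        findings.append("no configuration backup found")
    else:
        age = now - cfg["taken"]
        if age > timedelta(hours=max_age_hours):
            findings.append(f"config backup {cfg['file']} is {age} old")

    if ops is None:
        if require_ops:
            findings.append("no operational backup found")
    elif cfg is not None and ops["taken"] < cfg["taken"] - timedelta(hours=1):
        findings.append(f"operational backup {ops['file']} predates the config backup")

    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = preflight(REPO_LISTING, "250315-1200")
    print("OK" if ok else "CHECK FAILED")
    for f in findings:
        print(" -", f)
```

Run against the constructed listing, the check fails because the newest operational backup is a week older than the newest config backup; fix the listing (or take both backups in the same window, as step 1 intends) and it passes. Point `REPO_LISTING` at the output of a directory listing of the real repository to use it for an actual migration.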

I wouldn't bother with an operational backup. Those can be quite large, and do you really need that data? How can you spin up nodes in a lab with the same IP? I assume the lab is fully disconnected from production?

Yes, the lab is completely isolated. It is not even on the customer site.

I was just going to restore the operational DB as this doesn't take much time and there is less chance of having any issues.