Thanks for that Herman.
If it's indeed 24 hours then we've nothing to worry about.
Our cluster consists of:
Master Publisher (obviously) - on production VMware service
ClearPass 1, 2 & 4 - C3000 VMs, each on dedicated ESX hardware
ClearPass 5 & 9 - C2000 hardware appliances
1, 2, 5 & 9 are our load-balanced auth servers, 4 is our insight db (with cppm2 the backup one)
All our switches do health checking and can migrate to another server as appropriate
Aruba mobility controllers also do load balancing of auths so we're good to go.
Many years ago, when I 1st moved from a pair of FreeRadius servers to ClearPass, I made the mistake of using the 1st version of the upgrade GUI and enabled upgrading of all the Secondary cluster members. As I sat there and watched each of the servers drop off the network to perform their upgrade without any coming back, I was really glad I still had the FreeRadius servers to do the auth. We couldn't do it now, but then again now I upgrade cluster members 1 at a time :-)
Rgds
Alex
------------------------------
Alex Sharaz
------------------------------
Original Message:
Sent: Nov 25, 2020 11:30 AM
From: Herman Robers
Subject: ClearPass ESX server maintenance question
Consider it as a normal reboot. You can run the ESX upgrade and wait for the reboot, then shut down ClearPass, do the reboot and you probably have an auto-start configured to get it up again.
If I remember correctly you need to rejoin clusters only after 24 hours loss of connectivity, so more than enough to reboot your ClearPass with a hypervisor reboot. Needless to say that restarting different nodes in the cluster at different times is recommended to keep as many servers up at the same time as possible. Also, this is a good opportunity to test your redundancy plan and see if all controllers/switches nicely switch over to their backup ClearPass servers. If you have the time, I would run some tests or analyze the logs to verify that there are no outages.
If you have enabled vMotion, you either need to disable it, or use it to live-move the ClearPass VMs to another hypervisor before it is rebooted for the upgrade.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
Original Message:
Sent: Nov 25, 2020 05:20 AM
From: Alex Sharaz
Subject: ClearPass ESX server maintenance question
We have 3 ClearPass VMs running on their own dedicated ESX servers which now need the underlying VMware code upgrading. The upgrade process will take about 30 mins per host so ......
1). Do we just shut down the ClearPass server, do the upgrade and bring it back?
or
2.1. Remove host from cluster
2.2. Perform upgrade
2.3. Rebind to cluster
What sort of timeout is there before the master publisher says "Damn that cluster member is down I'll remove it from the cluster!"
What is the best option to use?
Rgds
Alex
------------------------------
Alex Sharaz
------------------------------