Security

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hello Cdelarosa,

My understanding and previsous experience suggests that the failed publisher should come back and jointhe cluster but will not take over without manual intervention.

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hello guys i forgot to ask something regarding this

when I have my clearpass in HA In 6.9 or 6.10 and I would back up for 6.11.

I don't need to drop the subscriber right? 

it is ok if i just click on the publisher and then hit the backup button there.

What I don't want is that went I restore it to see the offline subscriber or something like that.  When I did this last time I was not sure so just dropped the subscriber and then backed it up but I don't think that's necessary 

Can anyone confirm this? I do not have a lab to try it out right now 

Thanks

Hello Cdelarosa,

My understanding and previsous experience suggests that the failed publisher should come back and jointhe cluster but will not take over without manual intervention.

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hello guys i forgot to ask something regarding this

when I have my clearpass in HA In 6.9 or 6.10 and I would back up for 6.11.

I don't need to drop the subscriber right? 

it is ok if i just click on the publisher and then hit the backup button there.

What I don't want is that went I restore it to see the offline subscriber or something like that.  When I did this last time I was not sure so just dropped the subscriber and then backed it up but I don't think that's necessary 

Can anyone confirm this? I do not have a lab to try it out right now 

Thanks

Original Message:
Sent: Mar 14, 2024 03:11 PM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello Cdelarosa,

My understanding and previsous experience suggests that the failed publisher should come back and jointhe cluster but will not take over without manual intervention.

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Hi

You don't need to drop the subscriber first. There is an option during restore to restore cluster nodes. This option is a bit unclear to me, but I have not selected this and have never seen names of the subscribers after the restore.

Regarding Failover Publisher I have seen a cluster crash due to this setting configured where the Publisher was disconnected from the network after a failed switch firmware update. When the failover was in progres the switch came back online and the Publisher was available again. This situation lead to the cluster to replication to stop., all subscribers had to be dropped and made subscribers again. This was on 6.6 or older version. But I always skip the Failover Publisher. Only case I can see a benefit to configure this is in very high intense guest deployments. Othervise manual failover of the publisher will work.

Hello guys i forgot to ask something regarding this

when I have my clearpass in HA In 6.9 or 6.10 and I would back up for 6.11.

I don't need to drop the subscriber right? 

it is ok if i just click on the publisher and then hit the backup button there.

What I don't want is that went I restore it to see the offline subscriber or something like that.  When I did this last time I was not sure so just dropped the subscriber and then backed it up but I don't think that's necessary 

Can anyone confirm this? I do not have a lab to try it out right now 

Thanks

Original Message:
Sent: Mar 14, 2024 03:11 PM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello Cdelarosa,

My understanding and previsous experience suggests that the failed publisher should come back and jointhe cluster but will not take over without manual intervention.

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Thanks

And what about the cluster ip address config, its not saved in the config if I just back up the publisher?

I read that it does not backup network information, but I want to know if inside the backup it has the virtual IP addresses. 

Hi

You don't need to drop the subscriber first. There is an option during restore to restore cluster nodes. This option is a bit unclear to me, but I have not selected this and have never seen names of the subscribers after the restore.

Regarding Failover Publisher I have seen a cluster crash due to this setting configured where the Publisher was disconnected from the network after a failed switch firmware update. When the failover was in progres the switch came back online and the Publisher was available again. This situation lead to the cluster to replication to stop., all subscribers had to be dropped and made subscribers again. This was on 6.6 or older version. But I always skip the Failover Publisher. Only case I can see a benefit to configure this is in very high intense guest deployments. Othervise manual failover of the publisher will work.

Hello guys i forgot to ask something regarding this

when I have my clearpass in HA In 6.9 or 6.10 and I would back up for 6.11.

I don't need to drop the subscriber right? 

it is ok if i just click on the publisher and then hit the backup button there.

What I don't want is that went I restore it to see the offline subscriber or something like that.  When I did this last time I was not sure so just dropped the subscriber and then backed it up but I don't think that's necessary 

Can anyone confirm this? I do not have a lab to try it out right now 

Thanks

Original Message:
Sent: Mar 14, 2024 03:11 PM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello Cdelarosa,

My understanding and previsous experience suggests that the failed publisher should come back and jointhe cluster but will not take over without manual intervention.

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

I did a really fast lab and it seems that it restore the Virtual IPs but It does not have it assign it to any CPPM so I guess i would just need to assign the CPPMs to the Virtual IPs 

I guess if you do this, this way it will be fine and i don't need to destroy the Virtual Ips to then backup, to then create them in the new clearpass right? 

Thanks

And what about the cluster ip address config, its not saved in the config if I just back up the publisher?

I read that it does not backup network information, but I want to know if inside the backup it has the virtual IP addresses. 

Hi

You don't need to drop the subscriber first. There is an option during restore to restore cluster nodes. This option is a bit unclear to me, but I have not selected this and have never seen names of the subscribers after the restore.

Regarding Failover Publisher I have seen a cluster crash due to this setting configured where the Publisher was disconnected from the network after a failed switch firmware update. When the failover was in progres the switch came back online and the Publisher was available again. This situation lead to the cluster to replication to stop., all subscribers had to be dropped and made subscribers again. This was on 6.6 or older version. But I always skip the Failover Publisher. Only case I can see a benefit to configure this is in very high intense guest deployments. Othervise manual failover of the publisher will work.

Hello guys i forgot to ask something regarding this

when I have my clearpass in HA In 6.9 or 6.10 and I would back up for 6.11.

I don't need to drop the subscriber right? 

it is ok if i just click on the publisher and then hit the backup button there.

What I don't want is that went I restore it to see the offline subscriber or something like that.  When I did this last time I was not sure so just dropped the subscriber and then backed it up but I don't think that's necessary 

Can anyone confirm this? I do not have a lab to try it out right now 

Thanks

Original Message:
Sent: Mar 14, 2024 03:11 PM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello Cdelarosa,

My understanding and previsous experience suggests that the failed publisher should come back and jointhe cluster but will not take over without manual intervention.

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks

Im not sure if this test is valid because i did this test backing it up in a 6.11 server and restoring it on another 6.11 server, and the real test is going from 6.9.13 to 6.11

I did a really fast lab and it seems that it restore the Virtual IPs but It does not have it assign it to any CPPM so I guess i would just need to assign the CPPMs to the Virtual IPs 

I guess if you do this, this way it will be fine and i don't need to destroy the Virtual Ips to then backup, to then create them in the new clearpass right? 

Thanks

And what about the cluster ip address config, its not saved in the config if I just back up the publisher?

I read that it does not backup network information, but I want to know if inside the backup it has the virtual IP addresses. 

Hi

You don't need to drop the subscriber first. There is an option during restore to restore cluster nodes. This option is a bit unclear to me, but I have not selected this and have never seen names of the subscribers after the restore.

Regarding Failover Publisher I have seen a cluster crash due to this setting configured where the Publisher was disconnected from the network after a failed switch firmware update. When the failover was in progres the switch came back online and the Publisher was available again. This situation lead to the cluster to replication to stop., all subscribers had to be dropped and made subscribers again. This was on 6.6 or older version. But I always skip the Failover Publisher. Only case I can see a benefit to configure this is in very high intense guest deployments. Othervise manual failover of the publisher will work.

Hello guys i forgot to ask something regarding this

when I have my clearpass in HA In 6.9 or 6.10 and I would back up for 6.11.

I don't need to drop the subscriber right? 

it is ok if i just click on the publisher and then hit the backup button there.

What I don't want is that went I restore it to see the offline subscriber or something like that.  When I did this last time I was not sure so just dropped the subscriber and then backed it up but I don't think that's necessary 

Can anyone confirm this? I do not have a lab to try it out right now 

Thanks

Original Message:
Sent: Mar 14, 2024 03:11 PM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello Cdelarosa,

My understanding and previsous experience suggests that the failed publisher should come back and jointhe cluster but will not take over without manual intervention.

Hello Cochranes I have a question for you!

If we configure the stand-by publisher let's say after 10 mins the subscriber doesn't see the publisher because I do not know if there is a problem with the communication between clearpasses or if something happened to the VM.  Let's say the subscriber takes the role of publisher.  What happens when the original publisher gets back? and both are publishers???  that would not create a conflict. or what would happen here?

Glad everything seems to have gone well so far! 

We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins, was made before I took charge of ClearPass so i unfortunately cannot explain why. I assume the hardware we are migrating from took longer then 10 mins to reboot  so we wanted to prevent unwanted failover. Here is what I found on it below:

I would be intersted to hear anyones informed perspective on this as well.

Original Message:
Sent: Jan 28, 2024 11:59 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello everyone

Thanks for all your feedback 

It was really useful to me 

It seems the upgrade went good, for now we are on monitoring but everything seems to be working fine

Thanks again!

Thanks for the tip cochranes i had that enable and i disabled as you said and didnt have any issue,i turned it back after the upgrade

Does aruba have  recommended fail over time for that entry ?

Does anyone know? 

Original Message:
Sent: Jan 26, 2024 11:06 AM
From: cochranes
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello,

I just went through this scenario of migrating to 6.11 while also moving from phyisical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didnt see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to got to Administration>ServerMAnager>ServerConfig-and then click Cluster-Wide Parameters; select "StandBy Publisher" Tab, change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

Instructions I followed:
https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm

Original Message:
Sent: Jan 25, 2024 09:47 AM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

So you dont create a cluster in parallel? 

i was thinking on doing thtat because i read about it 

Wbat i dont understant is the backing up part because if you back up the publisher as it is, it will backup that he has a subcriber 

if i join the subcriber later then it means that the subcriber that the publisher thinks that he has its not the subcriber and i have to  put it toguether again

I though before of reading the article of aruba just breaking of the bluster and putting the 6.10 publisher alone back it up, and then  in the 6.11 restore it and join a new subcriber with no config and build my cluster again and thats it.  This is what you did? or whats stepts you fallow for your successfull  upgrade?

Thanks

Original Message:
Sent: Jan 24, 2024 04:54 AM
From: St�phane LALARDIE
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hi,

I will add some sub points from my  2 previous migrations:

3.1 take notes of the static routes you had manually add in CLI (they disapears when you touch the ip of CPPM)

3.2 Take notes of "server service" parametrers you change in each server of your cluster: they are not backuped

3.3 I'm not sure but take note of enabled certificates in trust list.

4.1 restore static routes and server parameters (and maybe trust list certificate you will use)

5.1 you can use same name if you can delete cppm's computer account in AD before joining the new one

8.1 license are in backup but plateform need to be add when you connect to GUI the first time 

8.2 if you keep the same IP, licence are activated without issue, but if you changed them you need to open a support case

i would upload the backup in publisher on step 7 (get the license in it) and then add sunscriber

If it can help.

Regards,

------------------------------
StephaneLALARDIE

Original Message:
Sent: Jan 23, 2024 05:12 PM
From: cdelarosa
Subject: which is the easy way to upgrade a 6.10 cluster to 6.11

Hello i was wondering what would be the stepds to do this 

I was thinking in something like this but still have some  doubts i have never done this

Here is the list of things

Feel free to tell me if its the wrong way to do it or if there is a better way 

1-We have to take a backup only from the publisher
2-We have to take a backup of the certificates
3-We have to take a backup of the licenses

4-Create 2 VMs with clearpass policy manager 6.11 and assign them with the same ip address that the 6.10 clearpass has( we konw we have to turn off the 6.10 clearpass at this point)
5-do the basic config( for the clearpass name we need to assign them a differene name right? because if i assign them the same name, we will have an issue with the AD??? or what we shoul do here?
6-join them in the domain
7-load them the certificates
8-load them the licenses( i will be able the activate the license even if i already activate the license in the old serer????)
9-build a cluster( and be sure that the even if the publisher reload the subcriber wont take over, as im not sure if when you upload the backup it  reboots the publisher)
10-upload the backup to the publisher( i bealive here it will just send all the config it has to the subcriber

Any helps is appreciated

Thanks