Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

which is the easy way to upgrade a 6.10 cluster to 6.11

  • 1.  which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Jan 23, 2024 05:12 PM

    Hello, I was wondering what the steps would be to do this.

    I was thinking of something like this, but I still have some doubts; I have never done this.

    Here is the list of things.

    Feel free to tell me if it's the wrong way to do it or if there is a better way.

    1-We have to take a backup only from the publisher
    2-We have to take a backup of the certificates
    3-We have to take a backup of the licenses

    4-Create 2 VMs with ClearPass Policy Manager 6.11 and assign them the same IP address that the 6.10 ClearPass has (we know we have to turn off the 6.10 ClearPass at this point)
    5-Do the basic config (for the ClearPass name we need to assign them a different name, right? Because if I assign them the same name, we will have an issue with the AD? Or what should we do here?)
    6-Join them to the domain
    7-Load the certificates onto them
    8-Load the licenses onto them (will I be able to activate the license even if I already activated the license on the old server?)
    9-Build a cluster (and be sure that even if the publisher reloads the subscriber won't take over, as I'm not sure whether the publisher reboots when you upload the backup)
    10-Upload the backup to the publisher (I believe here it will just send all the config it has to the subscriber)

    Any help is appreciated.

    Thanks



  • 2.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Jan 24, 2024 04:55 AM

    Hi,

    I will add some sub-points from my 2 previous migrations:

    3.1 Take note of the static routes you added manually in the CLI (they disappear when you touch the IP of CPPM)

    3.2 Take note of the "server service" parameters you changed on each server of your cluster: they are not backed up

    3.3 I'm not sure, but take note of the enabled certificates in the trust list.

    4.1 Restore static routes and server parameters (and maybe the trust list certificates you will use)

    5.1 You can use the same name if you can delete CPPM's computer account in AD before joining the new one

    8.1 Licenses are in the backup, but the platform needs to be added when you connect to the GUI the first time

    8.2 If you keep the same IP, licenses are activated without issue, but if you changed them you need to open a support case

    I would upload the backup to the publisher at step 7 (to get the license in it) and then add the subscriber

    If it can help.

    Regards,



    ------------------------------
    StephaneLALARDIE
    ------------------------------



  • 3.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Jan 25, 2024 09:48 AM

    So you don't create a cluster in parallel?

    I was thinking of doing that because I read about it.


    What I don't understand is the backup part, because if you back up the publisher as it is, it will back up the fact that it has a subscriber.

    If I join the subscriber later, then it means that the subscriber the publisher thinks it has is not the subscriber, and I have to put it together again.

    Before reading the Aruba article, I thought of just breaking up the cluster, leaving the 6.10 publisher alone, backing it up, and then restoring it in 6.11, joining a new subscriber with no config, and building my cluster again, and that's it. Is this what you did? Or what steps did you follow for your successful upgrade?

    Thanks




  • 4.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11
    Best Answer

    Posted Jan 25, 2024 12:29 PM

    From my experience, restoring a cluster backup on a standalone publisher does not show any issues.

    It is as if the backup only contains license, config and database... and no information about the subscriber except the VIP address.

    After restoring the backup and all services on the publisher, I do a "make subscriber" on my second CPPM.

    It synchronises config and database as usual.

    My goal is to have a standalone publisher quickly functional and back in production, and then, when people can work, install a subscriber.

    My perspective is that of a subscriber as a standby publisher.

    If your subscriber is on another site or if you have a lot of subscribers, maybe you should prepare a cluster...

    Regards,



    ------------------------------
    StephaneLALARDIE
    ------------------------------



  • 5.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Jan 26, 2024 11:07 AM

    Hello,

    I just went through this scenario of migrating to 6.11 while also moving from physical hardware to virtual. The process went smoothly until I went to add the subscriber back, and it refused with errors. The thing I didn't see in the instructions is that BEFORE YOU MAKE YOUR BACKUP you have to go to Administration > Server Manager > Server Config and then click Cluster-Wide Parameters; select the "StandBy Publisher" tab and change "Enable Publisher Failover" to FALSE. This should not impact production. After that you can take the backup and the cluster will be able to reassemble successfully post upgrade.

    Instructions I followed:
    https://www.arubanetworks.com/techdocs/ClearPass/6.11/Installation-Guide/Content/UpgradeUpdate/Up-Installation-6-11-x.htm




  • 6.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Jan 28, 2024 11:59 PM

    Hello everyone

    Thanks for all your feedback.

    It was really useful to me.

    It seems the upgrade went well; for now we are monitoring, but everything seems to be working fine.

    Thanks again!

    Thanks for the tip, cochranes. I had that enabled, and I disabled it as you said and didn't have any issue; I turned it back on after the upgrade.

    Does Aruba have a recommended failover time for that entry?

    Does anyone know?




  • 7.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Jan 29, 2024 11:44 AM

    Glad everything seems to have gone well so far! 

    We have the "Failover Wait Time" currently set to 30 minutes, although that adjustment from the default 10 mins was made before I took charge of ClearPass, so I unfortunately cannot explain why. I assume the hardware we are migrating from took longer than 10 mins to reboot, so we wanted to prevent unwanted failover. Here is what I found on it below:


    "Specify the time (in minutes) that the Standby Publisher server must wait before it assumes the role of Publisher after the primary Publisher server becomes unreachable. The default failover wait time is 10 minutes.

    This parameter prevents the Standby Publisher server from taking over when the Publisher is temporarily unavailable during a restart.

    NOTE: Failover wait times vary based on the size of the data needing to synchronize, as well as the number of Subscribers that need to be checked. The failover wait time will never be less than 10 minutes and, depending on circumstances, can take longer."

    About the Fail-Over Process

    The Standby Publisher health-checks the primary Publisher server every 60 seconds by making an SQL call to the active Publisher. If this SQL call fails, after ten additional attempts (one per minute), the Standby Publisher begins the process of promoting itself to be the active Publisher server.

    The process used to verify the reachability of the remote Policy Manager servers uses an outbound HTTPS call. As noted in Network Ports That Must Be Enabled, port 443/TCP must be open between all the servers in the cluster. Utilizing this HTTPS health check provides for a more robust and predictable failover process.

    When a Publisher failure is detected, the designated Subscriber server is promoted to active Publisher status. The other Subscriber servers automatically update and replicate their configuration with the new Publisher, which resolves the issue.

    https://www.arubanetworks.com/techdocs/ClearPass/6.11/PolicyManager/Content/Deploy/Cluster%20Deployment/Standby_publisher.htm?Highlight=Failover%20Wait%20Time#Process 

    I would be interested to hear anyone's informed perspective on this as well.




  • 8.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Mar 14, 2024 01:33 PM

    Hello Cochranes, I have a question for you!

    If we configure the standby publisher, let's say after 10 mins the subscriber doesn't see the publisher, because, I do not know, there is a problem with the communication between ClearPass servers or something happened to the VM. Let's say the subscriber takes the role of publisher. What happens when the original publisher gets back and both are publishers? That would not create a conflict, or what would happen here?




  • 9.  RE: which is the easy way to upgrade a 6.10 cluster to 6.11

    Posted Mar 14, 2024 03:12 PM

    Hello Cdelarosa,

    My understanding and previous experience suggest that the failed publisher should come back and join the cluster but will not take over without manual intervention.
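
The failover timing quoted in post 7 (one health check per minute, promotion after ten additional failed attempts, wait never below 10 minutes), modelled as an added example that is not part of any post and is not ClearPass code. It shows which "Failover Wait Time" values ride out a publisher reboot of a given length. Assumptions: a successful check resets the count, and all function names and timelines are constructed for illustration.

```python
from typing import List, Optional

MIN_WAIT_MIN = 10  # documented floor: the wait is never less than 10 minutes


def promotion_minute(checks: List[bool], failover_wait_min: int = 10) -> Optional[int]:
    """Return the minute at which the standby starts promoting itself, or None.

    checks[i] is the result of the once-per-minute health check at minute i
    (True = publisher answered). Assumption of this model: any successful
    check resets the count of failed attempts.
    """
    wait = max(failover_wait_min, MIN_WAIT_MIN)
    first_failure = None
    for minute, ok in enumerate(checks):
        if ok:
            first_failure = None
        elif first_failure is None:
            first_failure = minute          # initial failed check
        elif minute - first_failure >= wait:
            return minute                   # 'wait' additional attempts failed
    return None


def outage(up_before: int, down: int, up_after: int) -> List[bool]:
    """Constructed sample timeline: publisher up, unreachable, then up again."""
    return [True] * up_before + [False] * down + [True] * up_after


def safe_waits(reboot_minutes: int, candidates: List[int]) -> List[int]:
    """Candidate wait times that ride out a reboot of the given length."""
    timeline = outage(5, reboot_minutes, 5)
    return [w for w in candidates if promotion_minute(timeline, w) is None]


if __name__ == "__main__":
    for reboot in (8, 12, 25):
        print(reboot, "min reboot -> waits without failover:",
              safe_waits(reboot, [10, 15, 30]))
```

Measure how long the publisher is actually unreachable during a reboot or restore, then pick a wait time from the values this model reports as safe.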