For what it's worth, if you build your VM's using the ISO, then all is fine.  Personally, I would not use OVA's until Cisco start making them compliant with vSphere 6.5 - I am surprised that this is still not fixed.

I have built a few deployments now and a 4 vCPU, 16GB RAM system is considered as small.

labise001/admin# tech mpstat

Linux 3.10.0-693.el7.x86_64 (labise001)     06/13/2018      _x86_64_        (4 CPU)

labise001/admin# show memory

total memory:   16268088 kB

Regarding the bug id, not sure what OVA's have to do in the context of SNS-35xx ?  Why should it matter who the server vendor is when deploying an OVA?

Yes, you have complete control with iso install, but there is always a trade off with simplicity.  With OVAs, Customer should not need to know details of how To set reservations or other custom settings.

As noted, there is a difference between platform detection for sizing services within ISE and the license detect and validation logic.  To determine which platform ISE has matched to the VM, you need to find platform property in ‘she tech support’ or under the ISE reports for counters (Under Diagnostics reports).

The OVAs are all based on the hardware appliances, so that is the relationship to the 3595.  Yes, you can deploy that OVA on any supported hypervisor and server, but OVA allocations still based on 35x5 series.

Licensing is separate logic currently and so anything up to the size of a small ISE hardware appliance will require Small VM license.  However, that 16GB box with 4 CPUs should be seen by ISE as an Eval unit under ISE 2.4 and as a UCS_Small (3415) under versions 2.3 and lower.

Craig

Perfect, thanks for the quick answer Craig, hope this will get addressed quickly.

Highly recommend to attend Craig's Advanced ISE Services, Tips and Tricks [BRKSEC-3697] session that answers some this stuff.

For those who cannot attend, download the preso here - it has loads of useful info on ISE 2.4 as well

https://clnv.s3.amazonaws.com/2018/usa/pdf/BRKSEC-3697.pdf

The part that's unclear from the chyps presentation, is how 'Platform Profile' translates to VM licenses at the end of the day.

The word small/medium/large is bandied about, but I don't see what relevance this has when needing to figure out what license I need.  I suspect I will run into the same bug here, because my ISE 2.3 (64GB RAM, 8 cores, no hyper-threading, VMWare install) is showing up as UCS_LARGE.  I built that node from an ISO.  Is the bug just in the OVA version?   Do I need the Large VM license or the Medium VM license?

I find this ISE VM licensing an utter shambles to be honest.  Wasting time and effort for extra $$ extraction and then not even getting it right in the first place. Customers spend enough money beefing up their hypervisors, and now they have to pay another tax for the privilege of using their expensive hardware.  The old ISE VM license was fine.  The software should cost the same regardless of how you deploy it.

Arne,

Many thanks for the promotion of the Live session!

Regarding the licensing questions, we appreciate the feedback and will certainly make sure product management is made aware to respond accordingly. This week is a bit hectic due to Cisco Live where we dedicate 100% of time to attending customers.

Per the chart, a machine with 64GB RAM and 8  cores without hyperthreading will be detected by ISE as a UCS_Large.  However, that will not translate to a Large VM license even though the original platform name states Large.  For starters, the 34x5 series is no longer supported under ISE 2.4 where this license really starts to be tracked and new rules for sizing apply.  We are also changing the classification for Small / Medium / Large for 35x5 series at same time as the classifications of Small, Large, Super would have created even more confusion in longer term.  There is no plan to introduce a 3595 hardware appliance with 256GB RAM at this time, but to provide only a VM option of what is now termed a "Large" appliance. 

In your example, if hyperthreading is enabled and you allocate the resulting 16 processors that emanate from the physical cores, then ISE should detect as an SNS_3595.  This is important to ensure proper table space and other parameters are set based on available resources.  The defect with OVA is that they are allocating only 8 processors which translates to 4 physical cores when HT enabled.

Regards,

Craig

Hi chyps

I had a feeling this would happen.  Finally got around to sorting out the licensing today after upgrading from ISE 2.3 to 2.4

My ISE 2.4 patch 1 deployment says it requires a Large VM license - we only have Medium licences, which I believe is the correct VM license???  We built all 8 nodes from .iso

I have 8 cores with hyper-threading (show cpu command output lists 16 processors)

I have 64GB of RAM.

The profile is SNS_3595

Which license does one need for this system?

A bit more detail from the on-premise Satellite Server

And finally, from the Smart Licensing Portal

A standard SNS-3595 is the new Medium appliance so you should be covered.   As noted, I made product management aware of issue and expressed my recommendations, but team members responsible for Licensing were extremely busy at Cisco Live this past week.  Hoping they can get this sorted out this week.

Thanks for checking.  I will open a TAC case tomorrow and see what they say.  But please keep us informed on this thread too.

We created our ISE VMWare VM's with 16 CPU's.  ISE sees 16 CORES in the show-tech (and Linux also sees 16 CPU's).

CPU != CORE

Cisco documentation confusing and misleading because of the terminology, and due to the implication of Hyper-Threading being thrown into the discussion, there is a false assertion below that 8 Cores * 2 = 16 VM CPU's.  Intel's Hyper-Threading is not relevant at a Hypervisor hardware abstraction layer.

"CPU != CORE"

Correct.  And that is message which has been delivered in BRKSEC-3699 for past 3+ years!

And whether technically accurate or not, I will refrain from introducing yet another set of terminology to refer to CPUs/processors as these terms are not what the admin will see in ISE/VMware interface.

COMMENT: "...there is a false assertion below that 8 Cores * 2 = 16 VM CPU's.  Intel's Hyper-Threading is not relevant at a Hypervisor hardware abstraction layer."

RESPONSE: If you do not enable HT in BIOS and in hypervisor, then you will be forced to purchase and assign double the physical cores to be properly matched to desired platform, and that is why HT must be enabled.

At the end of the day, all the ISE guest VM sees is what has been assigned to it--whether those be non-hyperthreaded or hyperthreaded cores.

• If have a server with 8 cores and assign all available cores without HT, then ISE VM will see only 8.
• If have a server with 8 cores and assign all available cores with HT, then ISE VM will see 16 processors.
• If logic based on 8 cores, then it is possible for admin to enable HT and assign 8 processors to each.  If proper reservations applied, then this would cause one VM to fail to start.

COMMENT: "In our case we typed 16 CPU into VMWare but underlying that is 8 Intel cores with HT enabled. Thus presenting 16 CPU’s to Linux. Does that mean we need to have a Large ISE license?"

RESPONSE:  As explained previously, NO. This config represents a Medium appliance (assuming you have also allocated 64GB RAM).  If ISE sees 16 processors and 256GB RAM, then it is a Large.

I understand the logic is not perfect and my goal here is to simply explain the current logic.  I also met with the PM team again yesterday and we are in sync that Licensing logic needs to simply follow the logic ISE uses to determine if a VM matches the specs of an SNS-3515 (Small), an SNS-3595-64GB (Medium), or SNS-3595-256GB (Large). This will likely need to be resolved in a patch, but no specific timeline set as we just reached consensus on issue to resolve.

Again, goal here is to clarify logic, not debate its merits and caveats.  If feel additional resolution or change is required, then that will be a business discussion.  Please work with Cisco partner/customer account team to request enhancement to the ISE Product Management team.

Regards,

Craig

Thanks Craig and I agree with your explanation about HT.

I would argue that our 8-HT cores are < 16 non-HT cores and therefore we are not a large VM case.

Bit where does that leave our prod deployment? Do we need to rebuild all servers with 4HT cores?

IF we shut down the VMs as is and reduce VM CPU count to 8, won’t the system still be sized for large when system restarts?

AWaiting TAC response on this but perhaps you also have some insights/advice. A complete rebuild is not fun.

The Licensing issue has been acknowledged and needs to be addressed in patch.

If ISE VM sees 16 processors and 64GB RAM and min 200GB disk, ISE should show the Platform Property as SNS_3595 = Medium VM License.  Until patched, you will get warnings.

If assign 4HT cores and ISE sees 8 processors, then you will be detected as EVAL under ISE 2.4 and require the minimum Small VM licenses.  Under earlier ISE versions, the node will likely be detected as a 3495 if 32GB RAM provisioned.  However, that is technically < 8 cores that 3495 actually has.  This is a caveat in pre-2.4 logic where a mix of appliances with and without HT assumptions.

TAC cannot help other than to be made aware of the issue and file a bug to which cases can be assigned, and the eventual patch be mapped against.

For any previous deployment of 3595 OVA (prior to newly posted versions), it is necessary to shut down VM and allocate the correct number of processors.  The additional processors should be detected on boot and reflected in the 'sh tech' output, or ISE Counters report in Admin UI.