https://community.cisco.com/t5/network-access-control/upgrade-ise-2-3-to-2-4-new-hw/m-p/3956870#M455747 <P>Hi team</P><P>&nbsp;</P><P>I planning the upgrade from ise 2.3 to ise 2.4 in a two nodes deployment to a new HW. Already read the upgrade document and I think this is the procedure.</P><P>&nbsp;</P><P>ise01a = ise 2.3 primary node (3415)</P><P>ise02a = ise 2.3 secondary node&nbsp;(3415)</P><P>ise01b = ise 2.4&nbsp;(3655)</P><P>ise02b = ise 2.4&nbsp;(3655)</P><P>&nbsp;</P><P>1.- Take a configuration and operation backup from ise01a, also the show run from ise01a and ise02a</P><P>2.- Export the certificate from ise01a</P><P>3.- Deregister ise02a from 2.3 deployment.</P><P>4.- Shutdown&nbsp;ise02a</P><P>5.- Power on ise02b (the appliance already have the version 2.4 patch 10 loaded)</P><P>6.- Load the show run from ise02a to ise02b&nbsp;</P><P>7.- Restore the ise02b from configuration/operational backup from ise01a</P><P>8.- Importe the certificate from ise01a</P><P>9.- Assign at ise02b as primary node.</P><P>10.- Shutdown ise01a</P><P>11.-&nbsp;Power on ise01b&nbsp;(the appliance already have the version 2.4 patch 10 loaded)</P><P>10.-&nbsp;Load the show run from ise01a to ise01b&nbsp;</P><P>11.-&nbsp;Restore the ise01b from configuration/operational backup from ise01a</P><P>12 .-&nbsp;Assign at ise02b as secondary node.</P><P>13.- change the ise01b as primary and ise02b as secondary</P><P>&nbsp;</P><P>I'm ok with the procedure?</P><P>&nbsp;</P><P>Regards.</P><P>&nbsp;</P> Mon, 11 Nov 2019 22:12:57 GMT Servicio Tac 2019-11-11T22:12:57Z https://community.cisco.com/t5/network-access-control/upgrade-ise-2-3-to-2-4-new-hw/m-p/3956870#M455747 <P>Hi team</P><P>&nbsp;</P><P>I planning the upgrade from ise 2.3 to ise 2.4 in a two nodes deployment to a new HW. Already read the upgrade document and I think this is the procedure.</P><P>&nbsp;</P><P>ise01a = ise 2.3 primary node (3415)</P><P>ise02a = ise 2.3 secondary node&nbsp;(3415)</P><P>ise01b = ise 2.4&nbsp;(3655)</P><P>ise02b = ise 2.4&nbsp;(3655)</P><P>&nbsp;</P><P>1.- Take a configuration and operation backup from ise01a, also the show run from ise01a and ise02a</P><P>2.- Export the certificate from ise01a</P><P>3.- Deregister ise02a from 2.3 deployment.</P><P>4.- Shutdown&nbsp;ise02a</P><P>5.- Power on ise02b (the appliance already have the version 2.4 patch 10 loaded)</P><P>6.- Load the show run from ise02a to ise02b&nbsp;</P><P>7.- Restore the ise02b from configuration/operational backup from ise01a</P><P>8.- Importe the certificate from ise01a</P><P>9.- Assign at ise02b as primary node.</P><P>10.- Shutdown ise01a</P><P>11.-&nbsp;Power on ise01b&nbsp;(the appliance already have the version 2.4 patch 10 loaded)</P><P>10.-&nbsp;Load the show run from ise01a to ise01b&nbsp;</P><P>11.-&nbsp;Restore the ise01b from configuration/operational backup from ise01a</P><P>12 .-&nbsp;Assign at ise02b as secondary node.</P><P>13.- change the ise01b as primary and ise02b as secondary</P><P>&nbsp;</P><P>I'm ok with the procedure?</P><P>&nbsp;</P><P>Regards.</P><P>&nbsp;</P> Mon, 11 Nov 2019 22:12:57 GMT https://community.cisco.com/t5/network-access-control/upgrade-ise-2-3-to-2-4-new-hw/m-p/3956870#M455747 Servicio Tac 2019-11-11T22:12:57Z https://community.cisco.com/t5/network-access-control/upgrade-ise-2-3-to-2-4-new-hw/m-p/3956906#M455749 <P>I think you may face an issue with</P> <P>7.- Restore the ise02b from configuration/operational backup from ise01a</P> <P>8.- Importe the certificate from ise01a</P> <P>&nbsp;</P> <P>When you restore the config backup onto ise02b, then the node should also get the certificate that you had on ise02a, and not ise01a - the FQDN on ise02b must match the Subject Common name of the Admin cert (or ... unless you have a wildcard cert or Multi-Domain Cert, then ignore what I have said - but check you Admin cert to ensure it will match the node's FQDN)</P> <P>&nbsp;</P> <P>Step 11 is not correct</P> <P>11.-&nbsp;Restore the ise01b from configuration/operational backup from ise01a</P> <P>You don't restore the config - you need to register the secondary node to the primary. Once done, the Secondary sync's up with the Primary.</P> <P>&nbsp;</P> <P>This step happens during the registration phase.</P> <P>12 .-&nbsp;Assign at ise02b as secondary node.</P> <P>&nbsp;</P> <P>So I would say steps 11 and 12 would look like this</P> <P>11. Install Cert Chain (Trusted Certs) for the Admin cert you're going to use. Then import the Admin cert from ise01a</P> <P>12. From ise02b Register the new node ise02a and assign it the Secondary roles (Admin/MnT) and all the other stuff like Policy etc.</P> <P>&nbsp;</P> <P>This is a very condensed version. There are many moving parts but you're on the right track.</P> <P>&nbsp;</P> <P>I normally don't migrate certs from old system to new system. I would create a CSR on each node and have new certs created.&nbsp;</P> Tue, 12 Nov 2019 00:32:01 GMT https://community.cisco.com/t5/network-access-control/upgrade-ise-2-3-to-2-4-new-hw/m-p/3956906#M455749 Arne Bier 2019-11-12T00:32:01Z https://community.cisco.com/t5/network-access-control/upgrade-ise-2-3-to-2-4-new-hw/m-p/3957279#M455751 <P>Thanks for your anwser</P><P>&nbsp;</P><P>The idea it's have the lowest impact to the end user, that why we want export the certificates to the 2.3 to 2.4</P><P>&nbsp;</P><P>Your are right with the Certificate and FQDN... May be an option start with the procedure with the node ise01a to ise01b</P><P>&nbsp;</P><P>Regards.</P> Tue, 12 Nov 2019 14:23:43 GMT https://community.cisco.com/t5/network-access-control/upgrade-ise-2-3-to-2-4-new-hw/m-p/3957279#M455751 Servicio Tac 2019-11-12T14:23:43Z