Cisco ISE Upgrade from 2.2 P9 to 2.4 p6 (Distributed Deployment )

aslam.bajwa — Tue, 05 Mar 2019 13:37:02 GMT

Hi All ,

i have cisco ISE 2.2 P9 and because of lots of bugs we need to upgrade it .

Deployment Scenario :

Site A

Primary PAN

Primary MnT

Primary PSN

DR Site B (Connected Over WAN)

Secondary PAN

Secondary MnT

Secondary PSN

Note : all nodes are on Different VMs

after reading the cisco DOC , my understanding is to Start Upgrade with :

First Secondary Admin Node

2nd Secondary Monitoring node

3rd Secondary PSN

4th Primary PSN

5th Primary Monitoring

6th Primary Admin Node

***my question is if i am doing GUI - based upgrade , i have to download Ise-Upgradebundle on all nodes or

or only one node ?

*** if admin node is in ver 2.4 and Policy node is in ver 2.2 , there will be communication between them ?

*** is there any change in Licensing ?

Please Advise

Thank you

Re: Cisco ISE Upgrade from 2.2 P9 to 2.4 p6 (Distributed Deployment )

Damien Miller — Tue, 05 Mar 2019 22:38:21 GMT

Your server upgrade order looks good, no issue there. As for your other questions.

The ISE upgrade package has to be downloaded to every node, if using the GUI to upgrade the deployment this is done during the pre upgrade tasks and often times out if there is a slow wan link. For most upgrades we create a repository for disk:/ and manually copy the upgrade bundle to each servers disk:/ before starting.

During the upgrade, the secondary PAN that upgrades from 2.2 to 2.4 first, will then become the primary admin node in the 2.4 deployment. While upgrading you have two separate ISE deployments, one running 2.2 and a new one running 2.4, there is no communication between these two. When the secondary MNT and PSN upgrade, they will register with the 2.4 PAN.

2.2 to 2.4 includes VM license changes. You will have to email Cisco your Cisco sales order number where you originally purchased the RTU ISE vm's. The BU will issue new medium VM licenses for you to install on the 2.4 deployment. You can do this before or after the upgrade with no impact other than a nag message on the dashboard. Read about it here.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/213171-ise-2-4-upgrade-alarms-fewer-vm-license.html
"If you are planning to upgrade to Release 2.4, contact ise-vm-license@cisco.com with sales order numbers that include VM purchase to procure one medium VM license for each VM previously purchased. You should also include your CCOID along with the sales order number."

One additional side note, I tend to prefer upgrading via the CLI because you have control over the process. When you upgrade from the GUI, I find that nodes will start too soon after the previous, and you have no way to pause and test. If you do this manually you will be able to upgrade the PAN/MNT/first PSN, test, then continue or roll back. Also, make sure you have run the URT bundle to rule out any major issues upgrading.

topic Cisco ISE Upgrade from 2.2 P9 to 2.4 p6 (Distributed Deployment ) in Network Access Control

Cisco ISE Upgrade from 2.2 P9 to 2.4 p6 (Distributed Deployment )

Re: Cisco ISE Upgrade from 2.2 P9 to 2.4 p6 (Distributed Deployment )