topic ISE upgrade in Network Access Control

ISE upgrade

atif.mohamed — Fri, 21 Feb 2020 18:56:51 GMT

Hi Techies,

I am planning to upgrade my huge deployment 24 PSN's + 2 MNT + 2 AN from 2.0.0.306 to probably 2.4 , these are all physical appliances. Last time about year ago when i tried to upgrade to 2.1 i failed miserably with range of issues like Replication error, Oracle SGA value error etc.

Has anyone attempted upgrade of this nature/ please advise me how to go ahead with successfull upgrade , what should be my strategy without affecting my major services like VPN, TACACS etc

Re: ISE upgrade

Arne Bier — Thu, 24 May 2018 01:20:05 GMT

I feel your pain!

I would start by installing the ISE 2.4 URT (Upgrade Readiness Tool) on your Secondary PAN node and then seeing what it thinks. It analyses the state of your deployment and also gives predictions of how much time it will take to perform upgrade per node.

The URT is a good start as a sanity check of the database. Highly recommended, no matter which steps you follow next. You could either

1) Follow the upgrade path ... or

2) Rebuild each server from the .iso

I think the only clean approach is method 2. We do it all the time because of the misery of an upgrade procedure. In the VM world this is quite simple. In your case, it might require some work via the CIMC and vKVM etc - but ultimately it's possible.

Here are the high level steps

1) Make a config backup on your repository

2) Reboot your Secondary PAN using ISE 2.4 .iso - perform a fresh install of ISE 2.4

3) Restore the config backup onto this STANDALONE node

4) Make that node Primary, thus creating the foundation of your new ISE deployment.

5) Reboot your Secondary MnT using ISE 2.4 .iso - perform a fresh install of ISE 2.4

6) Register that MnT to your new PAN

7) Reboot a chosen PSN using ISE 2.4 .iso - perform a fresh install of ISE 2.4

😎 Register that PSN to new 2.4 deployment.

9) Stop and test with a few NAS's to see if that PSN works as expected

10) Continue with rest of PSN's

11) Finally convert the last MnT node, and then if you are REALLY happy to proceed, then rebuild the remaining PAN node. Then all will be freshly built and registered to ISE 2.4 deployment

Keep in mind that patch 1 is not out yet. I suspect that ISE 2.4 is riddled with bugs - but as they say, "it depends" on what you're doing with ISE. Cisco message these days is that ISE 2.2 is the "stable release" - and they are aiming that ISE 2.4 will be the next stable release. They don't justify their comments. You have to read between the lines.

I am on 2.3 so I guess I pulled the short straw...

Re: ISE upgrade

Marvin Rhoads — Thu, 24 May 2018 03:03:38 GMT

Whie there are no "show stopper" bugs identified in ISE 2.4 at this time, customer deployments are limited. I'd wait until 2.4 Patch 1. We should see it released in the next couple of weeks.

Re: ISE upgrade

AlexPi — Thu, 24 May 2018 10:24:00 GMT

I would suggest to go for 2.3 Patch 3, instead of 2.4, for now at least.

Re: ISE upgrade

ajc — Thu, 24 May 2018 16:27:38 GMT

My 2 cents.

I have a 14 appliances deployment (highly recommended to use 3595 as PRIM/SEC PAN-MNT) and I would do exactly what Arne said about reimaging the boxes (like a fresh install) using CIMC/ISO (Daemon Tools Lite is the app that I have been using for the Virtual DVD Disk creation running the mapped ISO file) so there is no issue regarding the upgrade process.

I am not going to provide details BUT I would not go with 2.2 version at all.