topic Re: ISE upgrade in Network Security

ISE upgrade

asmlicense — Wed, 23 Nov 2022 11:38:18 GMT

Dears,

For now we are using 2.0 version. As I know we have to do these steps in order to get 2.7 and higher - 2.0-->2.2-->2.7

The question - is there any manipulations with licenses? I mean do we need to convert them to smart, or export and then import.

Maybe someone has detailed instruction or upgrade? We have only CLI access to server and the disk usage is 88%. Is there will be any problems with that?

I found this one:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/upgrade_guide/b_ise_upgrade_guide_22/b_ise_upgrade_guide_22_chapter_010.html

Re: ISE upgrade

Marvin Rhoads — Wed, 23 Nov 2022 12:15:43 GMT

What is your server - a VM or hardware appliance? There are restrictions on version support for older server hardware as well as changes in CPU and memory and disk requirements that affect your upgrade path.

The 2.0 PAK-based licenses are still usable on 2.7 - Smart licenses are only required as of 3.0 or later. However, if you are moving to a new server you would need to have them rehosted which requires TAC support.

Re: ISE upgrade

asmlicense — Wed, 23 Nov 2022 12:29:55 GMT

Hi Marvin,

We are using VM.

As I understand it is easier to up the new server because of different disk and CPU requirements.

Is there any tool to export configurations from 2.0 version (authentication rules, access lists, endpoint devices) and import them to a new 2.7 version?

Re: ISE upgrade

Milos_Jovanovic — Wed, 23 Nov 2022 13:20:59 GMT

Hi @asmlicense,

In theory, yes, it would be easier to build new VMs and to do backup/restore. However, when building new VMs, new PID (like SN) gets generated, and license rehosting is required. Given that you are running ISE v2.0 which is EoL, I'm not sure that ou would be able to do rehosting (might be possible, but can't be sure), and I believe this is what @Marvin Rhoads mentioned.

There was big change in ISE somewhere around v2.3 if I'm not mistaken, where Policy Sets were activated by default (if not activated before), and all configuration was migrated to new model. This usually means that you need to go and tweak policies and configuration, as ISE tends to mess it up, by addind bunch of unneeded configuration.

There is possibility to export certain parts of ISE config (like users or network devices), but not all of it. For this, you could use API, but I can't tell to which extent, as I'm unfamiliar with API in v2.0.

I would proceed with inline upgrade (with bunch of safety nets around it), untill I get to a supported version. You also need to bare in mind that you'll need to increase HW resources once on newer version, so count on that too. Finally, don't forget to ask for Cisco SKU upgrade, so you can actually purchase Cisco services, as I would assume this SKU is EoL, and would not be able to purchase support as of today.

Kind regards,
Milos

Re: ISE upgrade

Marvin Rhoads — Wed, 23 Nov 2022 14:23:26 GMT

If you are starting with ISE 2.0, you would first need to upgrade to ISE 2.4 and then to 2.7. You would backup your ISE 2.0 configuration (easiest from the cli since 2.0 GUI uses Flash which is unsupported on all modern browsers) and restore it onto a new 2.4 VM.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/Upgrade_Journey/b_upgrade_overview_2_4.html#LicensingNew24

Then back the 2.4 ISE and restore onto a 2.7 VM. (Some people also recommend patch 2.4 before doing the backup.)

Once you have restored on to the 2.7 VM, it should be patched to the latest patch (currently Patch 8).

If you have a multi-node deployment, the instructions for the whole process are summarized here:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/upgrade_guide/Upgrade_Journey/HTML/b_upgrade_method_2_7.html#id_119627

You will need to get Cisco TAC (licensing team) to issue your VM licenses. They will ask for your original PAK or Sales Order (SO) number to verify your entitlement.