Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
285
Views
2
Helpful
9
Replies

ISE Upgrade 3.0 to 3.4

mics
Level 1
Level 1

‎07-05-2025 02:21 AM

Hi All,

 

Just wanted to ask of direct upgrade ISE 3.0 to 3.4 is now supported and possible? I've run URT and able to get success but I am not sure if direct upgrade is now fine.

Labels:
0 Helpful
9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

‎07-05-2025 03:25 AM

No its not straight upgrade you need to follow the upgrade process. depends on what model of appliance or VM you are using ?

also important what kind of deployment, if you have distributed deployment, you can split the upgrade so you have less downtime.

 

check the upgrade journey :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/upgrade_guide/Upgrade_Journey/Cisco_ISE_3-4_Upgrade_Journey.html

there is good presentation of Live guide you mastering ISE Upgrade :

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-2889.pdf

Note : Some of the security features are changed, if you using any OLD Wireless device with TPM they may break, so check one of  node upgrade and test all working before you move to other nodes is advised here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

mics
Level 1
Level 1
In response to balaji.bandi

‎07-05-2025 04:06 AM - edited ‎07-05-2025 04:11 AM

Thank you, only tested upgrading our test ISE from 3.0 to 3.4 though have not tested yet on live environment or clients.

If I only upgrade from 3.0 to 3.3 do I need to test first? Like for Wireless with TPM? Or it is a direct upgrade and I can just run the usual URT and Health checks before upgrade? We are running a small ISE Deployment, 2 nodes acting as Primary and Secondary.

0 Helpful

julian.bendix
Level 4
Level 4
In response to mics

‎07-05-2025 07:11 AM

You can do inline upgrade from 3.0 to 3.3, then inline from 3.3 to 3.4 ..

Upgrade one of the two node inline from 3.0 to 3.3, then run some tests by removing the other ISE Node (which is still running 3.0) from the list of TACACS and/or RADIUS Servers of your devices like e.g. a couple of switches where you can easily test Dot1X and stuff.
If all is good, then ugrade the second node also to 3.3 ..

Then run tests again, then follow the same procedure for the inline upgrade from 3.3 to 3.4  

BR
Jules

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to mics

‎07-05-2025 10:24 AM

Personally Upgrade to 3.3 one of the secondary and do the testing point to that, then upgrade other one to 3.3

then start over again with 3.4 same procedure, ISE Upgrade is not easy if you have large client base, so make sure all dependency service ready to test and monitor.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

julian.bendix
Level 4
Level 4

‎07-05-2025 03:49 AM

Like @balaji.bandi mentioned, no.

You'll have to go to 3.3 first, then to 3.4 ..

Maybe upgrade one admin node and and one PSN, test everything thouroughly before proceeding.

BR
Jules

mics
Level 1
Level 1
In response to julian.bendix

‎07-05-2025 04:05 AM - edited ‎07-05-2025 04:11 AM

Thank you, only tested upgrading our test ISE from 3.0 to 3.4 though have not tested yet on environment or clients.

If I only upgrade from 3.0 to 3.3 do I need to test first? Like for Wireless with TPM? Or it is a direct upgrade and I can just run the usual URT and Health checks before upgrade? We are running a small ISE Deployment, 2 nodes acting as Primary and Secondary.

0 Helpful

mics
Level 1
Level 1

‎07-05-2025 04:53 PM

One more question,

I see that after the upgrade need to upgrade the Guest OS, is that required? Or just recommended and can be skipped?

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to mics

‎07-06-2025 12:57 AM

You mean underlay OS RHEL, that is need to be upgraded part of upgrade again depends VM / appliance and version of ISE.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

julian.bendix
Level 4
Level 4
In response to mics

‎07-06-2025 02:08 AM

The underlying OS of ISE, which is a Red Hat Enterprise Linux (RHEL), is automatically upgraded within the upgrade process.

I think this is what you mean:
E.g. if you have ISE running as VM inside a VMWare Setup, vCenter needs you to choose which OS is running on the VM. This setting is called "Guest OS".

And yes, once upgrading to ISE 3.1 or above you will need to change this setting to "RHEL 8", as the installation guide suggests:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_4.html#cpp_n2s_rdb

  1. From the Guest OS Version drop-down list, choose the supported Red Hat Enterprise Linux (RHEL) version. Cisco ISE Release 3.1 and later use RHEL 8.

Hope that helps.

BR
Jules

0 Helpful
Customers Also Viewed These Support Documents