cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
285
Views
2
Helpful
9
Replies

ISE Upgrade 3.0 to 3.4

mics
Level 1
Level 1

Hi All,

 

Just wanted to ask of direct upgrade ISE 3.0 to 3.4 is now supported and possible? I've run URT and able to get success but I am not sure if direct upgrade is now fine.

9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

No its not straight upgrade you need to follow the upgrade process. depends on what model of appliance or VM you are using ?

also important what kind of deployment, if you have distributed deployment, you can split the upgrade so you have less downtime.

 

check the upgrade journey :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/upgrade_guide/Upgrade_Journey/Cisco_ISE_3-4_Upgrade_Journey.html

there is good presentation of Live guide you mastering ISE Upgrade :

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-2889.pdf

Note : Some of the security features are changed, if you using any OLD Wireless device with TPM they may break, so check one of  node upgrade and test all working before you move to other nodes is advised here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you, only tested upgrading our test ISE from 3.0 to 3.4 though have not tested yet on live environment or clients.

If I only upgrade from 3.0 to 3.3 do I need to test first? Like for Wireless with TPM? Or it is a direct upgrade and I can just run the usual URT and Health checks before upgrade? We are running a small ISE Deployment, 2 nodes acting as Primary and Secondary.

You can do inline upgrade from 3.0 to 3.3, then inline from 3.3 to 3.4 ..

Upgrade one of the two node inline from 3.0 to 3.3, then run some tests by removing the other ISE Node (which is still running 3.0) from the list of TACACS and/or RADIUS Servers of your devices like e.g. a couple of switches where you can easily test Dot1X and stuff.
If all is good, then ugrade the second node also to 3.3 ..

Then run tests again, then follow the same procedure for the inline upgrade from 3.3 to 3.4  

BR
Jules

Personally Upgrade to 3.3 one of the secondary and do the testing point to that, then upgrade other one to 3.3

then start over again with 3.4 same procedure, ISE Upgrade is not easy if you have large client base, so make sure all dependency service ready to test and monitor.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

julian.bendix
Level 4
Level 4

Like @balaji.bandi mentioned, no.

You'll have to go to 3.3 first, then to 3.4 ..

Maybe upgrade one admin node and and one PSN, test everything thouroughly before proceeding.

BR
Jules

Thank you, only tested upgrading our test ISE from 3.0 to 3.4 though have not tested yet on environment or clients.

If I only upgrade from 3.0 to 3.3 do I need to test first? Like for Wireless with TPM? Or it is a direct upgrade and I can just run the usual URT and Health checks before upgrade? We are running a small ISE Deployment, 2 nodes acting as Primary and Secondary.

mics
Level 1
Level 1

One more question,

I see that after the upgrade need to upgrade the Guest OS, is that required? Or just recommended and can be skipped?

You mean underlay OS RHEL, that is need to be upgraded part of upgrade again depends VM / appliance and version of ISE.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The underlying OS of ISE, which is a Red Hat Enterprise Linux (RHEL), is automatically upgraded within the upgrade process.

I think this is what you mean:
E.g. if you have ISE running as VM inside a VMWare Setup, vCenter needs you to choose which OS is running on the VM. This setting is called "Guest OS".

And yes, once upgrading to ISE 3.1 or above you will need to change this setting to "RHEL 8", as the installation guide suggests:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/install_guide/b_ise_installationGuide34/b_ise_InstallationGuide_chapter_4.html#cpp_n2s_rdb

  1. From the Guest OS Version drop-down list, choose the supported Red Hat Enterprise Linux (RHEL) version. Cisco ISE Release 3.1 and later use RHEL 8.

Hope that helps.

BR
Jules