07-05-2025 02:21 AM
Hi All,
Just wanted to ask of direct upgrade ISE 3.0 to 3.4 is now supported and possible? I've run URT and able to get success but I am not sure if direct upgrade is now fine.
07-05-2025 03:25 AM
No its not straight upgrade you need to follow the upgrade process. depends on what model of appliance or VM you are using ?
also important what kind of deployment, if you have distributed deployment, you can split the upgrade so you have less downtime.
check the upgrade journey :
there is good presentation of Live guide you mastering ISE Upgrade :
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-2889.pdf
Note : Some of the security features are changed, if you using any OLD Wireless device with TPM they may break, so check one of node upgrade and test all working before you move to other nodes is advised here.
07-05-2025 04:06 AM - edited 07-05-2025 04:11 AM
Thank you, only tested upgrading our test ISE from 3.0 to 3.4 though have not tested yet on live environment or clients.
If I only upgrade from 3.0 to 3.3 do I need to test first? Like for Wireless with TPM? Or it is a direct upgrade and I can just run the usual URT and Health checks before upgrade? We are running a small ISE Deployment, 2 nodes acting as Primary and Secondary.
07-05-2025 07:11 AM
You can do inline upgrade from 3.0 to 3.3, then inline from 3.3 to 3.4 ..
Upgrade one of the two node inline from 3.0 to 3.3, then run some tests by removing the other ISE Node (which is still running 3.0) from the list of TACACS and/or RADIUS Servers of your devices like e.g. a couple of switches where you can easily test Dot1X and stuff.
If all is good, then ugrade the second node also to 3.3 ..
Then run tests again, then follow the same procedure for the inline upgrade from 3.3 to 3.4
BR
Jules
07-05-2025 10:24 AM
Personally Upgrade to 3.3 one of the secondary and do the testing point to that, then upgrade other one to 3.3
then start over again with 3.4 same procedure, ISE Upgrade is not easy if you have large client base, so make sure all dependency service ready to test and monitor.
07-05-2025 03:49 AM
Like @balaji.bandi mentioned, no.
You'll have to go to 3.3 first, then to 3.4 ..
Maybe upgrade one admin node and and one PSN, test everything thouroughly before proceeding.
BR
Jules
07-05-2025 04:05 AM - edited 07-05-2025 04:11 AM
Thank you, only tested upgrading our test ISE from 3.0 to 3.4 though have not tested yet on environment or clients.
If I only upgrade from 3.0 to 3.3 do I need to test first? Like for Wireless with TPM? Or it is a direct upgrade and I can just run the usual URT and Health checks before upgrade? We are running a small ISE Deployment, 2 nodes acting as Primary and Secondary.
07-05-2025 04:53 PM
One more question,
I see that after the upgrade need to upgrade the Guest OS, is that required? Or just recommended and can be skipped?
07-06-2025 12:57 AM
You mean underlay OS RHEL, that is need to be upgraded part of upgrade again depends VM / appliance and version of ISE.
07-06-2025 02:08 AM
The underlying OS of ISE, which is a Red Hat Enterprise Linux (RHEL), is automatically upgraded within the upgrade process.
I think this is what you mean:
E.g. if you have ISE running as VM inside a VMWare Setup, vCenter needs you to choose which OS is running on the VM. This setting is called "Guest OS".
And yes, once upgrading to ISE 3.1 or above you will need to change this setting to "RHEL 8", as the installation guide suggests:
From the Guest OS Version drop-down list, choose the supported Red Hat Enterprise Linux (RHEL) version. Cisco ISE Release 3.1 and later use RHEL 8.
Hope that helps.
BR
Jules
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide