Cisco ISE upgrade 2.1 to 2.4 patch 5

Ruelb2214
Level 1

Guys,

Need your input on whether our idea is correct.

In our production we have ISE running as primary (ISE1) and secondary (ISE2); we plan to upgrade to 2.4 with these steps.

1. Do the upgrade through the web UI, but under the sequence we will select only ISE2. We plan to upgrade ISE2 to 2.4 first; after a successful upgrade we will disconnect ISE1 from the network, then test ISE2 functionality and make sure everything is working.

BUT will ISE2 auto-promote to Primary after the upgrade, and will ISE1 be acting as Secondary even though it is not upgraded to 2.4, before we disconnect it from the network?

2. After verifying that ISE2 on 2.4 is working, we will proceed to upgrade ISE1 to 2.4 after 2 days and connect it to the network. Any foreseen issues?

Do you have another approach compared to our idea?

Much thanks, guys!

Accepted Solution

Endpoints will remain authorized; if there are reauth timers on the switch that expire, or the endpoint restarts while the original authenticating node is down, then they will reauth against the other.

8 Replies

Damien Miller
VIP Alumni
I can't comment on the process you're proposing as I have never tried it myself. I will however identify a bug that impacts 2.1 GUI upgrades. You need to ensure that both nodes have the exact same patches applied.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz23479/

Are you running on SNS appliances or VMs? The guidance and options will differ slightly.
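The patch-parity check mentioned above (both nodes must carry exactly the same patches before a 2.1 GUI upgrade) is easy to get wrong by eye when a node has had several patches applied over time. The following is an added example, not Cisco's code and not from the thread: it parses the text of `show version` as captured from the ISE CLI on each node and reports any version or patch mismatch. The two sample outputs are constructed to resemble a 2.1 deployment and the exact layout of the `show version` sections is an assumption; adjust the regular expression if your nodes print it differently.

```python
"""
Compare ISE application version and installed patch numbers on two nodes.

Added example (not Cisco code). Input is the text printed by `show version`
on the ISE CLI. The section layout assumed here is:

    Cisco Identity Services Engine
    ---------------------------------------------
    Version      : 2.1.0.474
    ...
    Cisco Identity Services Engine Patch
    ---------------------------------------------
    Version      : 5
"""
import re

# Constructed sample output for the primary (assumed format, not a real capture).
ISE1_SHOW_VERSION = """\
Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.1.104
ADE-OS System Architecture: x86_64

Hostname: ise1

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.1.0.474
Build Date   : Tue Jun 14 13:41:45 2016
Install Date : Wed Aug 10 17:48:39 2016

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 2
Install Date : Thu Nov 17 10:22:53 2016

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 5
Install Date : Mon Mar 12 09:02:11 2018
"""

# Constructed sample output for the secondary: same release, patch 5 missing.
ISE2_SHOW_VERSION = """\
Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.1.104
ADE-OS System Architecture: x86_64

Hostname: ise2

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.1.0.474
Build Date   : Tue Jun 14 13:41:45 2016
Install Date : Wed Aug 10 17:55:02 2016

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 2
Install Date : Thu Nov 17 10:40:18 2016
"""

# Matches an application header (with or without " Patch"), its dashed rule,
# and the Version line that follows it.
SECTION_RE = re.compile(
    r"^Cisco Identity Services Engine(?P<patch> Patch)?\n-+\nVersion\s*:\s*(?P<ver>\S+)",
    re.MULTILINE,
)


def parse_show_version(text):
    """Return (hostname, ise_version, set_of_patch_numbers) from `show version` text."""
    host_match = re.search(r"^Hostname:\s*(\S+)", text, re.MULTILINE)
    hostname = host_match.group(1) if host_match else "unknown"
    version = None
    patches = set()
    for match in SECTION_RE.finditer(text):
        if match.group("patch"):
            patches.add(int(match.group("ver")))
        elif version is None:
            version = match.group("ver")
    if version is None:
        raise ValueError(f"{hostname}: no ISE application version section found")
    return hostname, version, patches


def check_upgrade_pair(primary_text, secondary_text):
    """Return a list of mismatch findings; an empty list means the nodes match."""
    p_host, p_ver, p_patches = parse_show_version(primary_text)
    s_host, s_ver, s_patches = parse_show_version(secondary_text)
    findings = []
    if p_ver != s_ver:
        findings.append(f"version mismatch: {p_host}={p_ver}, {s_host}={s_ver}")
    if p_patches != s_patches:
        only_primary = sorted(p_patches - s_patches)
        only_secondary = sorted(s_patches - p_patches)
        findings.append(
            f"patch mismatch: only on {p_host}: {only_primary}; "
            f"only on {s_host}: {only_secondary}"
        )
    return findings


if __name__ == "__main__":
    for finding in check_upgrade_pair(ISE1_SHOW_VERSION, ISE2_SHOW_VERSION):
        print(finding)
```

Run it against the real `show version` output of both nodes before starting the upgrade; do not proceed while `check_upgrade_pair` returns any finding, since the thread's point is that the nodes must be patched identically, not merely on the same release.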

We are running on SNS appliances.

 

Most of the guides I have searched just proceed with upgrading the secondary and backing up; I have not seen the same approach as ours. 😕


Just to confirm then, are you on 2.4 supported SNS 3515/3595 appliances?

The common practice is to start with upgrading the secondary as you suggested. When you run the upgrade on the secondary, it will become the primary PAN and MnT. At the same time, the old 2.1 primary will remain as is: primary, but running 2.1. These two nodes will not be communicating with one another. How you handle the upgrade of both nodes is certainly optional. For simplicity's sake, upgrading in place as you suggested will be fine.

Make sure you run the Upgrade Readiness Tool on the secondary beforehand and correct any issues it identifies. I would recommend the in-place CLI method only because I know it will work as you need. Specifically, read the section titled "Upgrade a Two-Node Deployment"; it's a three-step procedure.

2.4 CLI upgrade procedure
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_011.html

URT steps
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_01.html#urt

We are now running on 2.4-supported 3595 appliances.

Yes, we will run the upgrade in the CLI.
But what I know is that if you have two nodes running different versions, both acting as Primary, they won't communicate with each other. BUT from the endpoint perspective, where are they going to authenticate, will it be against the 2.1 or the 2.4 version, given both server IPs are configured in the switches?

Both the 2.1 and 2.4 nodes will authenticate endpoints when the services are up. During the upgrade of the secondary, authentication will take place on the 2.1 primary. Once the secondary completes upgrading and the services are running, it will also authenticate.

 

Which node authenticates the endpoints will be determined by the NAD configuration. The RADIUS process will detect if a node is down and then use the alternate server. With this in mind, make sure you watch that the ISE node is still joined to AD after the upgrade, and join it as soon as possible if it requires rejoining.

Good to hear that!

One last thing: given both 2.1 & 2.4 are up and running services, and endpoints authenticate to 2.1, if suddenly 2.1 goes down, will all endpoints need to automatically reauth to 2.4, or won't they unless the device is restarted?

Endpoints will remain authorized; if there are reauth timers on the switch that expire, or the endpoint restarts while the original authenticating node is down, then they will reauth against the other.