
Inline ISE Upgrades

d-wade
Level 1

I recently just migrated to ISE 2.4 and now see that 2.6 has been released. Normally that wouldn't be a big deal, but to upgrade to 2.4, it was suggested to build all new VMs from scratch and manually migrate over all my settings, policies, etc. As you can guess, upgrading again would be dreadful.

 

Has anyone heard of any news whether inline software upgrades will be a recommended option for ISE in the future?

 

Thanks!

3 Replies

Mike.Cifelli
VIP Alumni
My two cents on your comments:
The Cisco suggested/recommended release for Cisco ISE is actually 2.4.
From my experience with upgrades, you typically have two options: build new, as you mentioned, or perform some sort of split-brain approach if you have a distributed deployment. IMO each upgrade case is unique, and certain engineers may choose either option or possibly even do something else that maybe I am unaware of. I typically do the split-brain approach.

Note that there are ways to upgrade during business hours that, if done properly, will be seamless to the environment. With that said, you always want to ensure you have proper config backups in case you need to build fresh. Another easy thing you could do to avoid interruption is to extend reauth timers to buy you additional time and decrease auth loads against your ISE cluster should something go wrong.

Something else to keep in mind is that the ISE patch upgrades are cumulative. For example, if you apply an upgrade bundle to get to 2.4.FLAT and want to end on 2.4p8, once on the flat version of 2.4 you only have to apply patch 8 afterwards. I am curious to see what others may share and say. Good luck & HTH!

Thanks for the insight Mike.

 

I guess I'm more or less trying to make the conversation on how and when Cisco will get to seamless inline upgrades on their crucial software components (i.e. ISE). I look at DNA Center as a major inflection point for Cisco in the inline upgrade process. From a network admin perspective, you just click "Update". I know ISE has some more complexities so I don't want to oversimplify it, but I figure since Cisco is becoming a more software-centric company, moving to seamless software upgrades (positive reinforcement for unlocking newer features and upgrading more often) will be included in their future roadmaps.

Damien Miller
VIP Alumni
I prefer inline CLI upgrades when it's a known release and the chance of a rollback is slim. If a node fails you can rebuild it pretty quickly from the ISO.

If the chances of rolling back are high, e.g. a brand-new ISE release with no patches, then parallel nodes are nice to reduce the rollback time.