ISE 1.4 to 2.3 Upgrade Best Practice - 50 nodes

junk1
Cisco Employee

Hi

My enterprise customer has ISE 1.4 running in their network. The PAN and MnT are VMs and PSNs are hardware appliance 3495.

There are 37 PSNs in one cluster, along with 2 PANs and 2 MnTs. There is another cluster with 2 PAN, 2 MnT and 5 PSNs.

For future enhancement, customer had built 2 PAN and 2 MnT running ISE 2.3 which is currently not in production. Due to various reasons, customer is upgrading the ISE 1.4 to 2.3.

Customer is looking for best way to upgrade, considering all possible aspects not limited to but including the below points:

1. If upgraded, will the Profiling database be affected? If yes, then will ISE be able to re-profile or do we need to reboot the headless devices? How to avoid losing the Profiling database?

2. Node-groups are configured currently with ISE 1.4 among local PSNs. How to approach Node-group while upgrading? Do we need to upgrade both nodes in Node-groups together?

3. Currently there are 250,000 Base license in this cluster. Is it possible to split this license into a pair of 125,000?

Current plan with my customer is - Choose a location on a downtime window and upgrade all ISE nodes in that location and point them to the currently available PAN in 2.3 version.

Please share your guidance in proceeding with the right approach of ISE upgrade.

Thanks and Regards

V Vinodh.

Accepted Solution

As I have previously stated I don't use Cisco's GUI or CLI upgrade method.  Manually doing an upgrade is much safer and more predictable.  I would:

  1. Build a fresh 2.1 node and restore the 1.4 backup to it and validate everything came across just fine.
  2. Run the URT tool on the 2.1 node to ensure the 2.3 upgrade won't be an issue.
  3. Once the URT tool runs clean take a fresh backup of the 2.1 system.
  4. Build a fresh 2.3 VM or use one of your existing 2.3 VMs and restore the 2.1 backup.
  5. Validate everything restored cleanly.
  6. Rehost your licenses from the 1.4 environment.  There is no checking on Cisco side when you rehost.  You simply ask to rehost and you can have 250k running in 1.4 and 250k running in 2.3.  I would advocate converting to Smart licensing though.  Cisco licensing can help you with that.
  7. Apply patch 1.
  8. Join to AD.
  9. Test the configuration by pointing test devices at the node.
  10. Once you have your 2.3 anchor point setup, running the full config and the config has been tested, the upgrade is the same for the rest of the deployment:
    1. Rebuild the system to fresh 2.3 image.
    2. Install Patch 1
    3. Install certs
    4. Join system to the 2.3 anchor point and assign correct role
    5. Join to AD

Assuming you are using load balancers you should be able to do this upgrade with minimal to no downtime seen by the clients.  I just did a 20 node upgrade over the course of two days using the method above with no downtime.  We did the whole thing during the day not during any maintenance windows.
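As an added example (not code from the thread or from Cisco), the Python below encodes the upgrade path the thread states (1.4 to 2.1 to 2.3) and splits the per-node rebuild in step 10 into waves for a large PSN estate behind load balancers. The node names and node groups are constructed, and the rule that at most one member of a node group is out of service in any wave is an assumption of this example addressing question 2 above, not something the answer states.

```python
# Added example, not code from the thread or from Cisco: encodes the upgrade
# path the thread states (1.4 -> 2.1 -> 2.3) and splits the per-node rebuild
# (step 10 above) into waves. Assumptions not stated in the thread: the nodes
# below are constructed, PAN/MnT are rebuilt one at a time before PSNs, and at
# most one member of a node group is out of service in any wave.
from dataclasses import dataclass
from typing import List, Optional
UPGRADE_PATH = {"1.4": "2.1", "2.1": "2.3"}  # no direct 1.4 -> 2.3 hop
ROLE_ORDER = {"PAN": 0, "MNT": 1, "PSN": 2}  # rebuild admin/monitoring first

def upgrade_hops(current: str, target: str) -> List[str]:
    """Releases to pass through to reach target; raises if unsupported."""
    hops, version = [], current
    while version != target:
        if version not in UPGRADE_PATH:
            raise ValueError(f"no supported path from {current} to {target}")
        version = UPGRADE_PATH[version]
        hops.append(version)
    return hops

@dataclass(frozen=True)
class Node:
    name: str
    role: str                    # "PAN", "MNT" or "PSN"
    group: Optional[str] = None  # node group, PSNs only

def plan_waves(nodes: List[Node], max_parallel: int = 2) -> List[List[str]]:
    """PAN/MnT get a wave each; PSNs share waves of up to max_parallel nodes,
    never two from one node group, so every group keeps serving clients."""
    waves: List[List[Node]] = []
    for node in sorted(nodes, key=lambda n: ROLE_ORDER[n.role]):  # stable
        for wave in waves:
            if node.role != "PSN" or any(m.role != "PSN" for m in wave):
                continue  # only PSNs share a wave, and only with PSNs
            if len(wave) >= max_parallel:
                continue
            if node.group and any(m.group == node.group for m in wave):
                continue
            wave.append(node)
            break
        else:
            waves.append([node])
    return [[n.name for n in wave] for wave in waves]

# Constructed sample deployment, not the customer's real inventory.
SAMPLE = [Node("pan1", "PAN"), Node("pan2", "PAN"), Node("mnt1", "MNT"),
          Node("mnt2", "MNT"), Node("psn1", "PSN", "siteA"),
          Node("psn2", "PSN", "siteA"), Node("psn3", "PSN", "siteB"),
          Node("psn4", "PSN", "siteB"), Node("psn5", "PSN")]
```

Each wave is then one pass of the five-step rebuild (fresh 2.3 image, patch, certs, join anchor point, join AD); raising max_parallel shortens the schedule only while every node group still keeps a serving member.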


10 Replies

Charlie Moreton
Cisco Employee

This will guide you through the steps required:

Upgrading to Identity Services Engine 2.1 in a Distributed Environment

Just remember that v1.4 can upgrade directly to v2.1 and then can be upgraded to v2.3

ISE Version Upgrade Matrix


Is there any special attention we need to pay to posture assessment and profiling?

Posture and profiling are enhanced in these releases. If you're wondering about what, please look at the release notes.

Also, unless there is a specific feature you're needing in 2.3, we are recommending that you install 2.2 with the latest patch.

The main thing we're looking forward to in the upgrade from 1.4 to 2.2 or 2.3 is the new "posture with no redirect" flow.

You might want to take a look at the lab exercise 2 of [ISE Lab Guide] ISE 2.2 Update.

Hi Paul,

After restoring the config, did you have to reconfigure the IP address/hostname of the 2.3 nodes to match the existing ISE? Or did you reconfigure the NADs and point them to the new PSNs? Thanks.

Assuming that you are not using a load balancer and that you are either testing the first node or your deployment is standalone, then yes, you would need to either change the IP address to match that configured on the NADs or update the NADs to use the new IP address.

In case you have multiple nodes, then the restore is done on the primary ISE node only, and the other nodes can be de-registered from the deployment of the older ISE release, fresh installed with the same hostname and IP address info, and then joined to the new deployment.

Hi Paul,

I have to upgrade our 14 node deployment and everything is all hardware. What will be your suggested approach for this? Thanks in advance.

Create/post a new discussion detailing your hardware and if you intend to replace/reuse hardware or use virtual nodes. We can help you with the path forward.

Include your current version and patch, hardware appliance types, future state plans (reuse or replace hardware), or moving to VM's.
