This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
We currently run Cisco ISE 2.0 in standalone mode and we are looking to upgrade to version 2.3. I've done some reading on the upgrade and it feels straight forward based on the documentation.
However, almost every VAR I've talked to is recommending other scenarios to upgrade that seem to center introducing a temporary secondary node…install a new node, join it to the deployment, physically separate it from the cluster after it syncs, promote it to admin (still isolated) and upgrade it to 2.3. Then switch it to production and move the over nodes over. This scares the hell out of me because we run standalone and I have no experience with dealing with multiple nodes and moving personas.
I was wondering if it would be just as effective to stand up a new VM running 2.0 in an isolated network and restore a backup from the production ISE VM onto it, import the certificates, etc... Then upgrade the new VM from 2.0 to 2.3...still in an isolated network.
Since it has the same hostname and IP address all the configuration/certificates should be valid and I could simply move this new VM into production and isolate the existing. If any problems arise just swap them back and forth?
Solved! Go to Solution.
How many network devices you have pointing at ISE? I would guess since you only have one there aren't that many. Why not just build a new 2.3 VM, restore your 2.0 backup to it, get certs setup correctly and then migrate your network devices over to using it? Then if something goes wrong you simply point your network devices back to the 2.0 node? Very low risk.
Hi Paul - Thanks for the reply.
I thought I remembered reading somewhere that configuration restores needed to be done to ISE instances of the same version - so it wouldn't be possible to restore a 2.0 backup onto 2.3.
Thanks Paul for the confirmation. To your point - we can definitely lab this all out with little to no risk.
We were advised against going to 2.4 - I believe it had something to do with a license change w/ going to 2.0 to 2.4. I questioned it as we are just using the Base license for endpoints and the Admin license for TACACS+.
I agree with Paul - go with 2.4 and not 2.3.
You will need a VM license but Cisco Licensing will provide that at no cost for your existing deployment. (It will work without one but you will get a popup every time you log into the PAN.)