Solved: Cisco ISE 2.0 to 2.3 Upgrade

jc84_ · ‎09-13-2018

Hey All,

We currently run Cisco ISE 2.0 in standalone mode and we are looking to upgrade to version 2.3. I've done some reading on the upgrade and it feels straight forward based on the documentation.

However, almost every VAR I've talked to is recommending other scenarios to upgrade that seem to center introducing a temporary secondary node…install a new node, join it to the deployment, physically separate it from the cluster after it syncs, promote it to admin (still isolated) and upgrade it to 2.3. Then switch it to production and move the over nodes over. This scares the hell out of me because we run standalone and I have no experience with dealing with multiple nodes and moving personas.

I was wondering if it would be just as effective to stand up a new VM running 2.0 in an isolated network and restore a backup from the production ISE VM onto it, import the certificates, etc... Then upgrade the new VM from 2.0 to 2.3...still in an isolated network.

Since it has the same hostname and IP address all the configuration/certificates should be valid and I could simply move this new VM into production and isolate the existing. If any problems arise just swap them back and forth?

paul · ‎09-13-2018

In a single node deployment, none of the licensing changes in 2.4 are going to affect you. At some point the base license will stop being permanent, but that is not there now. Save yourself an upgrade in 6 months and go to 2.4. At least that is what I would do.

View solution in original post

paul · ‎09-13-2018

How many network devices you have pointing at ISE? I would guess since you only have one there aren't that many. Why not just build a new 2.3 VM, restore your 2.0 backup to it, get certs setup correctly and then migrate your network devices over to using it? Then if something goes wrong you simply point your network devices back to the 2.0 node? Very low risk.

jc84_ · ‎09-13-2018

Hi Paul - Thanks for the reply.

I thought I remembered reading somewhere that configuration restores needed to be done to ISE instances of the same version - so it wouldn't be possible to restore a 2.0 backup onto 2.3.

paul · ‎09-13-2018

You can restore to any version supported in the upgrade path. So you can restore your 2.0 backup all the way onto a 2.4 VM. I would probably consider going to 2.4 right way especially once patch 4 comes out. 2.4 is the long lived release where 2.3 will die off.

jc84_ · ‎09-13-2018

Thanks Paul for the confirmation. To your point - we can definitely lab this all out with little to no risk.

We were advised against going to 2.4 - I believe it had something to do with a license change w/ going to 2.0 to 2.4. I questioned it as we are just using the Base license for endpoints and the Admin license for TACACS+.

paul · ‎09-13-2018

In a single node deployment, none of the licensing changes in 2.4 are going to affect you. At some point the base license will stop being permanent, but that is not there now. Save yourself an upgrade in 6 months and go to 2.4. At least that is what I would do.

Marvin Rhoads · ‎09-13-2018

I agree with Paul - go with 2.4 and not 2.3.

You will need a VM license but Cisco Licensing will provide that at no cost for your existing deployment. (It will work without one but you will get a popup every time you log into the PAN.)