
Cisco ISE 2.3 - Upgrade to 2.7

Jay233
Level 1

Hi All,

What's the best and simplest way to upgrade from 2.3 to 2.7? (Think 2.3 is out of TAC support.)

Current deployment - Fully Distributed all appliances PAN/sPAN (3595) - pMON/sMON (3515) - 8x PSN (3515)

What's the switch IOS version compatibility requirement? Do I really need to upgrade all my switch base?

Will this need a stepped upgrade approach?

Is there a solution to parallel the upgrade? 

Does the hardware need an upgrade (Appliance or Virtual)?

 

Appreciate any help

 

 

 


Accepted Solutions

Hi @Jay233 

 yes, that's correct, deregister to a Standalone Deployment.

 You don't need to reIP.

 You are going to deregister and then upgrade to a new version.

 Your F5 Load Balancer is pointing to your PSNs ... in other words, during the Secondary PAN and Secondary MnT process (deregistering and upgrading) your F5 will still "talk to" the PSNs (old version).

 Process:

1st backup config & logs
2nd export all certificates
3rd deregister Sec PAN
4th deregister Sec MnT
5th Upgrade Sec PAN & Sec MnT
6th Join Sec PAN & Sec MnT to a new Cluster
7th deregister one of the PSNs from the old Cluster
8th install this PSN from scratch (new version) and register to the new Cluster
9th repeat process 7th if everything is OK

 

Hope this helps !!!


4 Replies

balaji.bandi
Hall of Fame

Hi @Jay233 ,

  beyond what @balaji.bandi said:

1st. the 35xx Series is compatible with 2.7
2nd consider 2.7 P2 (at least) or 2.7 P3 (released on Feb 5th)

As a parallel upgrade:

1st deregister the Secondary PAN and Secondary MnT from your Cluster
2nd create a new Cluster
3rd upgrade this new Cluster
4th deregister one PSN from the old Cluster, install ISE from scratch and register to new Cluster
5th if everything is fine, repeat 4th to the other Nodes

 

Note: remember to generate a config backup and export your certificate

 

Hope this helps !!!

Hi Marcelo,

 

Really appreciate your response, just to clarify the deregistering and new cluster of the sPAN and sMON

Do you mean dereg into a standalone deployment PAN?

I'd need to reIP and CSR all the certs?

Over 2000 NADs hit F5 VIPs which have been locally load balanced across 2 VIPs dependent on location.

Or is it as simple as dereg the sPAN and sMON, upgrade and rejoin?

If you could elaborate on the actual process that would be great.

 

 

Cheers,

 

Jay 
