cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1165
Views
0
Helpful
8
Replies

Cisco ISE upgrade 2.1 to 2.4 patch 5

Ruelb2214
Level 1
Level 1

Guys,

 

Need your input if our idea is correct.

 

In our production we have ISE running primary(ISE1)and secondary(ISE2), we plan to upgrade to 2.4 doing this steps.

 

1.do upgrade through web ui, but under the sequence we will select only ISE2, we plan to upgrade ISE2 to 2.4 first, after success upgrade we will disconnect ISE1 from network then we test the ISE2 functionality and make sure everything working.

BUT will ISE2 auto promote as Primary after upgrade and will ISE1 be acting Secondary even not upgraded to 2.4 before we disconnect from network.

 

2.After verifying ISE2 2.4 working, we will proceed upgrade ISE1 to 2.4 after 2days and connect it to network, any issue foreseen issue?

 

do you have other approach compare to our idea?

much thanks guys!

1 Accepted Solution

Accepted Solutions

Endpoints will remain authorized, if there are reauth timers on the switch that expire or the endpoint restarts while the original authenticating node is down, then they will reauth against the other.

View solution in original post

8 Replies 8

Damien Miller
VIP Alumni
VIP Alumni
I can't comment on the process you're proposing as I have never tried it myself. I will however identify a bug that impacts 2.1 GUI upgrades. You need to ensure that both nodes have the exact same patches applied.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz23479/

Are you running on SNS appliances or VM's, the guidance and options will differ slightly.

We are running on SNS appliances.

 

Most of the guides i search was just proceed upgrade secondary and backup, i have not seen the same approach as ours. 😕

We are running on SNS appliances.

Most of the guides i search was just proceed upgrade secondary and backup, i have not seen the same approach as ours. 😕

Just to confirm then, are you on 2.4 supported SNS 3515/3595 appliances?

The common practice is to start with upgrading the secondary as you suggested. When you run the upgrade the secondary it will become the primary PAN and MNT. At the same time, the old 2.1 primary will remain as is, primary but with 2.1 running, these two nodes will not be communicating with one another. How you handle the upgrade of both nodes is certainly optional. For simplicity sake, upgrading in place like you suggested will be fine.

Make sure you run the upgrade readiness tool on the secondary before and correct any issues it identifies. I would recommend the in place CLI method only because I know it will work as you need. Specifically read the section titled "Upgrade a Two-Node Deployment", it's a three step procedure.

2.4 CLI upgrade procedure
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_011.html

URT steps
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_01.html#urt

We running now 2.4 3595 appliance.

Yes will run the upgrade in CLI.
But what I know if you have two nodes running diffirent version acting both Primary they wont communicate each other, BUT on the endpoint perspective where are they going to auth, will it be under 2.1 or 2.4 version, given both server ip are configure in switches!

Both the 2.1 and 2.4 nodes will authenticate endpoints when the services are up.  During the upgrade of the secondary authentication will take place on the 2.1 primary.  Once the secondary completes upgrading and the services are running, it will also authenticate.  

 

Which node authenticates the endpoints will be determined by the NAD configuration.  the RADIUS process will detect if a node is down and then use the alternate server. With this in mind, make sure you watch that the ISE node is still joined to AD after the upgrade, and join it as soon as possible if it requires rejoining. 

Good to hear that!

One last thing if given both 2.1 & 2.4 are up and running service, endpoint auth to 2.1 if suddenly 2.1 is down will all endpoint need to auto reauth to 2.4 or it wont unless device restarted?

Endpoints will remain authorized, if there are reauth timers on the switch that expire or the endpoint restarts while the original authenticating node is down, then they will reauth against the other.