Cisco ISE Upgrade from 2.2 P9 to 2.4 P6 (Distributed Deployment)

aslam.bajwa
Level 3

Hi All,

I have Cisco ISE 2.2 P9, and because of lots of bugs we need to upgrade it.

Deployment scenario:

Site A

Primary PAN
Primary MnT
Primary PSN

DR Site B (connected over WAN)

Secondary PAN
Secondary MnT
Secondary PSN

Note: all nodes are on different VMs.

After reading the Cisco doc, my understanding is to start the upgrade with:

First: Secondary Admin Node
2nd: Secondary Monitoring Node
3rd: Secondary PSN
4th: Primary PSN
5th: Primary Monitoring Node
6th: Primary Admin Node

*** My question is: if I am doing a GUI-based upgrade, do I have to download the ise-upgradebundle on all nodes or only one node?

*** If the admin node is on ver 2.4 and the policy node is on ver 2.2, will there be communication between them?

*** Is there any change in licensing?

Please advise.

Thank you

1 Reply

Damien Miller
VIP Alumni
Your server upgrade order looks good, no issue there. As for your other questions:

The ISE upgrade package has to be downloaded to every node. If using the GUI to upgrade the deployment, this is done during the pre-upgrade tasks and often times out if there is a slow WAN link. For most upgrades we create a repository for disk:/ and manually copy the upgrade bundle to each server's disk:/ before starting.

During the upgrade, the secondary PAN, which upgrades from 2.2 to 2.4 first, will then become the primary admin node in the 2.4 deployment. While upgrading you have two separate ISE deployments, one running 2.2 and a new one running 2.4; there is no communication between these two. When the secondary MNT and PSN upgrade, they will register with the 2.4 PAN.

2.2 to 2.4 includes VM license changes. You will have to email Cisco your Cisco sales order number where you originally purchased the RTU ISE VMs. The BU will issue new medium VM licenses for you to install on the 2.4 deployment. You can do this before or after the upgrade with no impact other than a nag message on the dashboard. Read about it here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/213171-ise-2-4-upgrade-alarms-fewer-vm-license.html
"If you are planning to upgrade to Release 2.4, contact ise-vm-license@cisco.com with sales order numbers that include VM purchase to procure one medium VM license for each VM previously purchased. You should also include your CCOID along with the sales order number."

One additional side note: I tend to prefer upgrading via the CLI because you have control over the process. When you upgrade from the GUI, I find that nodes will start too soon after the previous one, and you have no way to pause and test. If you do this manually you will be able to upgrade the PAN/MNT/first PSN, test, then continue or roll back. Also, make sure you have run the URT bundle to rule out any major issues upgrading.
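
The manual staging and CLI-driven upgrade described in the reply above, sketched as an ISE admin CLI session. This is an added example, not part of the original thread; the repository name LOCALDISK, the `<sftp-server>` host, `<path>` and the `<ise-upgradebundle-file>` name are placeholders, and lines starting with `!` are annotations rather than input.

```console
! Run on each node in turn, starting with the Secondary PAN.

! 1. Define a repository that points at the node's local disk.
ise/admin# configure terminal
ise/admin(config)# repository LOCALDISK
ise/admin(config-Repository)# url disk:/
ise/admin(config-Repository)# exit
ise/admin(config)# exit

! 2. Copy the bundle onto the local disk before the change window,
!    so a slow WAN link cannot time out the upgrade itself.
ise/admin# copy sftp://<sftp-server>/<path>/<ise-upgradebundle-file> disk:/

! 3. Confirm the bundle is visible through the repository.
ise/admin# show repository LOCALDISK

! 4. Stage the bundle, then start the upgrade on this node only.
ise/admin# application upgrade prepare <ise-upgradebundle-file> LOCALDISK
ise/admin# application upgrade proceed

! 5. After the node reboots, check services before touching the next node.
ise/admin# show application status ise
```

Repeating these steps node by node, in the order listed in the question, gives the pause-and-test points between nodes that the reply describes.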