09-17-2021 10:39 AM
Hello All,
We have Cisco ISE running 2.3. We need to upgrade to the latest version. We have some issues, which are listed below.
1. These are in production, with 3 nodes. If we start the upgrade, the upgrade process will take a lot of time, and we can't take much downtime.
2. If we install a new VM with 2.3, configure it, and restore it from the running VM, can we then upgrade it to 3.0 and put it into production?
3. If we create a new VM with 3.0 directly, can we restore the 2.3 configuration to it directly?
Thanks in Advance.
Lakshminarayana T
09-17-2021 11:24 AM
So this could be a complicated reply to cover all of the possibilities/concerns, but I will share some items that you should definitely consider.
1. These are in production, with 3 nodes. If we start the upgrade, the upgrade process will take a lot of time, and we can't take much downtime.
- So there are ways to avoid downtime in most upgrade scenarios. Some ways to SAVE time and avoid downtime include: increasing auth timers so that clients are not subject to reauth during your upgrade window; purging old logs no longer needed; upgrading current 2.3 to the latest version of code (2.3p7).
However, you cannot use an upgrade bundle to go from 2.3 -> 3.0. You could always upgrade to 2.4 then to 3.0. Personally I think this is too much work since you would be upgrading twice. Straight from Cisco documentation: "Two-step Upgrade
If you are currently using a version earlier than Cisco ISE, Release 2.4, you must first upgrade to one of the releases that are listed above and then upgrade to Release 3.0."
2. If we install a new VM with 2.3, configure it, and restore it from the running VM, can we then upgrade it to 3.0 and put it into production?
- This will not work, and IMO you would still have to do the 2-step upgrade. So in the long run, more work with this idea.
3. If we create a new VM with 3.0 directly, can we restore the 2.3 configuration to it directly?
- I would double check this option with TAC. I have done several restore jobs like you have mentioned, but only with the 2.x train. This also can be very tricky, and certain things need to occur for a smooth transition.
Other items of consideration:
As of 3.0 Cisco changed the licensing structure which is going to force you to transition all licenses. Definitely look at these:
Products - ISE Licensing Migration Guide - Cisco
Also, I definitely suggest working with TAC/Cisco reps to get their opinion. I am also curious to see what others say. But def take a look at the following:
Cisco ISE 3.0 Upgrade Guide: Prepare for Upgrade - Cisco
Cisco ISE 3.0 Upgrade Guide: Overview - Cisco
Lastly, it may not be a bad idea to upgrade to 2.7p4 or p5 (roadmapped to come out VERY soon from what I have been told). Then develop a license migration plan etc., and plan for 3.x migration later on. Yes, 3.x is the suggested release, but getting there from where you are at involves a massive migration with many components. 2.7 is/will be supported for quite some time. This may help in regard to 2.7:
ISE 2.7 Release - Cisco Community
Good luck and HTH!
09-17-2021 11:18 AM - edited 09-17-2021 11:19 AM
Yes, you can leave the live ISE 2.3 in place. You can create another VM for testing with ISE 2.3 and restore the backup, or take a snapshot of the old VM and create another instance to upgrade.
ISE 3.0 needs a minimum version of 2.4:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/upgrade_guide/HTML/b_upgrade_method_3_0.html
Upgrade journey:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-install-and-upgrade
09-19-2021 01:37 PM
This is much easier than you think:
a- Leave your production 2.3 alone and let it function as is to avoid interruption.
b- Build a new environment with a single node first, in a VM, on 2.7. Patch it to patch 7.
c- Export the backup configuration from your 2.3 environment and import it into your 2.7 patch 7 environment (this is supported by Cisco).
d- Upgrade the new node to 3.0 and patch it with patch 3.
e- Build the remaining two nodes with 3.0 patch 3, add them to the new cluster, and set them up with Admin/MNT/PSN or however your setup might be.
f- Verify the new cluster is working properly.
g- Point your network devices to the new ISE 3.0 patch 3 cluster.
h- Shut down your old ISE 2.3 cluster.
I did that a few weeks ago in my environment, and it works without any interruption.