
Cisco ISE Upgrade from 2.3 to 3.0

Hello All, 

We have Cisco ISE running 2.3. We need to upgrade to the latest version. We have some issues, listed below.

1. These are in production, with 3 nodes. If we start the upgrade with the upgrade process, it will take a lot of time to upgrade, and we can't take much downtime.

2. If we install a new VM with 2.3, restore the configuration from the running VM, then upgrade to 3.0, can it then be put into production?

3. If we create a new VM with 3.0 directly, can we restore the 2.3 configuration directly?

 

 

Thanks in Advance. 

Lakshminarayana T

Accepted Solutions

Mike.Cifelli
VIP Alumni

So this could be a complicated reply to cover all of the possibilities/concerns, but I will share some items that you should definitely consider.

 

1. These are in production, with 3 nodes. If we start the upgrade with the upgrade process, it will take a lot of time to upgrade, and we can't take much downtime.

-So there are ways to avoid downtime in most upgrade scenarios.  Some ways to SAVE time and avoid downtime include: increasing auth timers so that clients are not subject to reauth during your upgrade window; purging old logs no longer needed; upgrading current 2.3 to the latest version of code (2.3p7).

However, you cannot use an upgrade bundle to go from 2.3->3.0.  You could always upgrade to 2.4 then to 3.0.  Personally I think this is too much work since you would be upgrading twice.  Straight from Cisco documentation:

"Two-step Upgrade

If you are currently using a version earlier than Cisco ISE, Release 2.4, you must first upgrade to one of the releases that are listed above and then upgrade to Release 3.0."

2. If we install a new VM with 2.3, restore the configuration from the running VM, then upgrade to 3.0, can it then be put into production?

-This will not work and IMO you would still have to do the 2 step upgrade.  So in the long run, more work with this idea.

3. If we create a new VM with 3.0 directly, can we restore the 2.3 configuration directly?

I would double check this option with TAC.  I have done several restore jobs like you have mentioned but only with the 2.x train.  This also can be very tricky and certain things need to occur for a smooth transition.

 

Other items of consideration:

As of 3.0, Cisco changed the licensing structure, which is going to force you to transition all licenses.  Definitely look at these:

Products - ISE Licensing Migration Guide - Cisco

Cisco ISE License FAQ

 

Also, I definitely suggest working with TAC/Cisco reps to get their opinion.  I am also curious to see what others say.  But def take a look at the following:

Cisco ISE 3.0 Upgrade Guide: Prepare for Upgrade - Cisco

Cisco ISE 3.0 Upgrade Guide: Overview - Cisco

 

Lastly, it may not be a bad idea to upgrade to 2.7p4 or p5 (roadmapped to come out VERY soon from what I have been told).  Then develop a license migration plan etc., and plan for 3.x migration later on.  Yes, 3.x is the suggested release, but getting there from where you are at involves a massive migration with many components.  2.7 is/will be supported for quite some time.  This may help in regard to 2.7:

ISE 2.7 Release - Cisco Community

 

Good luck and HTH!

3 Replies

balaji.bandi
Hall of Fame

Yes, you can leave the live ISE 2.3. You can create another VM for testing with ISE 2.3 and restore the backup, or take a snapshot of the old VM and create another instance to upgrade.

ISE 3.0 needs a minimum version of 2.4.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/upgrade_guide/HTML/b_upgrade_method_3_0.html

 

Upgrade journey:

 

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-install-and-upgrade

 

 

 

BB

This is much easier than you think:

 

a- Leave your production 2.3 alone and let it function as is to avoid interruption,

b- build a new environment with a single node first in a VM with 2.7, and patch it to patch 7,

c- export the backup configuration in your 2.3 environment and import it into your 2.7 patch 7 environment (this is supported by Cisco),

d- upgrade the new node to 3.0 and patch it with patch 3,

e- build the remaining two nodes with 3.0 with patch 3, add them to the new cluster, and set them up with Admin/MNT/PSN or however your setup might be,

f- verify the new cluster is working properly,

g- point your network devices to the new ISE 3.0 patch 3 cluster,

h- shut down your old ISE 2.3 cluster.

I did that a few weeks ago in my environment and it works without any interruption.