Cisco ISE upgrade from version 2.7.0.356 patch 3 to ISE 3.X

M Talha · ‎06-26-2024

Hi Community members,

Just want to know if I can upgrade ISE from version 2.7.0.356 patch 3 to ISE 3.X directly ?

I have a distributed environment between two data centers. Each DC has six nodes. 1PAN, 1Mnt and 4PSN's.

What should be the upgrade approach in this scenario ?

Arne Bier · ‎06-26-2024

Yes - it's always good to confirm this from the Release Notes - e.g. ISE 3.2 support upgrade from 2.7, but the latest version 3.3 does not support upgrade from 2.7

Therefore you can upgrade directly to 3.2, ASSUMING you don't have any old SNS servers - check the hardware compatibility guide. If it's just VMs, then no worries.

This question has been discussed many times before. There are two options

1) Rebuild the nodes and restore config on the first one, and register all the others back in, one-by-one. It's a very time consuming process but Cisco says it's its preferred method. IMHO it's only required if the disk sizing needs to change on a node. And rebuilding a VM is much easier than re-imaging an SNS server.

2) Inline upgrade - run the upgrade bundle on each node. Much easier and leaves all the certs and AD joins in place. People are divided on this topic and rather go with option 1. THB, I do inline upgrades these days from 3.2 to 3.3 and it's my preferred method.

The ISE 3.2 Upgrade Guide documents what needs to happen, and in which order. You should run the URT on the Standby PAN to check pre-upgrade status. Make a final config backup. Then upgrade the Standby PAN, followed by the MNTs, and the PSNs. Last one to be upgraded is the Primary PAN. Once you get to the PSNs (which one and in which order, is up to you) you should test your RADIUS/TACACS/Portal services.

Finally, patch the whole lot to the latest patch.

M Talha · ‎06-27-2024

Hi Arne,

Thank you so much for sharing your experience and also sharing the valuable information.

My current ISE environment is totally VM based and I am building new VM's from scratch for version 3.X. Just need to upgrade RHEL to support version 3.X and hopefully by using backup and restore method I will be able to upgrade all the ISE nodes successfully.

Arne Bier · ‎06-27-2024

Clean VMs and config restore is a sane approach to take.

In the VMWare case, one small bug bear of mine with the ISE OVAs is that they ship with 6 non-paravirtualised network adapters. I always delete them all, and add one VMXNET3 adapter. I also right-click on the VM and update the Hardware Compatibility to the latest that the ESXi supports. I don't believe it makes ISE better, but I get a bit OCD when I see a VM that is ESXi 5.x compatible on a an ESXi 7.x host.

M Talha · ‎07-04-2024

Thanks Arne. One more question that I would be building these VM's in a private cloud now as previously they were in a traditional environment, where the hostnames would still remain the same but the actual IP will be changed. In this case doing this will cause any certificate related issues ?

Arne Bier · ‎07-04-2024

Not sure what you mean by "private cloud". I guess you're referring to installing ISE on any of the supported hypervisors like VMWare, HyperV, Nutanix, KVM, etc. - the point about Admin certs, is that you should create those certs from an internal PKI - when registering other nodes to the first PAN, you then simply install the CA cert chain of the PKI into each of the nodes, and then register them into the PAN. You need to pay attention to the lifespan of these certs - because they are used internally (not public facing) there is no harm in making them last a bit longer - e.g. 3 - 5 years. I know of one customer who creates 10 yr certs. That has the benefit of not having to worry about cert renewals and all the hassles that comes with it.

M Talha · ‎07-05-2024

Hi Arne .. what I mean is I am actually migrating ISE from old network environment to new one due to which IP for all the nodes will be changed. Does this will cause any issue with certs ?

Arne Bier · ‎07-07-2024

If your PSNs (RADIUS) nodes are getting a new IP address, will they retain the same DNS entries? If yes, then you can re-use the same Admin & EAP certs if need be. Or else, make new DNS records, and create new Admin / EAP certs for the nodes. If these new certs come from the same trusted CA that signed the certs of the old ISE deployment, then your supplicants (802.1X clients) should not have any issues, because they should already have the CA installed in their trust store.

The biggest pain with changing IP addresses in such an environment, is that you must configure all your devices that use AAA/RADIUS to point to these new IPs (unless they are behind a load balancer).