06-26-2024 09:25 AM
Hi Community members,
Just want to know if I can upgrade ISE from version 2.7.0.356 patch 3 to ISE 3.X directly?
I have a distributed environment between two data centers. Each DC has six nodes: 1 PAN, 1 MnT and 4 PSNs.
What should be the upgrade approach in this scenario?
06-26-2024 01:53 PM
Yes - it's always good to confirm this from the Release Notes - e.g. ISE 3.2 supports upgrade from 2.7, but the latest version 3.3 does not support upgrade from 2.7.
Therefore you can upgrade directly to 3.2, ASSUMING you don't have any old SNS servers - check the hardware compatibility guide. If it's just VMs, then no worries.
This question has been discussed many times before. There are two options:
1) Rebuild the nodes and restore config on the first one, and register all the others back in, one-by-one. It's a very time consuming process but Cisco says it's its preferred method. IMHO it's only required if the disk sizing needs to change on a node. And rebuilding a VM is much easier than re-imaging an SNS server.
2) Inline upgrade - run the upgrade bundle on each node. Much easier and leaves all the certs and AD joins in place. People are divided on this topic and would rather go with option 1. TBH, I do inline upgrades these days from 3.2 to 3.3 and it's my preferred method.
The ISE 3.2 Upgrade Guide documents what needs to happen, and in which order. You should run the URT on the Standby PAN to check pre-upgrade status. Make a final config backup. Then upgrade the Standby PAN, followed by the MNTs, and the PSNs. Last one to be upgraded is the Primary PAN. Once you get to the PSNs (which one and in which order, is up to you) you should test your RADIUS/TACACS/Portal services.
Finally, patch the whole lot to the latest patch.
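As an added illustration of the node order described in the reply above (this is example code, not from the thread, Cisco, or the ISE Upgrade Guide), the script below turns a two-DC inventory into an ordered upgrade plan and refuses to plan a path the release table does not allow. The hostnames, the version table (filled only with the two facts stated in this thread: 3.2 accepts 2.7, 3.3 accepts 3.2 but not 2.7), and the choice to alternate PSNs between data centres are all assumptions made for the example; the reply itself leaves the PSN order up to you.

```python
"""Build and sanity-check an ISE upgrade plan for a two-DC distributed deployment.

Order follows the reply above: run the URT on the Standby PAN, take a final
config backup, upgrade the Standby PAN, then the MnTs, then the PSNs (testing
RADIUS/TACACS/portal services as you go), the Primary PAN last, then patch all.
Example code; inventory and version table are constructed, not real data.
"""
from dataclasses import dataclass
from itertools import zip_longest

# Constructed from the thread only (not a complete table): which source major
# version each target major version accepts for a direct upgrade.
# Always confirm against the Release Notes of the release you are targeting.
DIRECT_UPGRADE_FROM = {
    "3.2": {"2.7"},
    "3.3": {"3.2"},
}


@dataclass(frozen=True)
class Node:
    hostname: str
    dc: str
    role: str  # "PRIMARY_PAN", "STANDBY_PAN", "MNT" or "PSN"


def major_version(version: str) -> str:
    """'2.7.0.356' -> '2.7'; patch levels do not change the upgrade path."""
    return ".".join(version.split(".")[:2])


def direct_upgrade_supported(current: str, target: str) -> bool:
    allowed = DIRECT_UPGRADE_FROM.get(major_version(target), set())
    return major_version(current) in allowed


def interleave_by_dc(nodes):
    """Alternate nodes between data centres so one DC never has all of its
    PSNs in the upgrade window at once (an assumption of this example; the
    thread leaves PSN order to the operator)."""
    by_dc = {}
    for node in nodes:
        by_dc.setdefault(node.dc, []).append(node)
    ordered = []
    for group in zip_longest(*by_dc.values()):
        ordered.extend(n for n in group if n is not None)
    return ordered


def build_upgrade_plan(nodes, current, target):
    """Return an ordered list of (step, hostname) tuples, or raise ValueError."""
    if not direct_upgrade_supported(current, target):
        raise ValueError(f"no direct upgrade path {current} -> {target}; check Release Notes")

    by_role = {}
    for node in nodes:
        by_role.setdefault(node.role, []).append(node)
    if len(by_role.get("PRIMARY_PAN", [])) != 1 or len(by_role.get("STANDBY_PAN", [])) != 1:
        raise ValueError("expected exactly one Primary PAN and one Standby PAN")
    if not by_role.get("MNT") or not by_role.get("PSN"):
        raise ValueError("expected at least one MnT and one PSN")

    primary = by_role["PRIMARY_PAN"][0]
    standby = by_role["STANDBY_PAN"][0]

    plan = [
        ("run_urt", standby.hostname),        # pre-upgrade readiness check
        ("config_backup", primary.hostname),  # final backup before touching nodes
        ("upgrade", standby.hostname),
    ]
    plan += [("upgrade", m.hostname) for m in by_role["MNT"]]
    for psn in interleave_by_dc(by_role["PSN"]):
        plan.append(("upgrade", psn.hostname))
        plan.append(("test_services", psn.hostname))  # RADIUS / TACACS / portals
    plan.append(("upgrade", primary.hostname))        # Primary PAN goes last
    plan += [("patch", n.hostname) for n in nodes]    # then patch the whole lot
    return plan


# Constructed inventory matching the question: two DCs, each 1 PAN, 1 MnT, 4 PSNs.
EXAMPLE_NODES = [
    Node("dc1-pan", "dc1", "PRIMARY_PAN"),
    Node("dc2-pan", "dc2", "STANDBY_PAN"),
    Node("dc1-mnt", "dc1", "MNT"),
    Node("dc2-mnt", "dc2", "MNT"),
] + [Node(f"dc{d}-psn{i}", f"dc{d}", "PSN") for d in (1, 2) for i in range(1, 5)]


if __name__ == "__main__":
    for step, host in build_upgrade_plan(EXAMPLE_NODES, "2.7.0.356", "3.2"):
        print(f"{step:14s} {host}")
```

Running it with the constructed inventory prints the URT and backup steps first, then upgrades of dc2-pan, both MnTs, the eight PSNs alternating between dc1 and dc2 with a service test after each, dc1-pan last, and finally a patch step for every node; asking it for 2.7 to 3.3 raises a ValueError instead of producing a plan.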
06-27-2024 01:09 AM
Hi Arne,
Thank you so much for sharing your experience and also sharing the valuable information.
My current ISE environment is totally VM based and I am building new VMs from scratch for version 3.X. Just need to upgrade RHEL to support version 3.X and hopefully by using the backup and restore method I will be able to upgrade all the ISE nodes successfully.
06-27-2024 01:56 PM
Clean VMs and config restore is a sane approach to take.
In the VMware case, one small bugbear of mine with the ISE OVAs is that they ship with 6 non-paravirtualised network adapters. I always delete them all, and add one VMXNET3 adapter. I also right-click on the VM and update the Hardware Compatibility to the latest that the ESXi supports. I don't believe it makes ISE better, but I get a bit OCD when I see a VM that is ESXi 5.x compatible on an ESXi 7.x host.
07-04-2024 10:34 PM
Thanks Arne. One more question: I would be building these VMs in a private cloud now, as previously they were in a traditional environment, where the hostnames would still remain the same but the actual IP will be changed. In this case, will doing this cause any certificate related issues?
07-04-2024 10:56 PM
Not sure what you mean by "private cloud". I guess you're referring to installing ISE on any of the supported hypervisors like VMware, Hyper-V, Nutanix, KVM, etc. - the point about Admin certs is that you should create those certs from an internal PKI - when registering other nodes to the first PAN, you then simply install the CA cert chain of the PKI into each of the nodes, and then register them into the PAN. You need to pay attention to the lifespan of these certs - because they are used internally (not public facing) there is no harm in making them last a bit longer - e.g. 3 - 5 years. I know of one customer who creates 10 yr certs. That has the benefit of not having to worry about cert renewals and all the hassles that come with it.
07-05-2024 11:46 PM
Hi Arne .. what I mean is I am actually migrating ISE from the old network environment to a new one, due to which the IP for all the nodes will be changed. Will this cause any issue with certs?
07-07-2024 01:47 PM
If your PSN (RADIUS) nodes are getting a new IP address, will they retain the same DNS entries? If yes, then you can re-use the same Admin & EAP certs if need be. Or else, make new DNS records, and create new Admin / EAP certs for the nodes. If these new certs come from the same trusted CA that signed the certs of the old ISE deployment, then your supplicants (802.1X clients) should not have any issues, because they should already have the CA installed in their trust store.
The biggest pain with changing IP addresses in such an environment is that you must configure all your devices that use AAA/RADIUS to point to these new IPs (unless they are behind a load balancer).
09-12-2024 06:27 AM
Thanks Arne for sharing the valuable information and experience. Yes, ISE nodes will be behind a load balancer in my scenario.