Solved: Cisco ise upgrading and licences

Giuliano Gerardi · ‎06-03-2013

I nedd to upgrade from version 1.1.2 patch 4 to 1.1.3

the deployment is distributed so the split deployment technique needs to be used:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upg_dis_dep.html#wp1052969

the guide is quite hard to follow as there are some licensing informations missing that can potentially cause service downs:

in particular my questions reguarding the guide are:

--- OUR licence is registered to the primary PAN node only----

1) Deregistering primary PSN "D" node : what licence it will use? the inherited (10000 endpoints) or will it lose the licence completely and lock the network authentications?

2) When node "B" will be deregistered and will become standalone what happens to its licence ? will it be lost? and what will happen to the node "D" when added back to the node "B" ?

3) when I will switch back node "A" (after upgrade and registration to node "B") to its previous primary PAN state it is stated that the licence needs to be reloaded in it cause it was lost when adding it to node "B".... and in the meanwhile? no node will authenticate cause the primary node is without a licence?

TY

Marcin Latosiewicz · ‎06-03-2013

Giuliano,

De-registered node will always use it's own license, i.e. it becomes standalone box without knowledge or information of anything around it. Either the evalutaion or whichever license you have supplied it with.

License enforcement is performed by active admin node in cluster, according to its license.

Have a look at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCug04405

I don't think license needs to be reloaded, but that may be just my memory not serving me. I'll double-check that one.

M.

View solution in original post

Marcin Latosiewicz · ‎06-03-2013

Giuliano,

De-registered node will always use it's own license, i.e. it becomes standalone box without knowledge or information of anything around it. Either the evalutaion or whichever license you have supplied it with.

License enforcement is performed by active admin node in cluster, according to its license.

Have a look at:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCug04405

I don't think license needs to be reloaded, but that may be just my memory not serving me. I'll double-check that one.

M.

Richard Atkin · ‎06-03-2013

Hi,

All you need to do is to unregister the nodes, upgrade them all individually, and then re-register them again. So long as your Primary Admin box remains the same throughout (to keep the licensing requirements happy), you'll be good to go.

Sent from Cisco Technical Support iPad App

Richard Atkin · ‎06-03-2013

PS - Arrange an outage for the upgrade, don't faff around trying to keep much of a service going while you're doing the work, it's not worth the hassle and you probably won't achieve it anyway.

Sent from Cisco Technical Support iPad App

Giuliano Gerardi · ‎06-04-2013

Thank you everybody

the outage seems to be the best option as for what I can see It is impossible to achieve a troubleless (client side) procedure

however in my opinion a previously licensed node deregistered for update should at least keep the old license for 1 day... or simply not allowing logins while keeping authenticatig as before..

thank you again

Giuliano Gerardi · ‎06-04-2013

Just an other question

when I deregister Primary psn node and it will be without a licence cause it has been operational for more than 90 days

how do the node will respond to authentication requests?

it denies access or will not authenticate?

(the switches will not authenticate users, deny access, or switchover to the secondary PSN node wich is active registered and licensed to the original admin node?