Cisco ISE v3.3 - Question About Restoring From Backup

martin-d
Level 1

In our deployment, we have two physical appliances. We've got a pair of SNS-3615-K9's running ISE software version 3.1.0. One is in DC1, the other is in DC2.

Both nodes are running all of these personas: Administration, Monitoring, Policy Service. Attached a pic of my deployment so you can see the full details. (Attachment: BLUE ISE Deployment.jpeg)

I am going to be undertaking an ISE upgrade from 3.1 to 3.3 via the GUI. It is my first time doing an ISE Upgrade. Yes, I'm reading up as much as I can on how to do this within the Cisco Identity Services Engine Administrator Guide, Release 3.1, and the Cisco ISE 3.3 Upgrade Guide: Upgrade Method. I'm finding it a little daunting because there is so much info to read, and honestly, at this point I'll take any tips/pointers I can get from anyone on this Community. Anyway, I have a question...

The Cisco ISE 3.3 Upgrade Guide says the following under the "Roll back to the previous version" section:

"Upgrade failures sometimes occur due to issues in the configuration and monitoring database. In these cases, you must manually restore your system ... In these scenarios, you must manually reimage your system, install Cisco ISE, and restore the configuration data and monitoring data if the Monitoring persona is enabled."

My question is this...

How do you back up the monitoring data? Is this the same thing as "Operational Data Backup" in the Backup & Restore section of the GUI, underneath the "Configuration Data Backup" radiobox?

Plus, how important is the monitoring data restoration if all we are using these appliances for is TACACS server functionality?


Arne Bier
VIP

Hi @martin-d 

You're right about the Monitoring Data backups - ISE calls it "Operational Backup" - contains all the RADIUS and TACACS Live Logs for the retention periods you have defined for both of those.

I never use Operational Backups, and in fact, I purge ALL Data (RADIUS and TACACS+) prior to an upgrade, because the upgrade has to migrate all that data from old database to new database - if you have GB's of data, an upgrade can take many more hours. The URT (Upgrade Readiness Tool) runs on the Standby PAN/MNT and it will estimate how long each node will take - if you purge the data and run the URT again, you will be astounded.

If you forward your TACACS and RADIUS Live Logs to a SIEM (which you should really be doing) then purging the data in ISE is no drama - the SIEM should have better search capabilities than ISE anyway.

Upgrade tips:

  • Put upgrade bundle and ISE 3.1 + 3.3 patches in a repo - also download the ISE 3.3 ISO in case of rebuild - test your vKVM
  • Patch your ISE 3.1 to the last available patch prior to upgrading to 3.3
  • Run the URT on ISE 3.1 Standby Admin node
  • Perform a final configuration backup prior to upgrade
  • Export your Admin/EAP certs (and their private keys) of all nodes (just in case of rebuild)
  • Have the AD join credentials handy (if you're using AD) - sometimes (rarely) the AD join doesn't work after upgrade
  • If any of your nodes are in a remote location, then provide a local SFTP/FTP repo - the GUI upgrade has a 4 hour limit to transfer all the files - on a 50Mbps connection, that won't be enough to get the upgrade bundle transferred
  • Be patient - don't immediately reboot/restart anything if you think the ISE upgrade is stuck - give it a sec