Solved: Re: Downgrade ISE v2.3 to ISE v2.2 on SNS 3415/3495 Appliances (Considerations)

Eric Flahaut · ‎05-07-2020

My work center is considering downgrading our ISE v2.3 to the ISE v2.2 on our two SNS 3415/3495 appliances. Are their any special considerations we should take? Does anyone know why the higher version is EOL before a lower version.

We are doing this due to the EOL for v2.3 (June 2020), but v2.2 will seemingly be supported for a longer duration. In the long term, we will be looking to upgrade our two SNS appliances that will support the more current versions, like 2.7

Thank you in advance for any information.

Damien Miller · ‎05-07-2020

Tough situation to be in, ISE doesn't support downgrades of versions, only roll back patches. This would be a manual operation of rebuilding the policy and config on 2.2.

The situation you are in occurred due to a policy the ISE BU used to have where even numbered versions of ISE were long lived, ex. 2.2, 2.4, 2.6. Odd numbered released were for early adopters requiring the latest features but seen as potentially less proven and thus short lived, ex 2.1 and 2.3. This policy has since been pulled back and the BU has given new guidance that 2.7 is also going to be a long term support release.

If you are stable on 2.3, I would look to accelerate your replacement to VM's or SNS-3600 appliances so that you could upgrade to 2.6/2.7. I would try to avoid the work of going back to 2.2.

View solution in original post

Damien Miller · ‎05-07-2020

Tough situation to be in, ISE doesn't support downgrades of versions, only roll back patches. This would be a manual operation of rebuilding the policy and config on 2.2.

The situation you are in occurred due to a policy the ISE BU used to have where even numbered versions of ISE were long lived, ex. 2.2, 2.4, 2.6. Odd numbered released were for early adopters requiring the latest features but seen as potentially less proven and thus short lived, ex 2.1 and 2.3. This policy has since been pulled back and the BU has given new guidance that 2.7 is also going to be a long term support release.

If you are stable on 2.3, I would look to accelerate your replacement to VM's or SNS-3600 appliances so that you could upgrade to 2.6/2.7. I would try to avoid the work of going back to 2.2.

thomas · ‎05-12-2020

Damien is correct.

See Cisco Identity Services Engine Software Release Lifecycle Product Bulletin for the short-term/long-term details.

RobertW · ‎06-09-2020

Hello, I am currently pre-staging an ISE SNS deployment which has come with ISE 2.7 Pre-installed on the servers. During the configuration I have hit a number of bugs, such as issues with the indexing engine not initialising when the deployment is Active / Standby, an issue where we are unable to install a public certificate and a number of cosmetic problems which Cisco TAC have advised will be fixed with the release of 2.7 Patch 2. Unfortunately I can't wait until July for this patch to be released so I want to downgrade to ISE 2.6 as this release appears to be more stable. Are there any details on how to do this with the ISE appliances? I have found plenty of documents for upgrading but downgrading appears to be quite difficult.

RobertW · ‎06-09-2020

I have been advised that the only way to do this is to re-image the SNS appliances with ISE 2.6 via CIMC or bootable USB.

Damien Miller · ‎06-09-2020

That is correct, you cannot roll back upgrades ex. 2.3 to 2.2, only patches. This will require a rebuild.