How best to perform an ISE upgrade roll-back

Arne Bier
VIP

Hello

I am writing a detailed implementation guide for my customer to upgrade them from ISE 2.2 patch to ISE 2.3 patch 1 - yay! 

I have a fully distributed deployment running on vSphere 6.0.  I want to use CLI for full control over the proceedings.

I have tested it all in the lab and so far it seems OK. But I don't see a reversion plan in the Cisco ISE 2.3 Upgrade Guide. It mentions that as long as the old PAN is still alive, a reversion is possible. But it doesn't explain how best to proceed.

But let's say I have already upgraded only one PAN, one MnT and one PSN, and then I have to revert back to 2.2 for some reason. What options are there to revert those three nodes? I see two possible options:

  1. Ask the VMware team to snapshot all the nodes prior to upgrade. But how reliable/successful is this? Do we need to shut down the nodes prior to snapshot? I am not a fan of this because I wonder about the integrity of the data.
  2. Use a big hammer: delete the VM containing the upgraded 2.3 nodes and build new VMs using the ISE 2.2 OVA. Register these nodes into the old 2.2 deployment with respective personas. Then patch those three with patch 2. This is my preferred approach because it feels cleaner.

Is there any other sanctioned rollback procedure?

Accepted Solutions

Ping Zhou
Level 8

Patching could be rolled back. Rollback for an upgrade cannot be done. For a specific node, once you are on 2.3, the only way to bring it back to 2.2 is to re-image the node with the 2.2 ISO or OVA.

ISE nodes are constantly synchronizing. Snapshotting a running node is a bad idea. If you have to, you need to power down the node properly: do the commands app stop ise and halt for your VM-based node.

So you see, do a solid backup to SFTP. In case you need to go back to 2.2 from 2.3, you re-image the virtual box and register it back to the 2.2 cluster. Manually sync with the primary MnT. If the primary PAN is good, then you don't need to restore.

My 2 cents

/ping

Sent from mobile device

Dustin Anderson
VIP Alumni

I'll say from experience we shut down and did a backup of the complete VM, not just a snapshot. We are on hardware now, so we don't have that ability anymore. But now if I have to rebuild, I have the same serial number, so the licenses can just be reinstalled.

If you rebuild a VM, the serial will change and you will have to redo all the licensing.

To add... We converted the traditional licensing to Smart Licensing; it feels much easier to handle.

Arne Bier
VIP

Thanks for reminding me about the licensing aspect when rebuilding the PAN on a VM (the UDI will be different and hence cause a license re-homing requirement).

Having said that, we're in the process of converting our Traditional Licensing to Smart Licensing due to some efforts here on other Cisco platforms.