Solved: How to proceed to update this cluster

jds5 · ‎01-20-2022

Hello,

We will soon be performing an upgrade on one of our ISE clusters.

This cluster currently consists of 11 nodes in total:
- 1 PAN Primary
- 1 PAN Secondary
- 1 MNT Primary
- 1 MNT Secondary
- 8 PSN

Also, we have 3 PSN SNS-3495-K9 which will be replaced by SNS-3615-K9

The other equipment are 3595

The current version of the cluster is 2.1 patch 6 and the target version is 2.7 patch 6

Could you tell me how to update this cluster to the target version 2.7 patch 6?

Thank you,

BR,

José

Marcelo Morais · ‎01-20-2022

Hi @jds5 ,

beyond what @balaji.bandi said ... one possibility is:

1. De-register the SPAN and SMnT and create a New Cluster with them.

2. Upgrade the New Cluster to 2.2 and then to 2.7 P6

3. De-register one PSN from the Old Cluster, fresh install to 2.7 P6 and register this PSN to the New Cluster

Note: at this point you have a small New Cluster (3x Nodes) with all your data

5. Test the New Cluster, if everything is OK, then start "de-register" a Node from the Old Cluster, fresh install the Node and "register" to the New Cluster

Hope this helps !!!

View solution in original post

marce1000 · ‎01-21-2022

>....If so, will backup change my current ip?

- FYI : https://community.cisco.com/t5/network-security/cisco-ise-restore-backup/td-p/4259883

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

jds5 · ‎02-18-2022

Hello,

Finally, this issue has been solved.

We realized that an old backup directory that was no longer used, we could not delete it.

We reactivated the GUI backup on this location, which allowed it to be deleted later.

This modification solved the initial problem of accessing the backup/restore directory.

Thanks for your help,

View solution in original post

balaji.bandi · ‎01-20-2022

From ISE 2.1 to 2.7 you can not directly upgrade, you need to go 2.2 then 2.7 :

read the release notes check any caveats and supported matrix :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/upgrade_guide/Upgrade_Journey/PDF/b_ise_upgrade_guide_2_7_pdf/m_upgradeoverview.html

Follow distribuited upgrade :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/upgrade_guide/Upgrade_Journey/HTML/b_upgrade_method_2_7.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marcelo Morais · ‎01-20-2022

Hi @jds5 ,

beyond what @balaji.bandi said ... one possibility is:

1. De-register the SPAN and SMnT and create a New Cluster with them.

2. Upgrade the New Cluster to 2.2 and then to 2.7 P6

3. De-register one PSN from the Old Cluster, fresh install to 2.7 P6 and register this PSN to the New Cluster

Note: at this point you have a small New Cluster (3x Nodes) with all your data

5. Test the New Cluster, if everything is OK, then start "de-register" a Node from the Old Cluster, fresh install the Node and "register" to the New Cluster

Hope this helps !!!

jds5 · ‎01-20-2022

Thank you for your answers.

Regarding the 3615 model, I saw a note that says that to install version 2.4 on it, you must use the following os: ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso

Until now, no worries, however, it also says in this note to apply patch 9 after installation.
“For Cisco Secure Network Server (SNS) 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA .x86_64_SNS-36x5_APPLIANCE_ONLY.iso).
Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation. »

What does patch 9 bring?

Do I really have to apply it? in which case I have to do it also on the SNS-3595-K9 appliances?

Thank you,

José

balaji.bandi · ‎01-20-2022

After you upgrade to 2.2, You directly going to ISE 2.7 right ? why you installing ISE 2.4 ?

Once you installing and up and running ISE 2.7, then you need add patches as per suggestion made by cisco.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

jds5 · ‎01-21-2022

Hello,

One of my 3615 Appliances is in version 2.4 which must be integrated into the cluster, hence my previous question.

Otherwise, I have another question.

I have in my possession a test appliance (3615) in version 2.4 on which I would like to import a backup of PAN2.1
is it possible ?
If so, will backup change my current ip?

Thank you,

BR,

José

marce1000 · ‎01-21-2022

>....If so, will backup change my current ip?

- FYI : https://community.cisco.com/t5/network-security/cisco-ise-restore-backup/td-p/4259883

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

jds5 · ‎01-25-2022

Hello,

I have a new question still in the same context. This time, it concerns the CIMC part.

Today to connect to the CIMC of the SNS-3595-K9, it's quite complicated because the web interface still uses Flashplayer.

The current CIMC firmware version is 2.0(9c) and the bios version is: C220M.4.2.0.9a.0.120120151839

Can we update to a 4.0 version like what we can find on an SNS-3655-K9?
If so, do you have the procedure and the recommended version, please?

BR,

José

marce1000 · ‎01-25-2022

- Ref : https://www.cisco.com/c/en/us/td/docs/security/ise/sns3500hig/b_ise_SNS3500HIG/b_ise_SNS3500HardwareInstallationGuide22_chapter_010.html

>...

You must use the versions of CIMC firmware from the ISE downloads, which are qualified versions for use with the SNS appliances. Versions of CIMC for UCS are not compatible. Newer versions of CIMC are developed for SNS appliances after they are developed for UCS.

- So that will only work if a newer cimc version is offered for the particular sns-model in the ISE downloads section (cisco software downloads) , since SNS-3595-K9 is EOL , doubt this will be possible.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Greg Gibbs · ‎01-25-2022

There are CIMC upgrade files and instructions available for the SNS-35xx appliances under the Firmware section of the ISE software downloads.

https://software.cisco.com/download/home/283801620/type/283802505/release/SNS%2035x5

jds5 · ‎02-07-2022

Hello,

Finally, all equipment has been updated to version 2.7 patch 6
Everything seems to be working fine except for the backup/restore menu where it is impossible for us to navigate in it.
This issue is seen with other browsers. We even tried the reboot without success.
Has anyone encountered this type of problem before?

BR,

José

Marcelo Morais · ‎02-07-2022

Hi @jds5 ,

in other words, in Administration > System > Backup & Restore, you are unable to click the Edit link of the Schedule Backup and also the Select Repository?

PS.: meanwhile, are you able to generate a manual Backup via CLI?

ise/admin# backup CONFIG-DATA repository <repository> ise-config encryption-key plain <password>

Regards

jds5 · ‎02-07-2022

yes in CLI it works without problem.
It's only web browsing in this menu that doesn't work

Marcelo Morais · ‎02-07-2022

Hi @jds5 ,

worth the shot to deregister your SPAN from the ISE Cube (it will become a Standalone Node) to check if the issue will "show up" on the Standalone Node.

Note: if the issue remains, we are able to check the problem in a Node "outside" the Production Cluster.

Hope this helps !!!

jds5 · ‎02-07-2022

Thank you for this suggestion.
I keep you informed.