09-27-2017 02:25 AM
Hi Team,
The customer is upgrading an ISE cluster from 1.2 to 1.3. In a distributed deployment, the upgrade steps are as below.
SecPAN(1.2) upgrade to PriPAN(1.3)
PriMNT(1.2) upgrade to PriMNT(1.3)
So now we have two clusters, a new 1.3 cluster and the old 1.2 cluster, without any HA. All PSNs are still registered to the old 1.2 PAN.
At this juncture, the customer would like to add HA to the new 1.3 cluster. He brings up a new 1.3 node and joins it to the 1.3 PAN as SecPAN. The question is, will this work? Our argument is that the 1.3 PAN still holds a DB that has a record of the 1.2 PAN being its peer and is expecting this peer to join back. But instead we are joining the 1.3 PAN with a new node as SecPAN. This means it will not work. Is our understanding correct?
Also, the customer is asking why we can't have different ISE versions in the same cluster. This would make the upgrade work easier, and the customer wouldn't need to rush to upgrade the entire cluster of 14 nodes in an 8-hour MW. Do we have such support on the roadmap?
Thanks for your advice.
Regards &
Have a nice day
09-27-2017 04:58 AM
This is covered in the admin guide and will work.
Just remove unneeded nodes.
We don’t discuss roadmap on a public forum; please get your feature request to our PM team through the sales channel.
I have a concern, however.
ISE 1.2 is significantly different around how Guest access works. If you’re doing any guest, you should test it out and make sure it works as needed.
Also, moving them to 1.3 is a bad idea as it’s end of life and support. It’s also really old and missing lots of key functionality.
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-737392.html
You need to look at moving them to ISE 2.2.
09-27-2017 05:11 AM
Recommendation is to build ISE 2.2 from scratch and start new.
09-27-2017 05:51 AM
Thanks Jason,
After the upgrade from SecPAN(1.2) to PriPAN(1.3), I will need to log in to PriPAN(1.3) and remove the PriPAN(1.2) node from the DB. I will then add the new node as SecPAN(1.3).
I believe PriPAN(1.3) will have the same license as PriPAN(1.2), right?
This is a 14-node (2 x PAN, 2 x MNT, 10 x PSN) distributed deployment across 5 countries. The main purpose is to authenticate wireless users and do posture validation. No guest access. Hardware is 33XX series, so the supported version is up to 1.4.
ISE 2.0 onwards cannot support 33xx series hardware. You are right on the EOS of 1.3. My best bet now is to upgrade to 1.4.
Regards &
Have a nice day
09-27-2017 07:29 AM
If you are using the upgrade process you shouldn't have to worry about licensing as it should carry through the upgrade process. I don't do the upgrade process normally. I would have rebuilt the nodes fresh as 1.3, restored the 1.2 backup, rehosted licenses and gone from there.
If you do have any issues with licensing you can simply contact licensing@cisco.com and do a rehost.