ISE 2.0 to 2.1 Upgrade

Roger Base
Level 1

Hi Forum. I have 8 ISE nodes. This includes dedicated primary and secondary admin and monitoring nodes, and the rest are PSN nodes. I want to upgrade from 2.0 to 2.1, but I am unsure how this should be accomplished and in which order. Does anybody have experience upgrading from 2.0 to 2.1 with a distributed deployment?

Gagandeep Singh
Cisco Employee

Hi,

To upgrade your deployment with minimum possible downtime while providing maximum resiliency and ability to roll back, the upgrade order should be as follows:

1. Secondary Administration Node (the Primary Administration Node at this point remains at the previous version and can be used for rollback if the upgrade fails).
2. Primary Monitoring Node
3. Policy Service Nodes

At this point, verify if the upgrade is successful and also run the network tests to ensure that the new deployment functions as expected. See Verify the Upgrade Process for more information. If the upgrade is successful, proceed to upgrade the following nodes:

4. Secondary Monitoring Node
5. Primary Administration Node


Re-run the upgrade verification and network tests after you upgrade the Primary Administration Node.

Please follow the below guide for reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/upgrade_guide/b_ise_upgrade_guide_21/b_ise_upgrade_guide_21_chapter_011.html#ID20

Regards

Gagan

PS: rate if it helps!!!!

Hi again. If I use the GUI to upgrade, can I just mark all 8 nodes and start the upgrade? Will it then start upgrading all 8 nodes at the same time?

I saw that I should change the NIC card type and the OS to Red Hat version 7 when running on VMware. Should I change this before or after the upgrade?

The GUI tool will sequence the upgrade per the recommended order in the installation and upgrade guide. You have the option to tweak it - e.g. for PSNs in a fully distributed deployment.

The one old one that I upgraded, I changed the NIC types prior to upgrade.

That is correct. So I will need to power off the hosts one by one prior to the upgrade to change the NIC types and the Guest Operating System to RHEL 7?

What confused me most is this part from the documentation: "Release 2.1 supports Red Hat Enterprise Linux (RHEL) 7.0". Is RHEL 7.0 a requirement or just an option? (I am using version 6.) And should I pick any special NIC card?

If the upgrade succeeds, will I then lose anything from the old stuff like certificates or Internal CA or integration to AD/LDAP?

I changed the NIC types prior to upgrade (VM power down, change type and power on). The Guest OS is more cosmetic and I didn't bother changing that.

You will not lose certificates or Internal CA.

AD/LDAP connection may break (not always). Cisco recommends you check that and rejoin the domain if necessary. If you are using a service account per best practices you might want to make sure you have those credentials on hand before starting.

Even if AD connection breaks, all of your policies etc that use objects from that remain unaffected. You just need to make sure the connection is live post-upgrade. For a distributed deployment, that is as soon as the original deployment Secondary PAN upgrades and becomes the first member in the upgraded deployment.

Thank you Marvin. I updated my post while you replied to me :)

I guess I am only missing a reply for this one.

What type of NIC card should I pick from the list?

The official upgrade guide instructs us thus:

If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.

Source: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/upgrade_guide/b_ise_upgrade_guide_21/b_ise_upgrade_guide_21_chapter_01.html#id_18074

Either of those two NIC types is fine. Some shops prefer one vs the other for their own reasons.
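
The upgrade order from the first reply and the NIC requirement quoted from the upgrade guide, combined into one pre-upgrade planning check. This is an added example, not part of the original thread and not Cisco tooling; the role labels, node names and inventory are constructed, and the single primary/secondary PAN check assumes a distributed deployment like the one in the question.

```python
from dataclasses import dataclass
from typing import Optional

# Role labels are hypothetical; the order is the one given in the first reply.
UPGRADE_ORDER = ["secondary_pan", "primary_mnt", "psn", "secondary_mnt", "primary_pan"]
CHECKPOINT_AFTER = {"psn", "primary_pan"}   # verify after the PSNs and again at the end
CHECKPOINT = "verify upgrade and run network tests"
SUPPORTED_NICS = {"E1000", "VMXNET3"}       # per the quoted upgrade guide

@dataclass
class Node:
    name: str
    role: str
    nic: Optional[str] = None               # None for hardware appliances

def plan_upgrade(nodes):
    """Return (blockers, steps): issues to fix first, then the ordered plan."""
    blockers = []
    for n in nodes:
        if n.role not in UPGRADE_ORDER:
            blockers.append(f"{n.name}: unknown role {n.role}")
        elif n.nic is not None and n.nic.replace(" ", "").upper() not in SUPPORTED_NICS:
            blockers.append(
                f"{n.name}: change NIC type {n.nic} to E1000 or VMXNET3 before upgrading")
    # Assumption: rollback relies on exactly one PAN of each kind being present.
    for role in ("secondary_pan", "primary_pan"):
        count = sum(n.role == role for n in nodes)
        if count != 1:
            blockers.append(f"expected exactly one {role}, found {count}")
    steps = []
    for role in UPGRADE_ORDER:
        members = sorted(n.name for n in nodes if n.role == role)
        steps.extend(f"upgrade {m}" for m in members)
        if members and role in CHECKPOINT_AFTER:
            steps.append(CHECKPOINT)
    return blockers, steps

# Constructed 8-node inventory mirroring the deployment described in the question.
SAMPLE_NODES = [
    Node("pan1", "primary_pan", "VMXNET 3"), Node("pan2", "secondary_pan", "VMXNET3"),
    Node("mnt1", "primary_mnt", "E1000"),    Node("mnt2", "secondary_mnt", "E1000"),
    Node("psn1", "psn", "VMXNET3"),          Node("psn2", "psn", "VMXNET3"),
    Node("psn3", "psn", "Flexible"),         Node("psn4", "psn", "vmxnet3"),
]

if __name__ == "__main__":
    blockers, steps = plan_upgrade(SAMPLE_NODES)
    for b in blockers:
        print("BLOCKER:", b)
    for i, s in enumerate(steps, 1):
        print(f"{i:2d}. {s}")
```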

So, with my 2.0 ISE I am already set up for VMXNET 3, which means I do not have to do anything?

Thank you

CCIE 18676

Marvin Rhoads
Hall of Fame

2.0 to 2.1 supports the GUI-based upgrade. I have used it to great success in a distributed deployment - also coincidentally 8 nodes.

The upgrade GUI will suggest the Cisco-recommended upgrade order and then, once you accept that, perform all the necessary steps through to completion.

If it encounters any errors, it will halt and give you additional information according to the error encountered.

Patrick Meyer
Level 1

I wanted to share my experience as well. I have had one customer who only used one single ISE VM, where the upgrade went straightforwardly (through CLI) from version 2.0 to 2.1.

Another customer now, with four hardware nodes (3415), also wanted to upgrade from 2.0 to 2.1, and either way (GUI or CLI) as well as application upgrade prepare-proceed / application upgrade failed due to bug CSCva44235. It seems random as to which appliances/VMs are affected, but the only workaround is to re-image and restore a backup. Just to inform folks if they are planning to upgrade, to also prepare the ISO image/OVA file to "failover" to re-imaging their appliance.

Regards,

Patrick