Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1631
Views
5
Helpful
4
Replies

ISE 2.2 patch 10 upgrade

Go to solution
bryantsteve
Level 1
Level 1

‎01-25-2019 06:59 AM

My ISE two node deployment is currently version 2.1.0 Patch 3, I need to upgrade to version 2.2.0 patch 10 my primary question is can I go directly  to patch 10 after upgrading to version 2.2 and secondly ISE upgrades never go smoothly for me so input on any issues or cautionary notes  would be gratefully accepted

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-25-2019 11:03 AM - edited ‎01-25-2019 12:10 PM

So a couple discussion items here. If I was moving to 2.2, I would go to patch 13, and not patch 10. Unless there is a specific bug/issue you are aware of that impacts you in the most recent patch for the train, it would be the most stable. There are a significant number of issues fixed in patch 11, 12 that patch 13 includes.

Another thought, 2.4 p5 is considered a stable and recommended release by the ISE BU. The level of effort to go from 2.1 to 2.2 or 2.4 is the same so I would suggest looking at upgrading to 2.4.

If viable, what I like to do is stand up a QA environment. Restore the production backup to this QA environment and run through production tests. This could be building out on 2.1, running the URT, upgrading, then testing. Or it could be building out on the future version, restoring the backup, and testing. Either way, this can give some peace of mind but not everyone has the resources to do this. u

Most of the upgrades I help plan include manually running the upgrade bundle from the CLI. I'm not a fan of the GUI as it does not provide granular enough control over the process. The upgrade procedure I like to follow goes like this.

Option 1
1. Run URT and confirm upgrade will succeed, open TAC case and work through this if not.
2. Deploy new version PAN and MNT VM's, staged at setup script state.
3. Deregister Secondary PAN and MNT
4. Run setup script on new PAN, reusing old IP's and hostnames. Restore the production backup and patch.
5. Run setup script on new MNT, reusing old IP's and hostnames, patch, and register.
6. Deregister a psn at a time, either levering newly deployed vm's, or upgrading the existing with the upgrade bundle via the CLI.

The process changes a bit for with SNS hardware appliances or when reusing all VM's. If reusing the existing SNS appliances or upgrading all VM's then you just upgrade them all via the bundle. I like using new VM's if the space is available. By splitting the deployment in two, you have an existing old deployment running in a well known state, and you have a second new deployment that you can test on, pause any time, or roll back.

There is an upgrade guide for every version that goes through the process, this one is for 2.4.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_00.html

View solution in original post

4 Replies 4

Go to solution
marce1000
VIP
VIP

‎01-25-2019 08:12 AM

 

>....for me so input on any issues or cautionary notes  would be gratefully accepted

- Well you said it there for sure, many people never upgrade ISE according to the normal procedures, because of possible breaking of a production environment. As of us too , we install  the intended version  from a new deployment and then in the switches  switch over to the new PSN's when the new ISE's are ready. There are variant ways of achieving this I presume , the most cumbersome a complete from-zero configuration. It took me a bit longer , but I at least I kept my job....

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-25-2019 11:03 AM - edited ‎01-25-2019 12:10 PM

So a couple discussion items here. If I was moving to 2.2, I would go to patch 13, and not patch 10. Unless there is a specific bug/issue you are aware of that impacts you in the most recent patch for the train, it would be the most stable. There are a significant number of issues fixed in patch 11, 12 that patch 13 includes.

Another thought, 2.4 p5 is considered a stable and recommended release by the ISE BU. The level of effort to go from 2.1 to 2.2 or 2.4 is the same so I would suggest looking at upgrading to 2.4.

If viable, what I like to do is stand up a QA environment. Restore the production backup to this QA environment and run through production tests. This could be building out on 2.1, running the URT, upgrading, then testing. Or it could be building out on the future version, restoring the backup, and testing. Either way, this can give some peace of mind but not everyone has the resources to do this. u

Most of the upgrades I help plan include manually running the upgrade bundle from the CLI. I'm not a fan of the GUI as it does not provide granular enough control over the process. The upgrade procedure I like to follow goes like this.

Option 1
1. Run URT and confirm upgrade will succeed, open TAC case and work through this if not.
2. Deploy new version PAN and MNT VM's, staged at setup script state.
3. Deregister Secondary PAN and MNT
4. Run setup script on new PAN, reusing old IP's and hostnames. Restore the production backup and patch.
5. Run setup script on new MNT, reusing old IP's and hostnames, patch, and register.
6. Deregister a psn at a time, either levering newly deployed vm's, or upgrading the existing with the upgrade bundle via the CLI.

The process changes a bit for with SNS hardware appliances or when reusing all VM's. If reusing the existing SNS appliances or upgrading all VM's then you just upgrade them all via the bundle. I like using new VM's if the space is available. By splitting the deployment in two, you have an existing old deployment running in a well known state, and you have a second new deployment that you can test on, pause any time, or roll back.

There is an upgrade guide for every version that goes through the process, this one is for 2.4.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_00.html

Go to solution
bryantsteve
Level 1
Level 1
In response to Damien Miller

‎01-25-2019 11:26 AM

Damien thank you for the excellent response, I chose 2.2 to be consistent  as I have two other deployments running this version.   Just one point I want to make sure I'm clear on, for the patches (I'll likely take you suggestion and go with 13) there is not a prerequisite  patch, after upgrade I can proceed with applying  patch 10/13, correct?

 

0 Helpful

Go to solution
sgs ise
Level 1
Level 1
In response to Damien Miller

‎01-27-2019 01:07 AM

There are a significant number of issues fixed in patch 11, 12 that patch 13 includes.

Hi Damien,

 

We have received recent security updates vulnerability, and our ISE is using 2.2.0.470 patch 5,12, the link below is saying that I should have a patch 10 to address the issue. but since the device already has patch 12, then I think it is not necessary to apply patch 10 on it, right?. I attached the image of the Cisco ISE device.

 

Security advisory reference:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-ise-privilege

 

Regards,

Ben

Preview file
24 KB
0 Helpful
Customers Also Viewed These Support Documents