01-25-2019 06:59 AM
My ISE two-node deployment is currently version 2.1.0 Patch 3. I need to upgrade to version 2.2.0 Patch 10. My primary question is: can I go directly to Patch 10 after upgrading to version 2.2? Secondly, ISE upgrades never go smoothly for me, so input on any issues or cautionary notes would be gratefully accepted.
01-25-2019 11:03 AM - edited 01-25-2019 12:10 PM
So, a couple of discussion items here. If I was moving to 2.2, I would go to patch 13, and not patch 10. Unless there is a specific bug/issue you are aware of that impacts you in the most recent patch for the train, it would be the most stable. There are a significant number of issues fixed in patches 11 and 12 that patch 13 includes.
Another thought: 2.4 p5 is considered a stable and recommended release by the ISE BU. The level of effort to go from 2.1 to 2.2 or 2.4 is the same, so I would suggest looking at upgrading to 2.4.
If viable, what I like to do is stand up a QA environment. Restore the production backup to this QA environment and run through production tests. This could be building out on 2.1, running the URT, upgrading, then testing. Or it could be building out on the future version, restoring the backup, and testing. Either way, this can give some peace of mind, but not everyone has the resources to do this.
Most of the upgrades I help plan include manually running the upgrade bundle from the CLI. I'm not a fan of the GUI as it does not provide granular enough control over the process. The upgrade procedure I like to follow goes like this.
Option 1
1. Run URT and confirm upgrade will succeed, open TAC case and work through this if not.
2. Deploy new-version PAN and MNT VMs, staged at the setup script state.
3. Deregister the Secondary PAN and MNT.
4. Run the setup script on the new PAN, reusing the old IPs and hostnames. Restore the production backup and patch.
5. Run the setup script on the new MNT, reusing the old IPs and hostnames, patch, and register.
6. Deregister one PSN at a time, either leveraging newly deployed VMs, or upgrading the existing ones with the upgrade bundle via the CLI.
The process changes a bit with SNS hardware appliances or when reusing all VMs. If reusing the existing SNS appliances or upgrading all VMs, then you just upgrade them all via the bundle. I like using new VMs if the space is available. By splitting the deployment in two, you have an existing old deployment running in a well-known state, and you have a second new deployment that you can test on, pause any time, or roll back.
There is an upgrade guide for every version that goes through the process, this one is for 2.4.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_00.html
01-25-2019 08:12 AM
>....for me so input on any issues or cautionary notes would be gratefully accepted
- Well, you said it there for sure: many people never upgrade ISE according to the normal procedures, because of the possibility of breaking a production environment. As for us too, we install the intended version from a new deployment and then, in the switches, switch over to the new PSNs when the new ISEs are ready. There are various ways of achieving this, I presume, the most cumbersome being a complete from-zero configuration. It took me a bit longer, but at least I kept my job....
M.
01-25-2019 11:26 AM
Damien, thank you for the excellent response. I chose 2.2 to be consistent, as I have two other deployments running this version. Just one point I want to make sure I'm clear on: for the patches (I'll likely take your suggestion and go with 13), there is no prerequisite patch, and after the upgrade I can proceed with applying patch 10/13, correct?
01-27-2019 01:07 AM
> There are a significant number of issues fixed in patch 11, 12 that patch 13 includes.
Hi Damien,
We have received a recent security vulnerability update, and our ISE is running 2.2.0.470 with patches 5 and 12. The link below says that I should have patch 10 to address the issue, but since the device already has patch 12, I think it is not necessary to apply patch 10 on it, right? I attached an image of the Cisco ISE device.
Security advisory reference:
Regards,
Ben
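The advisory question above, as an added example that is not part of the thread: a small Python check that parses the patch list out of ISE's `show version` output and compares the highest installed patch against a per-train "first fixed in" table. Because ISE patches are cumulative within a release train, a 2.2 node carrying patch 12 already contains the patch 10 fix; the same rule is why a freshly upgraded 2.2 node can take the latest patch directly without installing intermediate ones. The `show version` layout is approximated from memory, the sample output is constructed, and the `FIRST_FIXED` table is hypothetical, not a real Cisco advisory.

```python
"""Decide whether an ISE node's patch level covers an advisory's 'first fixed' patch.

ISE patches are cumulative within a train, so only the highest installed
patch number matters when comparing against an advisory.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the application section of `show version` on a
# 2.2.0.470 node with patches 5 and 12 installed (layout approximated).
SAMPLE_SHOW_VERSION = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 2.2.0.470
Build Date   : Tue Jan 31 01:03:44 2017
Install Date : Mon Apr 10 15:48:18 2017

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 5
Install Date : Mon Jun 12 09:11:02 2017

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 12
Install Date : Thu Dec 13 21:40:55 2018
"""

# Hypothetical advisory table (not a real Cisco advisory): first patch in
# each train that contains the fix. The 2.2 entry mirrors the thread's
# "patch 10" statement; the 2.4 entry is made up for illustration.
FIRST_FIXED: Dict[str, int] = {"2.2": 10, "2.4": 3}


class NodeVersion(NamedTuple):
    version: str        # base version, e.g. "2.2.0.470"
    patches: List[int]  # every patch number listed by show version

    @property
    def train(self) -> str:
        """Release train, e.g. "2.2" for 2.2.0.470."""
        return ".".join(self.version.split(".")[:2])

    @property
    def patch_level(self) -> int:
        """Effective patch level: the highest installed patch (cumulative)."""
        return max(self.patches, default=0)


def parse_show_version(text: str) -> NodeVersion:
    """Pull the base version and all patch numbers out of `show version` output."""
    blocks = re.split(r"\n(?=Cisco Identity Services Engine)", text)
    version: Optional[str] = None
    patches: List[int] = []
    for block in blocks:
        header, _, body = block.partition("\n")
        m = re.search(r"^Version\s*:\s*(\S+)", body, re.MULTILINE)
        if not m:
            continue
        if header.strip().endswith("Patch"):
            patches.append(int(m.group(1)))
        elif header.strip() == "Cisco Identity Services Engine":
            version = m.group(1)
    if version is None:
        raise ValueError("no ISE base version found in show version output")
    return NodeVersion(version, sorted(patches))


def exposure(node: NodeVersion, first_fixed: Dict[str, int]) -> Optional[bool]:
    """True if the node is below the fixed patch, False if it is at or above it,
    None if the node's train is absent from the table (read the advisory itself;
    an unlisted train may be unaffected or simply unfixed)."""
    fixed_in = first_fixed.get(node.train)
    if fixed_in is None:
        return None
    return node.patch_level < fixed_in


if __name__ == "__main__":
    node = parse_show_version(SAMPLE_SHOW_VERSION)
    state = exposure(node, FIRST_FIXED)
    print(node.version, "train", node.train, "patch level", node.patch_level)
    print({True: "EXPOSED", False: "covered", None: "train not in advisory"}[state])
```

Run it against the real `show version` output of each node in the deployment (PAN, MNT and every PSN), not just the primary; a node that missed a patch cycle is exactly the one this catches.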