04-02-2020 04:52 AM
We are in the process of planning the upgrade of our deployment, which consists of 2x Admin, 2x Monitoring and 4x Services nodes, all SNS-3595-K9.
As this is our first attempt doing an ISE upgrade, we are reviewing all the different methods to do it to determine which will be best suited to our environment. So we have come across some conflicting information that we hope someone would be able to help clarify.
CLI
Cisco CLI Upgrade guides have the following conflicting statement for a distributed deployment.
Does the below only apply to the Secondary Admin node when starting the upgrade?
---------------------------------------------------------------------------------------------------------
Note
Do not manually deregister the node before an upgrade. Use the application upgrade prepare and proceed
commands to upgrade to the new release. The upgrade process deregisters the node automatically and moves
it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the
license file for the Primary Administration Node before beginning the upgrade process. If you do not have
the file on hand (for example, if your license was installed by a Cisco partner vendor), contact the Cisco
Technical Assistance Center for assistance.
----------------------------------------------------------------------------------------------------------
If your PSN is part of a node group cluster, you must deregister the PSN from the PAN, upgrade it as a standalone node, and register it with the PAN in the new deployment.
This same explicit statement is not given for the Admin and Monitoring nodes, so my understanding is that when using the different upgrade commands the nodes get automatically deregistered, however the fact this is stated for the PSNs is making me somewhat confused.
So which of the below approaches are correct to follow:
1. When doing the upgrade of the PSN, is it sufficient to use the application upgrade prepare with a remote repository and application upgrade proceed CLI commands without 1st deregistering the PSN via the PAN GUI. Then register it to the new deployment, after the upgrade has completed successfully, via the Admin GUI?
2. Or do you have to copy the upgrade bundle to the local disk repository via CLI after it was created, deregister the PSN through the Admin GUI and then just run the straight application upgrade command. Then register it to the new deployment, after the upgrade has completed successfully, via the Admin GUI?
3. Is option 1 the correct steps for the Admin and Monitoring nodes?
=====================================================================
1. In both the CLI and GUI, can you specify any sequence that the PSNs can be upgraded in, even though they may be in different groups?
2. I have seen some conflicting information regarding the recommended sequence of Primary and Secondary MnT, so I just need some clarity on what the sequence for them should be? Cisco documentation does state Primary 1st, however I have seen a presentation from Cisco Live where a slide shows Secondary 1st.
The current proposed sequence we would like to use is as follows:
a SAN
b Primary MnT
c PSN2 in Group 1
d PSN2 in Group 2
e PSN1 in Group 1
f PSN1 in Group 2
g Secondary MnT
h PAN
Any assistance with the above will be greatly appreciated.
Kind regards
Francois
04-15-2020 08:42 AM
Hi @franjean47 ,
The order is correct:
a SAN
b Primary MnT
c PSN2 in Group 1
d PSN2 in Group 2
e PSN1 in Group 1
f PSN1 in Group 2
g Secondary MnT
h PAN
You do not have to deregister any node (unless there are issues during/after upgrade). Just run a URT before you actually do the upgrade. Follow the aforementioned sequence from the CLI (my personal preference). Once you get the SAN upgraded, the probability of running into issues goes down a lot.
But please do run the URT tool - ise-urtbundle-2.6.0.156-1.0.0.SPA.x86_64.tar.gz (available at ISE 2.6 downloads page).
04-15-2020 03:13 PM
One caveat to note... as stated in the ISE 2.6 Upgrade Guide (Step 3):
"If your PSN is part of a node group cluster, you must deregister the PSN from the PAN, upgrade it as a standalone node, and register it with the PAN in the new deployment."
04-15-2020 03:31 PM
04-15-2020 04:32 PM
Hi @Damien Miller,
This has long been a documented caveat in the upgrade guides and I have seen first-hand on a customer upgrade in the past (ISE 2.1 -> 2.3, if I remember correctly) where the upgrade failed on the PSNs because they were part of a Node Group.
I did some testing at the time by first removing them from the Node Group and then trying the upgrade, but it failed in the same spot (PSN joining the new PAN, I believe). It appeared to me that there was some linkage in the DB when the PSN joins the Node Group that just does not clear cleanly.
It's been a while since I have done an upgrade on a fully distributed cluster but, AFAIK, this is still the recommended process for PSNs in a Node Group.