Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1077
Views
5
Helpful
2
Replies

ISE 2.4 Upgrade Time

helalaou
Cisco Employee
Cisco Employee

‎05-24-2019 07:43 AM

Hi,

My customer needs to upgrade their distributed ISE deployment from ISE 2.3 to 2.4. They say that the upgrade time described in our upgrade guide requires very long maintenance/downtime windows: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/upgrade_guide/b_ise_upgrade_guide_24/b_ise_upgrade_guide_24_chapter_00.html#reference_B620AA67DB594580B28983A4AFE8C620

Do we have any detailed upgrade plan for distributed ISE deployments that could minimize the downtime ? Any suggestions/recommendations ?

Many thanks,

Hicham

0 Helpful
2 Replies 2

Jason Kunst
Cisco Employee
Cisco Employee

‎05-24-2019 09:07 AM

Recommend look over this

https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934

They can do what’s called a split upgrade . Upgrade half or portion of the nodes. Validate them and at later time cut the others over.

This way you get time to test validate environment and move it in more relaxed manner. Also make sure they use the upgrade readiness tool.

Some partners will also recommend just building your PSN nodes fresh and add them to deployment instead of wasting time upgrading them.
0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni

‎05-24-2019 09:13 AM

I suppose it is a coincidence that I am checking the forums as I wait for my transition from 2.3 -> 2.4 and stumbled upon this post. Here is my scenario:
Was running 2.3p5
Planning on getting to 2.4p5
2 PANs 2 PSNs
A few weeks ago I ran the URT and it estimated 7-8 hours. This morning once I got the bundle and everything squared away on my linux repo the PAN GUI stated for all 4 nodes it would take 960 minutes (16 hours), which is false. Ensure your customer has, at a minimum, configuration backups prior to doing anything. Also, I recommend performing the upgrade via CLI. I had issues with the GUI this morning due to some expired certs and other issues. Make sure name lookups work as well. The move I performed for the 4 nodes is as follows:
move secondary PAN to 2.4.x (now is the new PAN until later on)
move PSN1 to 2.4.x (during this move PSN2 with the original PAN will still be servicing requests)
Ensure that PSN1 is functioning as expected for policy services requests by checking radius live logs on secondary PAN on 2.4.x which actually gets promoted to PAN
Once that is confirmed, move PSN2 to 2.4.x and the new 2.4 cluster (now PSN1 is servicing all NAD requests)
Finally, move original PAN; Once moved over promote to primary again;
Apply whatever patch, if necessary after bundle upgrade success
If applying patches, it should take maybe an hour depending on the size of course.

If your NADs are configured to utilize the distributed deployment there should be no outages if things transition smoothly. A workaround, peace of mind, could be having your customer extend the reauthentication timers in the authorization profiles to something like 15 hours, ensuring hosts authenticated and will not reauthenticate again for X amount of time. This could potentially help them if they encountered issues with both PSNs during the transition. Keep in mind that each deployment scenario are unique, but this general approach should be similar. Good luck & HTH!
Customers Also Viewed These Support Documents