Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1022
Views
5
Helpful
2
Replies

ISE 2.6 Patch 6 Rebuild on VM with plan to upgrade to 2.7 in the near future

joseponceiii
Level 1
Level 1

‎11-24-2020 01:49 PM

Hi Team,

 

I'm fairly new to the ISE world but wondering if I can get some help here. Currently we have 2 ISE nodes deployment (primary and secondary PAN/MNT) on a VM and for some reason the secondary ISE went down and will be needing a rebuild. We are planning to upgrade to 2.7 before this happened. 

 

Question: Is there any recommended approach with this kind of scenario? Basically the plan would automatically to make secondary ISE  rebuild (restore backups,restore certificates, etc.) and into what version? Would you think it's a good idea to re-build the secondary to 2.7? Well for what I understand, if we do this it will not be able to join the deployment and if we plan to upgrade the primary to 2.7 then it will have more downtime since the secondary is still not joined. Am I correct? Any suggestions?

 

Thank you.

0 Helpful
2 Replies 2

Aref Alsouqi
VIP
VIP

‎11-25-2020 01:17 PM - edited ‎11-25-2020 01:17 PM

When you say the secondary node went down, what do you mean? it crashes if you try to power it on? one thing to keep in mind is that you can reset ISE application using the command application reset-config ise which will reset ISE application keeping the certs and the node networking configs. Regarding upgrading the new node to version 2.7, although you could do this, however, in this case you would need to configure this new node as a standalone node as you can't mix versions within same deployment, so you need to configure everything on it as I don't believe you can restore the backup from taken from a different version, and you also need to import the certs. Then once the new node is completely configured, you need to change the order of the RADIUS/TACACS servers on the NADs to point to it, that's to allow you to start upgrading the other node to version 2.7. Once that is upgraded you need to form the deployment, and change back the RADIUS/TACACS servers order on the NADs. As you can see there is no advantage in doing this, and it actually introduce some unnecessary works. Best approach would be to rebuild the new node with the same exact version and patch as the existing one. Join it to the deployment, wait for them to synch up, and then, you can undertake the upgrade process to version 2.7 which will bring both of them to that version with minimum downtime, as it will always start with the secondary PAN, and won't go ahead upgrading the primary PAN unless the secondary PAN has been successfully upgraded and promoted to be the new primary.

joseponceiii
Level 1
Level 1
In response to Aref Alsouqi

‎11-25-2020 07:25 PM

Hi @Aref Alsouqi Thanks for your inputs. That makes sense. The secondary node is completely dead and no way we can restart application services and no other option but to rebuild. I just also received advice from TAC that we can restore backup config from older version to a new version when rebuilding the secondary node. So I think it would be easier now that we don't have to do the configuration manually on the new ISE node. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents