ISE 2.6 Patch 6 Rebuild on VM with plan to upgrade to 2.7 in the near future

Hi Team,


I'm fairly new to the ISE world but wondering if I can get some help here. Currently we have a 2-node ISE deployment (primary and secondary PAN/MNT) on a VM, and for some reason the secondary ISE went down and will need a rebuild. We were planning to upgrade to 2.7 before this happened.


Question: Is there any recommended approach for this kind of scenario? Basically, the plan would automatically be to rebuild the secondary ISE (restore backups, restore certificates, etc.), and into what version? Do you think it's a good idea to rebuild the secondary to 2.7? Well, from what I understand, if we do this it will not be able to join the deployment, and if we plan to upgrade the primary to 2.7 then it will have more downtime since the secondary is still not joined. Am I correct? Any suggestions?


Thank you.

Rising star

When you say the secondary node went down, what do you mean? Does it crash if you try to power it on? One thing to keep in mind is that you can reset the ISE application using the command application reset-config ise, which will reset the ISE application while keeping the certs and the node networking configs.

Regarding upgrading the new node to version 2.7: although you could do this, in this case you would need to configure this new node as a standalone node, as you can't mix versions within the same deployment. So you would need to configure everything on it, as I don't believe you can restore a backup taken from a different version, and you would also need to import the certs. Then, once the new node is completely configured, you need to change the order of the RADIUS/TACACS servers on the NADs to point to it; that's to allow you to start upgrading the other node to version 2.7. Once that is upgraded, you need to form the deployment and change back the RADIUS/TACACS server order on the NADs. As you can see, there is no advantage in doing this, and it actually introduces some unnecessary work.

The best approach would be to rebuild the new node with the exact same version and patch as the existing one. Join it to the deployment, wait for them to sync up, and then you can undertake the upgrade process to version 2.7, which will bring both of them to that version with minimum downtime, as it will always start with the secondary PAN and won't go ahead upgrading the primary PAN unless the secondary PAN has been successfully upgraded and promoted to be the new primary.


Hi @Aref Alsouqi, thanks for your input. That makes sense. The secondary node is completely dead, there is no way we can restart application services, and there is no other option but to rebuild. I also just received advice from TAC that we can restore a backup config from an older version to a new version when rebuilding the secondary node. So I think it would be easier now that we don't have to do the configuration manually on the new ISE node.
