
ISE 2.6 upgrade via CLI or GUI?

LUCA_ITALY
Level 1

Hi to all,

I'm preparing an upgrade of 2 ADMIN/MNT nodes and 4 PSNs.

I checked all the items on the checklist and found this:

"When upgrading Cisco ISE using the GUI, note that the timeout for the process is four hours. If the process takes more than four hours, the upgrade fails. If upgrading with the Upgrade Readiness Tool (URT) will take you more than four hours, Cisco recommends that you use CLI for this process."

I ran the URT and this is the result.


MNT data is 45 GB, purging this data can reduce upgrade time
valitvaise02(SECONDARY PAP,MNT,PDP,PXG):294
MNT data is 45 GB, purging this data can reduce upgrade time
valitvaise01(PRIMARY PAP,MNT,PDP,PXG):290
MNT data is 45 GB, purging this data can reduce upgrade time
Each PSN(5 if in parallel):60

 

I already purged the DB. Is there a way to reduce the time required? Do I have to use the CLI?

I also checked the following; this means that I cannot use the GUI for every upgrade....

 

| Type of Deployment | Node Persona | Time Taken for Upgrade |
|---|---|---|
| Standalone | Administration, Policy Service, Monitoring | 240 minutes + 60 minutes for every 15 GB of data. In order to purge old data within the upgrade timeout period, follow the steps in the "Purge Older Operational Data" |
| Distributed | Secondary Administration Node | 240 minutes |
| Distributed | Policy Service Node | 180 minutes |
| Distributed | Monitoring | 240 minutes + 60 minutes for every 15 GB of data |
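
Added example (not part of the original post, and not Cisco tooling): a small parser for URT estimate lines in the form pasted above, flagging every node whose estimate exceeds the four-hour GUI timeout quoted from the checklist. The function names are hypothetical, and the estimates are assumed to be in minutes.

```python
import re

GUI_TIMEOUT_MIN = 4 * 60  # GUI upgrade timeout quoted in the post: four hours

# Sample input: the URT estimate lines as pasted in the post above.
URT_OUTPUT = """\
MNT data is 45 GB, purging this data can reduce upgrade time
valitvaise02(SECONDARY PAP,MNT,PDP,PXG):294
MNT data is 45 GB, purging this data can reduce upgrade time
valitvaise01(PRIMARY PAP,MNT,PDP,PXG):290
MNT data is 45 GB, purging this data can reduce upgrade time
Each PSN(5 if in parallel):60
"""

# Shape of an estimate line: "<label>(<details>):<estimate>".
# Assumption: the trailing number is the estimated upgrade time in minutes.
ESTIMATE_RE = re.compile(
    r"^(?P<label>[^()]+)\((?P<details>[^()]*)\):(?P<minutes>\d+)$"
)


def parse_urt_estimates(text):
    """Return one dict per estimate line; advisory lines are skipped."""
    estimates = []
    for line in text.splitlines():
        match = ESTIMATE_RE.match(line.strip())
        if match is None:
            continue  # e.g. "MNT data is 45 GB, purging this data ..."
        estimates.append({
            "label": match["label"].strip(),
            "details": match["details"],
            "minutes": int(match["minutes"]),
        })
    return estimates


def gui_timeout_risks(estimates, timeout_min=GUI_TIMEOUT_MIN):
    """Return (label, minutes over the timeout) for each estimate above it."""
    return [
        (e["label"], e["minutes"] - timeout_min)
        for e in estimates
        if e["minutes"] > timeout_min
    ]


if __name__ == "__main__":
    for label, over in gui_timeout_risks(parse_urt_estimates(URT_OUTPUT)):
        print(f"{label}: estimate exceeds the GUI timeout by {over} min")
```
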


Mike.Cifelli
VIP Alumni
Glad to hear that you already used the URT tool. In my experience I typically use CLI for bundle upgrades and rely on GUI for patch updates (for time concerns and honestly just preference). What version are you upgrading from? Here are some additional things you can do that may help with saving time:
-Upgrade all nodes to the latest patch for whatever version you are running prior to beginning any bundle upgrades.
-Purge operational data (already done according to your statements)
-Review existing policies and rules and remove outdated and unnecessary policies/rules
-Purge all local logs

Thank you MIKE!

We are upgrading from 2.3 to 2.6 and the last patch was installed a few days ago.

Policies should all be in use, so I don't think that we can save some space from here...

How can I purge all local logs?

Do you suggest to use CLI for the upgrade?

Another question: I already copied the package to all the nodes. Is the URT taking into account the time to transfer the packages to all the nodes? Is it included in the estimated upgrade time?

How can I purge all local logs?
-Administration->System->Logging->Local Log Settings
Do you suggest to use CLI for the upgrade?
-I suggest the CLI for sure. AFAIK if the GUI times out the upgrade will fail.
Another question: I already copied the package to all the nodes. Is the URT taking into account the time to transfer the packages to all the nodes? Is it included in the estimated upgrade time?
-AFAIK, no. The URT is checking version compatibility, disk space, memory, system, and a few other things. It will clone the existing config database, copy the upgrade files to the bundle, and then perform an upgrade on the cloned db to provide an estimated upgrade time.
See here for some additional help as well:
https://community.cisco.com/t5/network-access-control/ise-2-4-upgrade-time/m-p/3862501#M472686
Do not forget to open a TAC case just in case things go wrong and you need escalated help. Also, ensure that you have at a minimum config data backups. HTH!

URT does not include the time to transfer the file from the repository to the node. My personal preference would be CLI since you can upgrade multiple nodes (PSNs only without any other persona) simultaneously after the Secondary Admin and one of the monitoring nodes are upgraded unlike from GUI. Saves a lot of time.

Damien Miller
VIP Alumni
Like Mike and Surendra, I'll also advocate for CLI upgrading and patching. It gives you the control of the process that the GUI can't.

You can save time by leveraging a local disk repository. Stage the upgrade file on the localdisk of each node, then create a repository in the GUI that points to it. This way you can stage the file before the upgrade window and are not waiting for it to transfer across the network.

Thank you to all!!