Re: ISE 2.6 vs 2.7 lifecycles

andy!doesnt!like!uucp · ‎10-11-2020

Hello

i'm trying to define titled SUBJECT but have difficulties with revealing any of the start/intermediate points for each of products (i.e. FCS/EoL-notice etc). The target goal is to compare the dates of EoSupport & to make a decision which version is better to upgrade current deployment from STR/LTR perspective.

Can anybody here help me?

Leo Laohoo · ‎10-11-2020

The place where I work use ISE 2.6 and I can recommend, with overwhelming confidence, anyone to STAY AWAY FROM ISE 2.6.

andy!doesnt!like!uucp · ‎10-11-2020

Hi Leo

i'm going to correct my activities according to your message. tons of thanks. But could u pls give more details on bad experience with 2.6 & generally what would u suggest to upgrade 2.1 to instead of 2.6? Getting toward 2.7 would expose 2 step upgrade + STR restrictions to lifecycle in this case... i'm a little bit lost.

Leo Laohoo · ‎10-11-2020

Since ISE 2.6, patch 4, it has been nothing but trouble.

@Damien Miller or @Marvin Rhoads may have some opinions about ISE 2.6 vs ISE 2.7.

andy!doesnt!like!uucp · ‎10-11-2020

tnx Leo, so u dont have any advice about what could be the best version to migrate from 2.1?

@Marvin Rhoads @Damien Miller
Guys could u pls help me?

Leo Laohoo · ‎10-11-2020

You asked whether it would be beneficial to upgrade to ISE 2.6 or ISE 2.7. My response is "avoid ISE 2.6". This leaves ISE 2.7 the "last man standing".

andy!doesnt!like!uucp · ‎10-11-2020

Ok... Lets relax the restrictions from being "either 2.6 or 2.7"? what would u suggest then?

& last Q pls: have u achieved any improvements on your 2.6 after patching to ise-patchbundle-2.6.0.156-Patch7-20061206.SPA.x86_64.tar.gz ?

Damien Miller · ‎10-11-2020

This is an opinion, but my feeling right now.

Best stability, 2.4 p13.

Best mix of stability, features, and support life span, 2.7 p2.

Crazy and want some mystery in your life, 3.0.

Looks like you already found it, but every release since 2.4+ is considered a long term support release under the old model. From initial public release you have about four years of support before eos/eol.

I'm taking a couple very large 2.4 ise deployments to 2.7 p2 over the next couple weeks.

andy!doesnt!like!uucp · ‎10-11-2020

tnx Damien,

2.7 therefore. only disadvantage will be 2step upgrade from 2.1

P.S. "Crazy and want some mystery in your life, 3.0."
nice comparison :0D

P.P.S. & good luck with your coming soon migration!

andy!doesnt!like!uucp · ‎10-11-2020

found solution here:

https://community.cisco.com/t5/network-access-control/upgrading-ise-from-2-4-to-2-6-suggestions-and-recommended-patch/m-p/4150927#M562829

2.7 is LTR. meaning no sense to compare to 2.6 from this perspective

Aref Alsouqi · ‎10-11-2020

Personally I think any new release regardless of the version would have some caveats and bugs. For our customers we always go for the latest recommended release by Cisco. As of now, ISE 3.0 is out, however, the gold release is still 2.7. I think as long as you go with the latest patches whether 2.6 or 2.7 you should be good to go. If you want more details, please take a look at the release notes.

marce1000 · ‎10-12-2020

- Check this document too :

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-740738.html

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Arne Bier · ‎10-12-2020

If you ask 100 people you'll most likely get 100 different answers. I had a horrible introduction to ISE 2.7 after I upgraded my rock solid 2.4 - I eventually deleted that VM and installed ISE 2.6 p7 from scratch and rebuilt the entire system in a few hours (wasn't too complex). It's been rock solid (wired and wirelss 802.1X/MAB, TACACS and pxGrid). I don't plan to upgrade because at the moment I don't need any new features.

All new customer jobs are getting 2.7 p2 - so far I have had no complains (similar use cases to mine).

I also did a successful ISE 2.3 to 2.7 upgrade on VMs (we deployed new OVA and then restored the config) - no issues with stability.

I don't know what to say here because we are never talking about the same thing - every customer has potentially different use cases and also carries their own upgrade history with them (and junk lying around on the disk that could cause issues).

Even when I say that I am happy with ISE 2.6 p7, it may be because I have not yet run into bug XYZ, since I have not (and will never) use a certain feature.

There is no substitute for testing. Spin up a VM in the lab and restore your config to see what happens next.

First and foremost Cisco should do the testing so that customers should not have to be the lab rats. Or at least, customers should only be finding those esoteric bugs that Cisco lab testing would not easily find.

Leo Laohoo · ‎10-12-2020

@Arne Bier wrote:

I eventually deleted that VM and installed ISE 2.6 p7 from scratch and rebuilt the entire system in a few hours (wasn't too complex). It's been rock solid

Our biggest mistake was installing Patch 4 of ISE 2.6.

Everything went downhill after that. If ISE 2.6 did not have Patch 4 installed, everything would be fine.

@Arne Bier wrote:

Cisco should do the testing so that customers should not have to be the lab rats.

We are investigating other options. Since using ISE, we really do not "enjoy" finding bugs that were easily reproduceable if any effort in testing was ever conducted in the first place.

andy!doesnt!like!uucp · ‎10-13-2020

i tend to think that having huge base of customers backup&operational-configs around the globe sent to TAC during t/s of customers cases in the past it wouldnt be a problem for Cisco to extend lab-tests of new patches/releases with case of restoring from customer's backups to check everything is going Ok or vice versa.