
ISE 2.7 VM to 3.3 upgrade

RamsesDE
Level 1

Hi all,

Wondering what is the best way to upgrade ISE VMs (PAN/PSN and SAN/PSN) from 2.7 to 3.3 patch 3.

I'm planning to do Backup&Restore method into 2 new VMs (assign temp IP addresses then change these to the production ones, when finished).

Should we perform this in a 2-staged upgrade (2.7->3.2 then 3.2->3.3)? Or can we restore the 2.7 backup directly to 3.3?

No use for profiling, BYOD or posture (just features covered by Essential licenses).

Certificates will be re-imported and AD joins restored later on.

Do we generally do the Restore before or after the Patch install?

Appreciate your feedback

12 Replies

I would do it in the same way as you mentioned by spinning up two new nodes with ISE 3.3 installed, and then import the config backup. Importing the config backup would be done at the very end after ISE 3.3 latest patch has been installed. The certificates would be included in the backup, but as a best practice I would recommend exporting them from the current ISE deployment just in case.

One thing to keep in mind is that with ISE 3.3 the licensing model has changed compared to version 2.7. With ISE 3.3 we can't use the traditional licenses any longer and we have to use smart licensing. Because of this you would need to engage with Cisco licensing team asking them to convert your traditional licenses to the new formatting. If you are using smart licensing in ISE 2.7 you still need to engage with Cisco licensing team to convert the old licenses to the new ones (R-ISE-VMC-K9). Usually Cisco licensing team issues a new temporary license set to be used in your current ISE deployment to allow you some time to migrate from 2.7 to 3.3 without any disruption. Once that grace period of the temporary licenses expires, the temporary licenses will be removed and you will only find the new licenses in your smart account.

Also, please keep in mind that if you want to restore the underlying configs such as IP addressing then you can add the keyword "include-adeos" to the "restore" command in CLI.

Hi Aref,

Thank you for the feedback.

The licensing has been taken care of (purchased new ones, since last date of conversion has already expired).

AFAIK, the ISE certificates themselves are not included in the backup and need to be re-imported with their private keys (from a previous export).

So you agree on getting directly to 3.3p3 for the restore without passing through 3.2?

thx again

Thank you Ahollifield,

That matrix confirms that I need to perform a 2-staged install if using Backup&Restore. I will do 2.7->3.x (0,1 or 2) then 3.x->3.3

Thank you all

Hi. Just to clarify, what I was referring to wasn't an upgrade approach, it was instead spinning up new VMs with ISE 3.3 and then importing the ISE 2.7 backup on them. This is basically a parallel deployment to your existing one, not an actual upgrade, and this is what we refer to as the "Backup & Restore" approach.

However, if you want to upgrade the existing 2.7 to 3.3 then, as shown in the link shared by @ahollifield, you have to go to 3.2 first and then to 3.3, and in that case you don't have to rely on the "Backup & Restore" as the upgrade will be done on top of the existing config you have in 2.7.

Regarding the certificates, I'm pretty sure I'd gone through some investigation a few years back and found out that when you do the config backup ISE includes the certificates in the backup. I could be wrong, but this is what I remember.

lisacoody
Level 1
Level 1

I'm also upgrading from version 2.7. I'm curious... Did you back up and restore to 3.0, 3.1, or 3.2 before going to 3.3?

Thanks!

Go 3.2. With latest 3.2 patch.

Hi @lisacoody ,

beyond what @ahollifield already said ...

Make sure that you are using the latest Patch of your Release, before any major upgrade:

  • ISE 2.7 P10 > ISE 3.2 P7 > ISE 3.3 P6

Make sure that your Hardware is compatible with the new Release:

Note:

  • ISE 3.3 has parity with ISE 3.2 Patch 2.
  • ISE 3.3 P6 is Cisco Suggested Release

Hope this helps !!!

Marcelo,

Thank you very much for taking the time to help me out - your advice is greatly appreciated!

I have a two-node cluster on version 2.7 (patches 2, 4, 9). I've already pre-staged two nodes on version 3.2 (no patches) using the same name, but different (temporary) IP addresses. I'm planning to do a backup and restore upgrade tomorrow. I've run the health check and URT bundle and all looks good. The new nodes are on Nutanix hardware.

The existing cluster does not have P10; should I install it first? Run the URT bundle again, then take backups once more before restoring on the 3.2 nodes?

The new 3.2 nodes do not have patch 7 installed yet. Can I do that before I restore from backup or should I wait until after the restoration of both nodes is complete?

Thanks in advance!

@lisacoody ,

keep in mind that if you have a 2-Node Cluster, for example Node 1 (PPAN/PMnT/PSN) and Node 2 (SPAN/SMnT/PSN), you can:

  • de-register Node 2 from the Cluster
  • update to ISE 2.7 P10
  • upgrade to ISE 3.2
  • update to ISE 3.2 P7
  • upgrade to ISE 3.3
  • update to ISE 3.3 P6
  • test Node 2 with the new Release
    1. If everything is OK, install Node 1 in ISE 3.3 from scratch, update to ISE 3.3 P6 and register it to the Node 2 Cluster
    2. If you have issues, install Node 2 in ISE 2.7 from scratch, update to ISE 2.7 P9 and register it to the Node 1 Cluster

 

Note: if you have a 3rd Hardware, you can perform all of the above steps without changing your Production environment, until the last step.

Hope this helps !!!

Thanks for the advice, Marcelo. I hadn't thought about doing it that way before. 

@lisacoody ,

don't worry ... keep that in mind for next time ... :)

Is there anything more I can do for you?