ISE 2.7 VM to 3.3 upgrade

RamsesDE
Level 1

Hi all,

Wondering what is the best way to upgrade ISE VMs (PAN/PSN and SAN/PSN) from 2.7 to 3.3 patch 3.

I'm planning to use the Backup & Restore method into 2 new VMs (assign temp IP addresses, then change these to the production ones when finished).

Should we perform this as a 2-staged upgrade (2.7->3.2 then 3.2->3.3)? Or can we restore the 2.7 backup directly to 3.3?

No use for profiling, BYOD or posture (just features covered by Essential licenses).

Certificates will be re-imported and AD joins restored later on.

Do we generally do the Restore before or after the Patch install?

Appreciate your feedback

5 Replies

I would do it in the same way as you mentioned, by spinning up two new nodes with ISE 3.3 installed and then importing the config backup. Importing the config backup would be done at the very end, after the latest ISE 3.3 patch has been installed. The certificates would be included in the backup, but as a best practice I would recommend exporting them from the current ISE deployment just in case. One thing to keep in mind is that with ISE 3.3 the licensing model has changed compared to version 2.7. With ISE 3.3 we can't use the traditional licenses any longer and we have to use smart licensing. Because of this you would need to engage with the Cisco licensing team, asking them to convert your traditional licenses to the new format. If you are using smart licensing in ISE 2.7 you still need to engage with the Cisco licensing team to convert the old licenses to the new ones (R-ISE-VMC-K9). Usually the Cisco licensing team issues a new temporary license set to be used in your current ISE deployment to allow you some time to migrate from 2.7 to 3.3 without any disruption. Once the grace period of the temporary licenses expires, the temporary licenses will be removed and you will only find the new licenses in your smart account. Also, please keep in mind that if you want to restore the underlying configs such as IP addressing, then you can add the keyword "include-adeos" to the "restore" command in the CLI.

Hi Aref,

Thank you for the feedback.

The licensing has been taken care of (purchased new ones, since the last date of conversion has already expired).

AFAIK, the ISE certificates themselves are not included in the backup and need to be re-imported with their private keys (from a previous export).

So you agree on getting directly to 3.3p3 for the restore without passing through 3.2?

thx again

Thank you Ahollifield,

That matrix confirms that I need to perform a 2-staged install if using Backup & Restore. I will do 2.7->3.x (0, 1 or 2) then 3.x->3.3.

Thank you all

Hi. Just to clarify, what I was referring to wasn't an upgrade approach; it was instead spinning up new VMs with ISE 3.3 and then importing the ISE 2.7 backup on them. This is basically a parallel deployment to your existing one, not an actual upgrade, and this is what we refer to as the "Backup & Restore" approach. However, if you want to upgrade the existing 2.7 to 3.3 then, as shown in the link shared by @ahollifield, you have to go to 3.2 first and then to 3.3, and in that case you don't have to rely on "Backup & Restore" as the upgrade will be done on top of the existing config you have in 2.7. Regarding the certificates, I'm pretty sure I'd gone through some investigation a few years back and found out that when you do the config backup ISE includes the certificates in the backup. I could be wrong, but this is what I remember.