Showing results for 
Search instead for 
Did you mean: 

ISE CLI 2.7 upgrade, node-group and PSN deregistration

Cisco Employee
Cisco Employee

Hi team,


Looking for a confirmation to help a customer and partner for an upgrade. The customer has 8 PSNs that are being load-balancers and part of a node-group and the partner is looking at using the CLI upgrade process.


The upgrade documentation and best practices documents indicate that if the PSN is part of a node-group, then it has to be deregistered, upgraded as standalone and then re-registered.


From what I understand, the "application upgrade proceed" command will do exactly this i.e. de-register the PSN, upgrade it and re-join it to the new primary PAN so are there additional considerations in this when upgrading PSNs part of a node-group vs PSNs not part of a node-group?



3 Replies 3

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

I know this is stated in the upgrade guide, however I have never done it while inline upgrading nodes from 2.x to 2.x. Having nodes in nodes groups has not caused me any grief.
I now just stage the upgrade file locally on the nodes disk, point a repo to it, then run "upgrade application <upgrade file name> <repo name>. No upgrade prepare or proceed at all. 

Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor


 the Upgrade Documentation says:


"...If your PSN is part of a Node Group Cluster, you must deregister the PSN from the PAN, upgrade it as a standalone node, and register it with the PAN in the new deployment..."


On the other hand the application upgrade proceed command:

. deregister the PSN from the PAN (STEP 4)

. register it with the PAN in the new deployment (STEP 6)

. upgrade the Node (STEP 9


ise/admin# application upgrade proceed 
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
STEP 1: Stopping ISE application...
STEP 2: Verifying files in bundle...
-Internal hash verification passed for bundle
STEP 3: Validating data before upgrade...
STEP 4: De-registering node from current deployment.
STEP 5: Taking backup of the configuration data...
STEP 6: Registering this node to primary of new deployment...
STEP 7: Downloading configuration data from primary of new deployment...
STEP 8: Importing configuration data...
STEP 9: Running ISE configuration data upgrade for node specific data...
STEP 10: Running ISE M&T database upgrade...
Stopping ISE Monitoring & Troubleshooting Log Processor...
ISE database M&T schema upgrade completed.
% NOTICE: The appliance will reboot twice to upgrade software and ADE-OS. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete.
Rebooting to do Identity Service Engine upgrade...


This is the difference.


Hope this helps.


Greg Gibbs
Cisco Employee
Cisco Employee

I don't know if something has changed in the more recent versions of ISE, but the last time I attempted to upgrade an ISE cluster (I believe it was 2.1 -> 2.3, maybe) that had PSNs configured in Node Groups, the upgrade of the PSNs failed. From memory, the auto de-registration from the old PAN works fine, but when it tries to register the PSN with the new PAN, it fails due to the linkage with the Node Group assignment. The PSN then ends up failing the upgrade and re-registering with the old PAN.

As this step is still in the Upgrade Guide for ISE 2.7, I would suggest following that to reduce the chance of any issues.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers