Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
444
Views
4
Helpful
9
Replies

ISE cluster upgrade

manvik
Level 3
Level 3

‎05-29-2024 05:59 AM

ISE nodes in DC and DR plus a monitoring node. DC & DR node runs admin, policy service in single node. Currently version 3.2, what's the procedure to upgrade to 3.3 in this scenario. 
Should we upgrade node one-by-one.

0 Helpful
9 Replies 9

Ben Walters
Level 3
Level 3

‎05-29-2024 09:02 AM

There are a number of steps required for an ISE upgrade and it really depends on your node setup.

If you have a look at this guide: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/upgrade_guide/Upgrade_Journey/PDF/b_ise_upgrade_guide_3_3_pdf.pdf 

Starting on page 21 it will go over the process and it has the upgrade order for all different types of deployment, just choose the one that matches your setup and follow that. 

 

ahollifield
VIP
VIP

‎05-29-2024 09:59 AM

What type of deployment is this?  Small medium or large?  It sounds to me like this is not supported deployment.  What roles are on each node?  How many nodes?

manvik
Level 3
Level 3
In response to ahollifield

‎06-02-2024 09:53 PM

@ahollifield it's a small deployment. Each ISE VM has policy, admin node. ISE used only for Tacacs authentication. The tac says upgrade can be done from ISE 3.2 to 3.3.

0 Helpful

ahollifield
VIP
VIP
In response to manvik

‎06-03-2024 05:12 AM

Got it, so only two nodes then?

0 Helpful

manvik
Level 3
Level 3
In response to ahollifield

‎06-03-2024 06:53 AM

Yes, two nodes + one for dedicated monitoring (MnT).

0 Helpful

ahollifield
VIP
VIP
In response to manvik

‎06-03-2024 07:00 AM

Huh?  This is not a supported deployment type.  How many nodes total?  Three? 

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

0 Helpful

Marcelo Morais
VIP
VIP

‎05-29-2024 01:48 PM

Hi @manvik ,

1st to get the software: ISE Software Download.

2nd check your ISE 3.2 Patch number ... remember that ISE 3.3 has parity with ISE 3.2 Patch 2.

3rd you will upgrade your ISE Cluster first to ISE 3.3 and next to ISE 3.3 Patch 2 (the latest version of ISE 3.3)

4th use the URT (Upgrade Readiness Tool) to validate Config DB upgrade from 3.2 to 3.3 (file ise-urtbundle-3.3.0.430a-1.0.0.SPA.x86_64.tar.gz)

5th you can upgrade via CLI or GUI (check the Cisco ISE Journey for Release 3.3) and choose your upgrade sequence of the Nodes, please take a look at:

ISE Upgrade Journey 3.3.png

 

Hope this helps !!!

manvik
Level 3
Level 3

‎06-03-2024 12:06 AM

Thank you @Marcelo Morais  and @Ben Walters the TAC says upgrade can directly be done to version 3.3. I am planning to do so.
Most of the ISE upgrade documents were mentioning to detach ISE node from cluster before upgrade, then perform upgrade.
I understand it's not required. If upgrading OS first upgrade secondary ISE VM, then primary. 
If upgrading patch first primary then secondary ISE VM.

0 Helpful

Marcelo Morais
VIP
VIP
In response to manvik

‎06-03-2024 08:01 AM

Hi @manvik ,

 if you "detach" ISE Node (de-register the Secondary Node from Primary), your Small Deployment will become two Standalone Deployment., after that you are able to upgrade one Standalone Deployment to ISE 3.3 Patch 2 and double check if everything is fine before upgrade the other Standalone Deployment.

Hope this helps !!!

Customers Also Viewed These Support Documents