01-19-2021 05:47 AM
I am standing up ISE 2.7 distributed deployment with 2 PANs, 2 MNTs and 6 PSNs
My current ISE deployment is 2.2. I am in the process of upgrading to 2.7, and I have configured and stood up an ISE 2.7 distributed deployment with 2 PANs, 2 MNTs and 6 PSNs. ISE 2.7 is still in a lab environment. I restored ISE 2.7 from an ISE 2.2 backup. The issue I am having after I restore is that I don't see any of the nodes on the deployment. The PAN is coming up as standalone. Also, when I try to access the nodes individually, it appears as if it is still in deployment mode. Any help will be appreciated.
01-19-2021 07:26 AM - edited 01-19-2021 08:23 AM
I restored ISE 2.7 from an ISE 2.2 backup. The issue I am having after I restore is that I don't see any of the nodes on the deployment. The PAN is coming up as standalone. Also, when I try to access the nodes individually, it appears as if it is still in deployment mode.
-This is normal behavior. I recently, within the last 3ish months, went through a cluster migration from 2.4 to 2.7. There are a few things that need to be done, and some items to be aware of. Here is an overview of what I did that worked perfectly fine in regard to a seamless migration (note both old/new clusters are/were virtual). Note that all node hostnames and IPs remained the same*;
On current (old) cluster:
disabled pan failover
promoted pan2 to primary
unjoined pan1 from AD
exported certificates
deregistered pan1 from cluster
enabled nic on new pan1 in 2.7 cluster
shut nics on old pan1 in 2.4 cluster
changed IP address on new pan on nic 1 (services restart)
added nic 2 and added underlay ip address (services restart)
added static routes via CLI for additional nic
started system restore from backup
kicked off restore & successfully worked ~35 minutes
re-joined node to AD
setup node as primary node with right personas
started psn1 migration
exported certs
unjoined ad
deregistered from cluster
shut nics
added nics to new psn1 running 2.7
changed ip addresses and added appropriate static routes
registered with new pan
setup proper personas
synced with new pan
joined to AD
*verified radius live logs to determine it is servicing clients
The process is the same for other nodes. During the migration, essentially both old and new cluster PSNs are capable of servicing requests, which aids in a seamless migration. Once you have a PSN synced, registered, and set up in the new cluster that you confirm is capable of servicing requests, you can continue migrating old nodes to newly built cluster nodes.
Helpful FYSAs:
-Every IP change restarts services
-Changing personas restarts services
-During upgrade/restore helpful logs can be seen via: #sh logging system ade/ADE.log
Lastly, I would recommend developing a plan that meets your needs and ensures minimum downtime for end users. I also definitely recommend working with TAC to ensure things are good to go in case you need additional support. Your situation may vary from my experiences, but I wanted to share my process, as a cluster migration can be a heavy lift. Take a look at the following (specifically the section "Upgrade Cisco ISE Deployment Using Backup and Restore Method (Recommended)"): Cisco ISE 2.7 Upgrade Guide: Upgrade Method - Cisco
Also see: Cisco ISE & NAC Resources - Cisco Community
HTH & good luck!