Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
574
Views
3
Helpful
5
Replies

ISE Small Deployment upgrade

Go to solution
Chess Norris
Level 4
Level 4

‎10-11-2023 12:35 AM

Hello,

I'm planning for upgrading a Small Deployment ISE setup with just a primary and secondary node.

The upgrade will be from ISE 2.7 to 3.2. 

After upgrading the secondary node, do I need to de-register the node from the cluster, or should I turn off failover and promote the secondary node to primary? 

Also, what is the best way to deal with the license transfeer from the old 2.x licenses? Should I prepare to get the new licenses in my smart account before the upgrade or should I ask Cisco to migrate the licenses after the upgrade?

Thanks

/Chess

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahollifield
VIP
VIP
In response to Chess Norris

‎10-12-2023 06:22 AM

The prepare is enough.  In both scenarios the upgrade bundle is copied to the local machine.   Don't forget to the run the URT on the secondary admin node.

Patching no, you patch the PAN first. 

View solution in original post

5 Replies 5

Go to solution
marce1000
VIP
VIP

‎10-11-2023 01:04 AM

 

 - FYI : https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/upgrade_guide/Upgrade_Journey/PDF/b_ise_upgrade_guide_3_2_pdf.pdf

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
Chess Norris
Level 4
Level 4
In response to marce1000

‎10-11-2023 11:49 PM

Thanks for the reply. 

I am a bit confused about the "application upgrade prepare" command. According to the upgrade guide, this command will copy the ISE image from the remote repo to the local repo I already created, but when I do a "show <local repo>, I just see some log files there, but no image.

Same if I do dir disk  

I saw an older upgrade instructions where it says

For upgrade, you can copy the upgrade bundle to the Cisco ISE node's local disk using the following command:
copy repository_url/path/ise-upgradebundle-2.x-to-2.7.0.xxx.SPA.x86_64.tar.gz disk:/
For example, if you want to use SFTP to copy the upgrade bundle, you can do the following:
  1. (Add the host key if it does not exist) crypto host_key add host mySftpserver
  2. copy sftp://aaa.bbb.ccc.ddd/ise-upgradebundle-2.x-to-2.7.0.xxx.SPA.x86_64.tar.gz disk:/
  3.  aaa.bbb.ccc.ddd is the IP address or hostname of the SFTP server and ise-upgradebundle-2.x-to-2.7.0.xxx.SPA.x86_64.tar.gz is the name of the upgrade bundle."

 

Should I use the copy command or is the "application upgrade prepare" enough to copy the ISE upgrade bundle to the local repo?

Also how about patching? Should I promote the secondary node to primary after I patch it?

Thanks

/Chess

 

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to Chess Norris

‎10-12-2023 06:22 AM

The prepare is enough.  In both scenarios the upgrade bundle is copied to the local machine.   Don't forget to the run the URT on the secondary admin node.

Patching no, you patch the PAN first. 

Go to solution
Chess Norris
Level 4
Level 4
In response to ahollifield

‎10-12-2023 11:37 PM

Thank you for the confirmation.

/Chess

0 Helpful

Go to solution
ahollifield
VIP
VIP

‎10-11-2023 05:40 AM

https://community.cisco.com/t5/security-knowledge-base/ise-version-upgrade-matrix/ta-p/3653501

Yes you should open a licensing TAC case to migrate your 2.X licenses to 3.X smart licenses.

Customers Also Viewed These Support Documents