ISE Upgrade 2.0 to 2.4/2.6

CaPunT
Level 1

Hi All

 

We're needing to do an upgrade on a medium-scale distributed deployment 2x PAN with MNT, 8x PSN.

The deployment is currently on 2.0.0.306 (patch 5) and I'm looking for advice on the best way to go about getting it upgraded please.

Ideally we would like to get it to 2.6 to have it as up to date to the Cisco recommended version as possible.

I have been doing a lot of reading and have found multiple options to go about the upgrade:

1) Upgrade 2.0 to version 2.4, then upgrade to 2.6

2) Upgrade 2.0 to 2.1, then upgrade to 2.6

3) As per the advice given by @Arne Bier  in this post, build the env from scratch server by server on either 2.4 or 2.6 (not sure if 2.6 would be possible?)

I am really leaning towards #3, if it can be done. I say if, as I am unsure if it is possible to restore a backup done on v2.0 directly to a server running v2.6 (not possible to test it atm). I also really do not want to deal with upgrade issues... hence #3.

 

What would be your expert opinions please?

Any advice is greatly appreciated!

 

 

 

4 Replies

Arne Bier
VIP

Hi @CaPunT 

 

You didn’t say if you have appliances or VMs. If appliances are SNS-34xx or older then you can only go to ISE 2.3.
If you have a VM deployment then chances are your hardware spec is too small for the ISE 2.6 requirements. I’d say a rebuild in the lab of 2.0 to 2.4 is what you should do. Analyse the resulting config because your Policy Set will look different and may contain a lot of garbage that you can then clean out. Let’s also not forget that with so many PSNs you ought to have 2 PAN and 2 MnT nodes in addition to your 8 PSNs. It will work if you piggyback MnT on the PAN but it’s not the official way. If the lab work is a success then you have a golden config that you can use for your import into the production 2.6 VM deployment. Ensure that you have a config freeze in place during this time to avoid any changes that get lost. Or keep a very detailed change record :-)

It's a mix of 5 appliances and 5 VMs. Appliances are still 3415s... so yes, we will have to motivate for new appliances and VM replacements (where possible) or limit the upgrade to 2.3.

 

So just to confirm - If I can build a test 2.0 VM, restore a current backup and upgrade it to 2.4, (providing policies look sound) I will then be able to backup that configuration data and import it into a new 2.6 build?

 

This would also mean we won't have historical operational data? (I believe it shouldn't be a big problem)

I would say that the most crucial part is the 2.0 config backup restore onto a fresh 2.4 node to see what the policy set looks like. Clean up any junk and then create a config backup to be used for your new ISE 2.6 VM deployment. Essentially the 2.4 is the intermediate step :-)

And yes, I conveniently sidestepped the operational data backup issue. I think you can back up the operational data in 2.0 and then restore it to your 2.4 etc. but in all this time you will have some gaps. I think it’s a personal choice. Consider it a spring cleaning exercise...

I didn't know that an older version backup could be restored onto a newer version, especially going from pre 2.3 to post (since that's when there were policy changes), hence my idea was to go the 2.0 restore to 2.4 upgrade route.
We are still waiting on feedback with regards to the path we can take but I'll attempt to lab this in the meantime.

 

Thanks @Arne Bier really appreciate the feedback and help.