ISE upgrade from 1.3 to 2.1

dot1x
Level 3

Hi Champs!

A quick question: We are running ISE 1.3 and would like to upgrade.

Is there any stable version we could upgrade to?

I see we can directly update from 1.3 to 2.1, but not to 2.2.

Is it a good idea to update to 2.1?

We are running ISE in a distributed environment with multiple nodes.

Thanks.

1 Accepted Solution

hslai
Cisco Employee

On (1), yes, please take the config backup from the primary admin node.

On (2), we usually de-register one of the ISE secondary nodes (including the ISE secondary admin), instead of the ISE primary admin node. If you do prefer to de-register the ISE primary admin node, then first promote the secondary admin to primary and de-register the original primary admin node. The deployment will always have one and only one primary admin node, unless standalone.

23 Replies

kthiruve
Cisco Employee

Hi Moin,

Please see the release notes for ISE 2.1 and 2.2 to see what version you can upgrade to.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html

In general, it is recommended to upgrade to the latest patch.

Curious to know if there are specific reasons why you want to upgrade?

Also good to know features and functionalities that you are using in ISE 1.3.

ISE 2.2 is a two step upgrade and Patch 4 is the latest.

For ISE 2.1, please see another thread related to the patches in the community forum.

https://communities.cisco.com/thread/84256?start=15&tstart=0

Thanks

Krishnan

Hi Krishnan,

Thanks for your response.

Curious to know if there are specific reasons why you want to upgrade?

Customer requirement to update the software versions on ISE, WLC and Prime.

Also good to know features and functionalities that you are using in ISE 1.3.
We are using ISE for Wired/Wireless User Authentication/Authorization using External Identity Source (AD), Certificate based Authentication, VPN User Authentication etc.

hslai
Cisco Employee

For customer deployment still in ISE 1.x.x, our general recommendation is to upgrade it to ISE 2.2 latest patch (Patch 4 is the current latest) as Krishnan suggested.

hslai wrote:

For customer deployment still in ISE 1.x.x, our general recommendation is to upgrade it to ISE 2.2 latest patch (Patch 4 is the current latest) as Krishnan suggested.

Would you suggest if the latest patch is a stable version or would it be a good idea to upgrade to 2.1?

If upgrading to 2.2, we would have to update 1.3-->1.4-->2.2?

hslai
Cisco Employee

That would work but I would suggest 1.3 -> 1.3 latest patch -> 2.1 -> 2.1 latest patch-> 2.2 -> 2.2 latest patch.

It could save time, if operational data is not important, by

  1. taking an ISE CFG backup of ISE 1.3 with latest patch,
  2. restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch
  3. upgrading (2) to ISE 2.2 and then applying the latest patch or taking a CFG backup of (2) and restoring it to a fresh installed ISE 2.2 latest patch.
  4. using (3) as the primary ISE admin node and fresh installing all other nodes and joining them to the ISE 2.2 deployment.

If operational data is important to keep, then we will also need to take an OPS backup, to restore it to ISE 2.1 latest patch, and then to upgrade it to ISE 2.2.

hslai wrote:

That would work but I would suggest 1.3 -> 1.3 latest patch -> 2.1 -> 2.1 latest patch-> 2.2 -> 2.2 latest patch.

It could save time, if operational data is not important, by

  1. taking an ISE CFG backup of ISE 1.3 with latest patch,
  2. restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch
  3. upgrading (2) to ISE 2.2 and then applying the latest patch or taking a CFG backup of (2) and restoring it to a fresh installed ISE 2.2 latest patch.
  4. using (3) as the primary ISE admin node and fresh installing all other nodes and joining them to the ISE 2.2 deployment.

If operational data is important to keep, then we will also need to take an OPS backup, to restore it to ISE 2.1 latest patch, and then to upgrade it to ISE 2.2.

1. taking an ISE CFG backup of ISE 1.3 with latest patch,

Taking config backup of only Primary Admin Node?


2. restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch

When we de-register Primary Admin Node, the Primary and Secondary PSNs would still be serving the client requests?

hslai
Cisco Employee

On (1), yes, please take the config backup from the primary admin node.

On (2), we usually de-register one of the ISE secondary nodes (including the ISE secondary admin), instead of the ISE primary admin node. If you do prefer to de-register the ISE primary admin node, then first promote the secondary admin to primary and de-register the original primary admin node. The deployment will always have one and only one primary admin node, unless standalone.

dot1x
Level 3

Hi guys!

Was busy with WLCs upgrade which went good.

Now we'll be updating ISE. While reading the upgrade guide for ISE 2.1; at one stage it says:

Release 2.1 supports Red Hat Enterprise Linux (RHEL) 7.0.

If you are upgrading Cisco ISE nodes on VMware virtual machines, after upgrade is complete, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.

On another place, it says:

If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.


Does it mean to change adapter first, upgrade and then change the guest operating system?

You change the adapter before upgrade and the operating system after.

Hi,

This change of Guest OS is so confusing:

The Upgrade Guide 2.1 says:

Prep for the Upgrade Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1  - Prepare for Upgrade [Cisco Identity Services Engine] - Cis…

If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.


Post-Upgrade Tasks Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1  - Post-Upgrade Tasks [Cisco Identity Services Engine] - Cisc…


Ensure that the Guest Operating System on the VMware virtual machine is set to Red Hat Enterprise Linux (RHEL) 7 and the network adapter is set to E1000 or VMXNET3.


Should this be done before or after?

This was answered under response 9 on the thread.

The reason I was confirming again because I contacted a couple of TAC Engineers, they had different answers.

I got following response today:

  1. Regarding the “Change VMware Virtual Machine Guest Operating System and Settings”, please note that I have asked about this point since we don’t support it, and the correct answer is that you should do this before the upgrade, and just check it after. So you should apply the change of the Guest OS before ISE upgrade.

Any thoughts?

What is in the guide should be the guidance; if they find otherwise, they should open a defect on the guide to have it corrected.

I hope they change the doc.
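
The VM settings that the upgrade-guide text quoted in this thread asks for (Guest Operating System RHEL 7, network adapter E1000 or VMXNET3) can be verified from a VM's `.vmx` file before and after the change. The following is an added example, not part of the thread or of Cisco's guide; the `rhel7-64` guest OS identifier is an assumption and the sample `.vmx` fragments are constructed.

```python
import re

# Adapter types the guide text quoted in the thread lists for RHEL 7.
ALLOWED_ADAPTERS = {"e1000", "vmxnet3"}
# Assumption: .vmx guestOS identifier for 64-bit RHEL 7.
EXPECTED_GUEST_OS = "rhel7-64"

_KV = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the key = "value" pairs of a .vmx file, keys lower-cased."""
    cfg = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and not line.lstrip().startswith("#"):
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def check_vm(text):
    """List settings that differ from what the quoted guide text asks for."""
    cfg = parse_vmx(text)
    findings = []
    guest = cfg.get("guestos", "")
    if guest.lower() != EXPECTED_GUEST_OS:
        findings.append(f"guestOS is {guest or 'unset'!r}, expected {EXPECTED_GUEST_OS!r}")
    nics = sorted({k.split(".")[0] for k in cfg if re.match(r"ethernet\d+\.", k)})
    if not nics:
        findings.append("no network adapter defined")
    for nic in nics:
        if cfg.get(nic + ".present", "TRUE").upper() != "TRUE":
            continue  # adapter slot exists but is disabled
        dev = cfg.get(nic + ".virtualdev", "")
        if dev.lower() not in ALLOWED_ADAPTERS:
            findings.append(f"{nic} adapter is {dev or 'unset'!r}, expected e1000 or vmxnet3")
    return findings

# Constructed sample .vmx fragments (not taken from any real deployment).
SAMPLE_BEFORE = '''
guestOS = "rhel6-64"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vlance"
'''
SAMPLE_AFTER = SAMPLE_BEFORE.replace("rhel6-64", "rhel7-64").replace("vlance", "e1000")

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_vm(sample) or "OK")
```

An empty list from `check_vm` means both settings match; each finding names the key to change while the VM is powered down.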