11-15-2017 03:14 PM
Hi Champs!
A quick question: We are running ISE 1.3 and would like to upgrade.
Is there any stable version we could upgrade to?
I see we can directly update from 1.3 to 2.1, but not to 2.2.
Is it a good idea to update to 2.1?
We are running ISE in distributed environment with multiple nodes.
Thanks.
Solved! Go to Solution.
11-24-2017 04:47 PM
On (1), yes, please take the config backup from the primary admin node.
On (2), we usually de-register one of the ISE secondary nodes (including the ISE secondary admin), instead of the ISE primary admin node. If you do prefer to de-register the ISE primary admin node, then first promote the secondary admin to primary and de-register the original primary admin node. The deployment will always have one and only one primary admin node, unless standalone.
11-15-2017 05:03 PM
Hi Moin,
Please see the release notes for ISE 2.1 and 2.2 to see what version you can upgrade to.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html
In general, it is recommended to upgrade to the latest patch.
Curious to know if there are there specific reasons why you want to upgrade?
Also good to know features and functionalities that you are using in ISE 1.3.
ISE 2.2 is a two step upgrade and Patch 4 is the latest.
For ISE 2.1, please see another thread related to the patches in the community forum.
https://communities.cisco.com/thread/84256?start=15&tstart=0
Thanks
Krishnan
11-15-2017 05:13 PM
Krishnan Thiruvengadam wrote:
Hi Moin,
Please see the release notes for ISE 2.1 and 2.2 to see what version you can upgrade to.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html
In general, it is recommended to upgrade to the latest patch.
Curious to know if there are there specific reasons why you want to upgrade?
Also good to know features and functionalities that you are using in ISE 1.3.
ISE 2.2 is a two step upgrade and Patch 4 is the latest.
For ISE 2.1, please see another thread related to the patches in the community forum.
https://communities.cisco.com/thread/84256?start=15&tstart=0
Thanks
Krishnan
Hi Krishnan,
Thanks for your response.
Curious to know if there are there specific reasons why you want to upgrade?
Customer requirement to update the software versions on ISE, WLC and Prime.
Also good to know features and functionalities that you are using in ISE 1.3.
We are using ISE for Wired/Wireless User Authentication/Authorization using External Identity Source (AD), Certificate based Authentication, VPN User Authentication etc.
11-16-2017 02:41 PM
For customer deployment still in ISE 1.x.x, our general recommendation is to upgrade it to ISE 2.2 latest patch (Patch 4 is the current latest) as Krishnan suggested.
11-16-2017 03:25 PM
hslai wrote:
For customer deployment still in ISE 1.x.x, our general recommendation is to upgrade it to ISE 2.2 latest patch (Patch 4 is the current latest) as Krishnan suggested.
Would you suggest if the latest patch is stable version or would it be a good idea to upgrade to 2.1?
If upgrading to 2.2, we would have to update 1.3-->1.4-->2.2?
11-16-2017 03:36 PM
That would work but I would suggest 1.3 -> 1.3 latest patch -> 2.1 -> 2.1 latest patch-> 2.2 -> 2.2 latest patch.
It could be a time saving, in case of operational data not important, by
If operational data is important to keep, then we will also need to take an OPS backup, to restore it to ISE 2.1 latest patch, and then to upgrade it to ISE 2.2.
11-22-2017 03:09 PM
hslai wrote:
That would work but I would suggest 1.3 -> 1.3 latest patch -> 2.1 -> 2.1 latest patch-> 2.2 -> 2.2 latest patch.
It could be a time saving, in case of operational data not important, by
- taking an ISE CFG backup of ISE 1.3 with latest patch,
- restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch
- upgrading (2) to ISE 2.2 and then applying the latest patch or taking a CFG backup of (2) and restoring it to a fresh installed ISE 2.2 latest patch.
- using (3) as the primary ISE admin node and fresh installing all other nodes and joining them to the ISE 2.2 deployment.
If operational data is important to keep, then we will also need to take an OPS backup, to restore it to ISE 2.1 latest patch, and then to upgrade it to ISE 2.2.
1. taking an ISE CFG backup of ISE 1.3 with latest patch,
Taking config backup of only Primary Admin Node?
2. restoring (1) to either a new ISE node or a de-registered ISE node from ISE 1.3 deployment and freshly installed with ISE 2.1 and applied the latest patch
When we de-register Primary Admin Node, the Primary and Secondary PSNs would still be serving the client requests?
11-24-2017 04:47 PM
On (1), yes, please take the config backup from the primary admin node.
On (2), we usually de-register one of the ISE secondary nodes (including the ISE secondary admin), instead of the ISE primary admin node. If you do prefer to de-register the ISE primary admin node, then first promote the secondary admin to primary and de-register the original primary admin node. The deployment will always have one and only one primary admin node, unless standalone.
12-11-2017 01:38 AM
Hi guys!
Was busy with WLCs upgrade which went good.
Now we'll be updating ISE. While reading the upgrade guide for ISE 2.1; at one stage it says:
Release 2.1 supports Red Hat Enterprise Linux (RHEL) 7.0.
If you are upgrading Cisco ISE nodes on VMware virtual machines, after upgrade is complete, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.
On another place, it says:
If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.
Doe it mean to change adapter first, upgrade and then change the guest operating system?
12-11-2017 04:48 AM
You change the adapter before upgrade and the operating system after
12-12-2017 08:48 PM
Hi,
This change of Guest OS is so confusing:
The Upgrade Guide 2.1 says:
Prep for the Upgrade Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1 - Prepare for Upgrade [Cisco Identity Services Engine] - Cis…
If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.
Post-Upgrade Tasks Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1 - Post-Upgrade Tasks [Cisco Identity Services Engine] - Cisc…
Ensure that the Guest Operating System on the VMware virtual machine is set to Red Hat Enterprise Linux (RHEL) 7 and the network adapter is set to E1000 or VMXNET3.
Should this be doen before or after?
12-13-2017 08:32 AM
This was answered under response 9 on the thread
12-13-2017 03:08 PM
The reason I was confirming again because I contacted a couple of TAC Engineers, they had different answers.
I got following response today:
Any thoughts?
12-13-2017 03:27 PM
What is in the guide should be the guidance, if the find otherwise they should open a defect on the guide to have it corrected
12-13-2017 03:54 PM
I hope they change the doc.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide