ISE upgrade one node alone

manvik
Level 3

My ISE setup is a two-node deployment cluster: Primary and Secondary. I am upgrading to the latest version.
How can I upgrade one ISE node alone, so that in case of any issues I can connect the non-upgraded ISE node back into production?
In case of deregistering the second node, will the secondary node lose all configurations and policies?

6 Replies

@manvik upgrade the Secondary Administration node first. After the upgrade, this node becomes the new Primary Administration node in the new deployment; then you upgrade the old Primary node. If the upgrade fails, it will automatically roll back and rejoin the cluster.

Refer to the upgrade guide - https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/HTML/b_upgrade_method_3_1.html#id_119746

Refer to this Cisco Live presentation https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-2889.pdf

manvik
Level 3

Do you mean to upgrade the secondary from the CLI, because from the GUI it upgrades both?
Is it possible to upgrade the secondary alone and upgrade the primary after a week?

Since both nodes would be on different versions, will the cluster and config sync still work?


@manvik yes, upgrade from the CLI; you control when you initiate the upgrade on the subsequent nodes.

I would not recommend waiting a week to upgrade the former primary node. You should continue to upgrade the next node once you've confirmed the upgrade of the first node is successful and it is working OK.

Obviously, prepare, run a backup in case you need to roll back, etc. Check out the prepare-to-upgrade guide https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/HTML/b_upgrade_prepare_3_1.html


@manvik: This is what I would do if I were you. This method has been done and verified
at least 50 times by me, and confirmed by Cisco. You have a 2-node cluster:
node1 is PAN/PMnT/PSN, node2 is SAN/SMnT/PSN. This is how to do it:

A- Back up all the certs you have on node2,
B- Deregister node2 from the cluster,
C- Take a backup of node1,
D- Rebuild node2 with a fresh installation and apply the latest patch,
E- Restore the node1 backup from step C to node2,
F- Make node2 PAN/PMnT/PSN,
G- Restore all certs you backed up in step A to node2,
H- Now you have node2 running but INDEPENDENT from node1. If you have to make changes, you have
to make changes on both node1 and node2,
I- Point some network devices to node2 as Primary RADIUS/TACACS server for validation and confirm
everything still works,
J- Wait for one or two weeks,
K- Back up all the certs on node1,
L- Rebuild node1 with a fresh installation and apply the latest patch,
M- Restore all certs you backed up in step K to node1,
N- Add node1 into the cluster. Make node1 SAN/SMnT/PSN,
O- Confirm that everything is still working,
P- Now make node1 PAN/PMnT,
Q- Confirm that everything is still working,
R- Finish.

This way, you ensure that there will be NO outage.

While deregistering the second node, will the secondary node lose all configurations and policies?

Also, can SPLIT upgrade be used here?

No, it shouldn't; that's actually what happens in the background when you upgrade ISE. However, I wouldn't go with that approach. Personally I would go with the upgrade process suggested by @Rob Ingram. Whether you do it via CLI (my personal preference) or via GUI won't change much, in the sense that even doing it via the UI the process will still be the same: the secondary node will be upgraded first and then the "old" primary. That's how the ISE upgrade works. When you do it via CLI you need to follow that order manually. You could keep the "old" primary for a week before you upgrade it, but tbh there is not much advantage in doing that.

Also, you can use the split upgrade, which kinda does what we've just said: it will stage the upgrade in phases. But again, I usually don't use it and wouldn't recommend it, because if you have a validated backup you can still restore the build if something bad happens. And as @Rob Ingram mentioned, when using the GUI, ISE would roll back if the upgrade should fail.

Regarding the NADs, depending on their configs, if they have both ISE nodes' IP addresses configured, during the upgrade they would fall back to the secondary node until the other is back online. However, if you happen to have some NADs configured with one ISE node IP, then you would need to consider that downtime during the upgrade, or add the other ISE node IP address to them.
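The rebuild runbook (steps A-R above) claims "NO outage", and the last reply adds the caveat that this only holds for NADs that have both ISE nodes configured. The following Python script is an added example, not code from the thread or from Cisco: it walks the runbook step by step against a constructed NAD inventory and reports, for each step, which NADs would have no reachable PSN for RADIUS/TACACS and during which steps the two nodes run as independent deployments (so every policy change must be made twice, as step H warns). Node names, version labels and NAD names are made up for the example.

```python
"""Walk the two-node ISE rebuild runbook from the thread and check at every
step (1) which NADs still have a reachable PSN and (2) whether two independent
deployments are live at once (changes must then be made on both nodes).
Constructed example: node names, versions and NAD entries are assumptions."""
from dataclasses import dataclass

OLD, NEW = "3.0", "3.1"   # assumed version labels, not from the thread


@dataclass
class Node:
    name: str
    roles: set
    version: str
    in_service: bool = True      # False while deregistered or being rebuilt
    deployment: str = "cluster"  # which deployment the node belongs to

    def serves_auth(self) -> bool:
        """A node answers RADIUS/TACACS only if it is up and holds the PSN role."""
        return self.in_service and "PSN" in self.roles


def initial_state() -> dict:
    return {
        "node1": Node("node1", {"PAN", "PMnT", "PSN"}, OLD),
        "node2": Node("node2", {"SAN", "SMnT", "PSN"}, OLD),
    }


def runbook() -> list:
    """Steps A-R of the thread as (label, action) pairs mutating the state."""
    def noop(nodes, nads):
        pass

    def deregister_node2(nodes, nads):
        nodes["node2"].in_service, nodes["node2"].roles = False, set()

    def rebuild_node2(nodes, nads):
        nodes["node2"].version = NEW

    def node2_standalone_pan(nodes, nads):   # fresh node2 is its own deployment
        n = nodes["node2"]
        n.roles, n.in_service, n.deployment = {"PAN", "PMnT", "PSN"}, True, "new"

    def prefer_node2(nodes, nads):           # step I: node2 becomes primary server
        for servers in nads.values():
            if "node2" in servers:
                servers.remove("node2")
                servers.insert(0, "node2")

    def rebuild_node1(nodes, nads):
        n = nodes["node1"]
        n.in_service, n.roles, n.version = False, set(), NEW

    def join_node1_as_secondary(nodes, nads):
        n = nodes["node1"]
        n.roles, n.in_service, n.deployment = {"SAN", "SMnT", "PSN"}, True, "new"

    def promote_node1(nodes, nads):
        nodes["node1"].roles = {"PAN", "PMnT", "PSN"}
        nodes["node2"].roles = {"SAN", "SMnT", "PSN"}

    return [
        ("A backup node2 certs", noop), ("B deregister node2", deregister_node2),
        ("C backup node1", noop), ("D rebuild node2 + patch", rebuild_node2),
        ("E restore node1 backup on node2", noop),
        ("F node2 standalone PAN/PMnT/PSN", node2_standalone_pan),
        ("G restore node2 certs", noop), ("H node2 independent of node1", noop),
        ("I point some NADs to node2", prefer_node2), ("J soak 1-2 weeks", noop),
        ("K backup node1 certs", noop), ("L rebuild node1 + patch", rebuild_node1),
        ("M restore node1 certs", noop),
        ("N join node1 as SAN/SMnT/PSN", join_node1_as_secondary),
        ("O confirm", noop), ("P promote node1 to PAN/PMnT", promote_node1),
        ("Q confirm", noop), ("R finish", noop),
    ]


def walk(nads: dict) -> dict:
    """Return per step: NADs with no reachable PSN, and whether two live nodes
    belong to different deployments (the double-change window of step H)."""
    nodes, report = initial_state(), {}
    nads = {k: list(v) for k, v in nads.items()}   # copy: step I reorders lists
    for label, action in runbook():
        action(nodes, nads)
        no_auth = sorted(nad for nad, servers in nads.items()
                         if not any(nodes[s].serves_auth() for s in servers))
        live = [n for n in nodes.values() if n.in_service]
        double_change = len({n.deployment for n in live}) > 1
        report[label] = {"no_auth": no_auth, "double_change": double_change}
    return report


def outage_steps(report: dict) -> list:
    """Labels of the steps in which at least one NAD has no reachable PSN."""
    return [step for step, r in report.items() if r["no_auth"]]


if __name__ == "__main__":
    # Constructed NAD inventory: the server list as configured on each device
    NADS = {"sw-core": ["node1", "node2"],   # both nodes: never without a PSN
            "sw-edge-7": ["node1"]}          # single server: outage during L-M
    for step, r in walk(NADS).items():
        print(f"{step:35s} no_auth={r['no_auth']} double_change={r['double_change']}")
```

Running it shows the single-server switch losing its only PSN exactly while node1 is being rebuilt (steps L and M), which is the downtime the last reply warns about, while the switch with both nodes configured is never without one. The "double_change" column is true from step F until node1 goes down at L, the window in which step H says every change must be applied on both nodes.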