ISE Upgrade Procedure from 2.1 to 2.4

hanguye3
Cisco Employee

Hi team,

I am planning to upgrade from the OS 2.1 to 2.4 with the information below: 02 virtual ISE, running in HA mode; each node has PAN, PSN and MnT.

I will do the upgrade procedure like this:

- Run the Upgrade Readiness Tool.

- Back up all the configuration / certificates / keys on both nodes.

- Upgrade the Secondary Node.

- Upgrade the Primary Node.

I have the questions below:

- Do we need to break the HA mode between the Primary Node and Secondary Node before doing the upgrade? After doing the upgrade successfully on each node, we will re-join the HA mode.

Or can we do the upgrade on the Secondary first and the Primary later?

I would highly appreciate any quick response.

Thanks in advance.

Br,

hainm

Accepted Solutions

paul
Level 10

I would do the backup and restore method vs. trying the upgrade process.

  1. Shut down the VMs one at a time and take a snapshot so you have a good back-out strategy if needed.
  2. Back up all the certificates/private keys (both system and trusted).
  3. Remove the secondary node from the deployment.
  4. Rebuild the node fresh as 2.4.
  5. Restore your 2.1 data to it.
  6. Install certificates, apply the latest patch, join to AD, get licensing set up (I would convert to Smart licensing).
  7. Validate everything looks good.
  8. Repeat the same process on the primary 2.1 node. At the end you can promote the primary 2.1 node back to being primary for the 2.4 deployment.

You can certainly attempt the upgrade process, but the rebuild/restore method is guaranteed success. I have only started using the Cisco upgrade method for 2.3 and later.


3 Replies

During the software upgrade, it automatically deregisters the node and moves into a new deployment.

No need to manually break the sync. Also, you can upgrade the secondary first and the primary.

Please follow the upgrade guide.

-Aravind

Jason Kunst
Cisco Employee
Did you check out the upgrade guide under operations?

http://cs.co/ise-community