Cisco Employee

ISE Upgrade Procedure from 2.1 to 2.4

Hi team,

I am planning to upgrade from the OS 2.1 to 2.4 with the information below: 02 virtual ISE, running in HA mode; each node has PAN, PSN and MnT.

I will do the upgrade procedure like this:

- Run the Upgrade Readiness Tool.
- Back up all the configuration / certificates / keys on both nodes.
- Upgrade the Secondary Node.
- Upgrade the Primary Node.

I have the questions below:

- Do we need to break the HA mode between the Primary Node and Secondary Node before doing the upgrade? After doing the upgrade successfully on each node, we will re-join the HA mode.

Or can we do the upgrade on the Secondary first and the Primary later?

I would highly appreciate any quick response.

Thanks in advance.

Br,

hainm

1 ACCEPTED SOLUTION

VIP Advocate

I would do the backup and restore method vs. trying the upgrade process.

 

  1. Shut down the VMs one at a time and take a snapshot so you have a good back-out strategy if needed.
  2. Back up all the certificates/private keys (both system and trusted).
  3. Remove the secondary node from the deployment.
  4. Rebuild the node fresh as 2.4.
  5. Restore your 2.1 data to it.
  6. Install certificates, apply the latest patch, join to AD, get licensing set up (I would convert to Smart licensing).
  7. Validate everything looks good.
  8. Repeat the same process on the primary 2.1 node. At the end you can promote the primary 2.1 node back to being primary for the 2.4 deployment.

You can certainly attempt the upgrade process, but the rebuild/restore method is guaranteed success.  I have only started using the Cisco upgrade method for 2.3 and later.


3 REPLIES 3

During the software upgrade, it automatically deregisters the node and moves into a new deployment.

No need to manually break the sync. Also, you can upgrade the secondary first and the primary.

Please follow the upgrade guide.

-Aravind

Cisco Employee

Did you check out the upgrade guide under operations?

http://cs.co/ise-community