
ISE upgrade - small deployment - VM and SMS 3615 server

aolguin
Level 1
Hello,
 
I will be performing an ISE upgrade for a customer. 
From 3.0 to 3.4 => which means we have to do a two step upgrade. 
 
They have a small deployment 
Primary node => VM 
Secondary node => 3615 
 
In order to reduce the length of the maintenance windows, I wanted to propose the following:
 
- Remove 3615 from the current deployment (secondary node) 
- 3615  => disconnect it from the NW
- Deploy a new VM  => deploy it with secondary IP addresses
- Restore the backup from current deployment 
- Upgrade VM to 3.4 with latest patch 
- (smaller maintenance window) Test services hitting the new node => disconnect primary ISE from VMware network interfaces 
- Reimage 3615 with 3.4 => provide ip address primary, installed latest patch 
- Rejoin 3615 to the cluster. 
- Decommission previous ISE primary VM 
 
Would the above make sense? I just want to make sure I am not running into any restrictions I am not aware of. 
I don't think documentation provides much information in different deployment scenarios. 
 
Thanks for your help / comments,
Aaron 

4 Replies

Dustin Anderson
VIP Alumni

Take this as my opinion.

What you are suggesting seems to be adding time to maintenance, not reducing. I feel you are thinking upgrading is done at the same time, but it will update one node at a time unless you specify to do both in tandem. So with this you added creating a new VM and taking the appliance IP, so you lose redundancy. Once the VM is up but without config it will basically reject any auth sent to it until you restore the config.

Now, I know Cisco has got better on upgrades, they used to fail about 50% or so in 2.x so we mostly did reformat upgrades. So depending on how many upgrades the client has already done on these, I would look at this.

1 Deploy a VM on 3.4 and apply current patch. Do this on a 3rd IP to keep the redundancy intact.

2 Restore backup to VM. I have not tried a 4 version update so this you would have to test if it imports correctly. If so this will give you the cleanest install. Otherwise you would need to deploy the lower version and upgrade.

3 Assuming it all tests, replace the old VM with the new one and change the IP. As 3615 is small and EoL, I'm going to suggest that not be primary.

4 With the new VM functioning and tested, take the 3615 and reimage to 3.4, apply patch and rejoin the primary.

 

Just my 2 cents.

Hello @Dustin Anderson  .. thank you for your advice. 

I also wanted to propose a new IP address for the new VM, but I have heard of problems with IP change in the past, so wanted to avoid this. Now looking at it again, it seems for standalone, it might be alright. 

I will readjust, basically: 

- Deploy a new VM  => deploy new IP address 
- Restore the backup from current deployment 
- Upgrade VM to 3.4 with latest patch 
- Change IP address to replace old VM 
- Test services hitting the new node => disconnect primary ISE from VMware network interfaces 
- Reimage 3615 with 3.4, installed latest patch 
- Rejoin 3615 to the cluster. 
- Decommission previous ISE primary VM 

Thanks again  

Aaron 

That should work. On a side note, I don't believe 3.x loads the certs in anymore with the backup, so plan to export the certs for admin etc. to load into the new VM to save yourself some headache. 

balaji.bandi
Hall of Fame

The approach looks nice, but look at ISE 3.0 to 3.4: you need to pass some path.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/release_notes/cisco-identity-services-engine-release-notes-34.html

Also add all the patches before putting it into production.

 

BB
