Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
1
Helpful
2
Replies

ISE upgrade to 3.1 version from 2.7

Go to solution
Gouthami Nair
Beginner
Beginner

‎04-10-2023 05:16 AM

Hi All,

We are upgrading our Cisco ISE deployment from 2.7 version to 3.1 version. Whether the nodes will rejoin if we are doing the upgrade without breaking the cluster and doing the upgrade through CLI?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

‎04-10-2023 11:09 AM

If all goes well the nodes will still be joined when the upgrade is completed and done via the CLI, same as running the standard upgrade through the GUI. 

You will upgrade the secondary admin node first, it will deregister itself from the primary and become the new primary in the 3.1 deployment. You will then upgrade any other PSN/MNT/PXgrid nodes in the order you wish, these will automatically register with the new 3.1 admin node. The last node you upgrade will be the old primary admin node (still running 2.7), and it will also register and join the 3.1 primary admin node. 

When you're done upgrading you can swap back the primary admin role to the original primary node. 

Helpful tip, you might see queue link alarms in the dashboard during the upgrade in 3+ node deployments, you can disable the ISE messaging service before the upgrade, correct the root certificate chain + ISE messaging service certificates after the upgrade, then reenable the ISE messaging service. 

View solution in original post

2 Replies 2

Go to solution
Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

‎04-10-2023 06:43 AM

Hi @Gouthami Nair 

 please take a look at: Cisco ISE 3.1 Upgrade Guide: Upgrade Method., search for Upgrade a Cisco ISE Deployment from the CLI and check your Deployment Type (Standalone, Two-Node or Distributed).

Hope this helps !!!

0 Helpful

Go to solution
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

‎04-10-2023 11:09 AM

If all goes well the nodes will still be joined when the upgrade is completed and done via the CLI, same as running the standard upgrade through the GUI. 

You will upgrade the secondary admin node first, it will deregister itself from the primary and become the new primary in the 3.1 deployment. You will then upgrade any other PSN/MNT/PXgrid nodes in the order you wish, these will automatically register with the new 3.1 admin node. The last node you upgrade will be the old primary admin node (still running 2.7), and it will also register and join the 3.1 primary admin node. 

When you're done upgrading you can swap back the primary admin role to the original primary node. 

Helpful tip, you might see queue link alarms in the dashboard during the upgrade in 3+ node deployments, you can disable the ISE messaging service before the upgrade, correct the root certificate chain + ISE messaging service certificates after the upgrade, then reenable the ISE messaging service. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents