Solved: Re: ISE Upgrade

shendel · ‎04-17-2019

Hi,

We have ISE 1.4 and we are planning to upgrade to version 2.4, i know that i must go through 2.2. I'm wondering

if my existing licenses (installed and active on 1.4) :

1/ will be still valide on the target version (2.4)

2/ will get migrated automatically during the upgrade process or should i re-install them manually

Regards

Damien Miller · ‎04-17-2019

2.6 does not enforce VM licenses, it acts just like 2.4, nagging you in to submission. Since Shendel's deployment is coming from 1.4 which does not support TACACS, no device administration license will be carried forward. Net new tacacs node licenses would have to be ordered if the feature is going to be used.

Shendel, either before or after the upgrade to 2.4, you will have to follow the process in Raffy's link. Email ise-vm-license@cisco.com including the original Cisco sales order numbers that the VM RTU licenses were ordered on. A new PAK will be issued for 2.4+ medium vm licenses in the exact number purchased. This is of course only if you are leveraging VM's, if you are using SNS hardware appliances then the VM license step doesn't apply.

View solution in original post

hslai · ‎04-17-2019

If you are using the ISE Web UI to upgrade the deployment, then both should hold true. In case somehow UDI changed due to a new ISE node as the primary PAN, etc., then you may use Cisco licensing portal to re-host the licenses.

RaffyLindogan · ‎04-17-2019

Hi Shendel,

I am pretty sure there are slight changes on the licensing when you move to ISE 2.4

For example the Device Administration is license is now required to be same as the PSNs configured for device administration service.

ISE VMs also has licenses but isn't strictly applied until 2.6

Here is a good link to see the changes.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#LicensingInformation24

Cheers,

Raffy

Damien Miller · ‎04-17-2019

2.6 does not enforce VM licenses, it acts just like 2.4, nagging you in to submission. Since Shendel's deployment is coming from 1.4 which does not support TACACS, no device administration license will be carried forward. Net new tacacs node licenses would have to be ordered if the feature is going to be used.

Shendel, either before or after the upgrade to 2.4, you will have to follow the process in Raffy's link. Email ise-vm-license@cisco.com including the original Cisco sales order numbers that the VM RTU licenses were ordered on. A new PAK will be issued for 2.4+ medium vm licenses in the exact number purchased. This is of course only if you are leveraging VM's, if you are using SNS hardware appliances then the VM license step doesn't apply.

kthiruve · ‎04-22-2019

Very useful reply Damien. Thank you.

paul · ‎04-17-2019

For customers we have on 1.4 going to 2.4 we almost always just build everything from scratch. What we were doing in 1.4 for best practices and the naming conventions we used then are not what we are doing now. We usually take the opportunity to do a sanity check on their use cases and build everything from scratch. Granted depending on the size of the customer this may not be an option.

If you want to keep the configuration then I would advocate building a temp VM on 2.2, restoring your 1.4 data to it then upgrading that temp VM to 2.4. Then you have your anchor point for 2.4 and you can simply rebuild your 1.4 nodes one node at a time and join them to the 2.4 deployment. At the end you remove the temp VM. Granted you need to figure out certificates and licensing, but its a process I have used dozens of times to great success.

If you have a fully distributed deployment, dedicated admin, M&T and PSNs. Then you can simply kick the secondary admin node out of the 1.4 deployment and use that as the starting point for 2.4. Lots of options, but I would NEVER attempt a full deployment upgrade from 1.4 to 2.2 then 2.4. That would put you on a painful journey most likely.