cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Bookmark
|
Subscribe
|
2419
Views
2
Helpful
4
Replies

Issue with ISE distributed deployment upgrade from 1.3 to 2.1

paridhja
Cisco Employee
Cisco Employee

Hello All,

I was trying to do an ISE distributed deployment upgrade from 1.3 to 2.1

The current architecture is:

ISE-1: Primary PSN and secondary Admin node

ISE-2: Primary Admin, Secondary PSN and MNT node

ISE-3: Primary MNT node

The upgrade path followed: Secondary PAN, PSN (ISE-1) -> Primary MNT (ISE-3) -> PAN, Sec PSN (ISE-2)

ISE-1 was upgraded successfully but while upgrading ISE-3 (primary MNT node), got an error msg:

% Warning: Cannot upgrade this node until the standby PAP node is upgraded and running. If standby PAP is already upgraded

and reachable ensure that this node is in SYNC from current Primary UI.

Starting application after rollback

I would like to get comments as to why would I be getting this message and ideas as to how should I go forward with the upgrade.

I am not sure if the primary admin node(ISE-2) can be upgraded before upgrading the primary MNT node(ISE-3).

-Thanks,

Paridhi Jain

4 Replies 4

howon
Cisco Employee
Cisco Employee

Paridhi, the three node deployment is not a supported setup. We support 3 deployment modes:

  • Small: All three personas (Admin, MnT, PSN) in the same box
  • Medium: Admin+MnT in the same box plus up to 5 PSNs
  • Large: Admin as individual box, MnT as individual box, and up to 50 PSNs

Your deployment does not conform to any of the three mode above, so the upgrade cannot be completed. Check out the following document for more information:

Cisco Identity Services Engine Installation Guide, Release 2.1 - Network Deployments in Cisco ISE [Cisco Identity Servi…

Because i have a 3 node deployment, I could modify my setup to fit the medium deployment mode with one node being the Admin+MnT and 2 other nodes being the PSN but according to the upgrade path if i do not have a secondary Admin i am supposed to make one of my PSN node as the secondary admin node which i think might still create the issue. Could you confirm this.

That will still not meet the requirements of the medium deployment.  As shown in the image below taken from the link in the previous response, you must have TWO Admin + MnT nodes.  One hosting the Primary Admin Persona + Secondary MnT Persona and the other hosting the Secondary Admin Persona + Primary MnT Persona.

medium.jpg

In a three node deployment, this leaves you with a single PSN.  This is the ONLY supported three node deployment scenario.  ALL others will continue to give issues during the upgrade process.

hslai
Cisco Employee
Cisco Employee

Please verify the replication ok to the ISE node you are upgrading. Perhaps try a manual syncup before re-attempts.