
Large deploy cluster upgrade from 1.4 to 2.3

iurikura
Cisco Employee

Hi Team,

My customer has a large ISE deployment on 1.4 (6 instances) and is planning to upgrade to 2.3.

I understand that if they want to upgrade from 1.4 to 2.3, each ISE instance should first be on 2.1 and can then go to 2.1+.

Also, in a large deployment design, the best practice is:

1) to upgrade from the Secondary PAN and MnT to the Primary,

2) then the PSNs join the new cluster at the higher version,

3) finally, the previous primary MnT and PAN join the cluster as secondary.

If my understanding is right, could you please let me know which are the recommended (supported) instructions in this scenario?

a) Each instance goes 1.4->2.0->2.3 at the same time.

b) Each instance has to stay on 2.0 (to create a 2.0 cluster). Then the customer follows the same upgrade instructions again to go to 2.3.

5 Replies

Arne Bier
VIP

Do you have hardware appliances or VMs?

If VMs, then you can build out 6 new ISE 2.3 VMs and leave them at the 'setup' prompt (assuming that you are also required to re-use the same IP addresses from the existing ISE deployment). But if you are free to create 6 new ISE nodes with new IP addresses then it's even better - just build all 6 nodes and leave them in Standalone mode. This might be possible if you are using a load balancer. All of your NASes send RADIUS/WebAuth to a VIP and therefore the NAS does not have a hard-coded ISE IP address.

Create another interim ISE VM with ISE 2.0 (or 2.1... whatever the interim version needs to be for the 1.4 -> 2.x upgrade). In that new ISE 2.0/2.1 VM, restore the config backup from ISE 1.4. Check that the config looks sane.

Make a config backup of that 2.0/2.1 system. Import that backup into ISE 2.3 - now you have a new PAN node for your ISE 2.3 deployment! Register all the other node personas like MnT, PSN etc. Once your new deployment is built, you can start adding some PSNs into the load balancer pool (if you have a load balancer). If no load balancer, then change a NAS config to use the new ISE PSN.

Basically, if you have a VM deployment AND the IP addresses of the ISE nodes are not hard-coded in your NASes, then you have the luxury of running the old and the new ISE deployments in parallel - and you can decide when to migrate to the new platform.

If you plan to upgrade ISE using the upgrade method (as opposed to restoring a config backup) then you really need to test this. And even if your tests pass, there is no guarantee that it will work on your production system. Having been burnt in the past, I would never upgrade a system ever again.

Arne,

Thank you for your reply and for sharing upgrade tips for virtual machines. At this time, the customer is using physical appliances, so we need to clarify how to successfully upgrade physical ISE.

Thank you,

Itaru

danielsai
Level 1

Hi Itaru,

Following are the steps that I've done on my environment:

  1. Backup config and Certificate.
  2. Shut interface of sec PAN, Mon and PSN.
  3. Stop ISE application.
  4. Upgrade from 1.3 to 2.0 and to 2.2.
  5. Start ISE application.
  6. Shut interface of Pri PAN, Mon and PSN. (Maintenance downtime about 30 min.)
  7. Unshut interface of sec PAN, Mon and PSN.
  8. Promote Sec PAN.
  9. Join Sec Mon and PSN to cluster.
  10. Update the rest of the nodes (follow steps 2 to 5).
  11. Join the nodes back to cluster.
  12. Check the services.

Hope it will help you a bit for your case.

Regards,

Daniel Sai

hslai
Cisco Employee

kthiruve is working on a guide on this topic so you might want to check with him directly.

Hi Hsing-Tsu,

Thank you for the reply.

I've sent an email to him. I attached figures of patterns (a) and (b) as well.

Thank you,
Itaru