
Question re ISE 1.2.1 to 1.4 upgrade

Leroy Plock
Level 1

Greetings,

Can anybody comment on this upgrade plan?

We have 4 nodes:
1 - Primary Admin/Secondary MnT
2 - PSN only
3 - PSN only
4 - Primary MnT/Secondary Admin

We know the upgrade order will be 4 - 3 - 2 - 1.

We are testing this in the lab and will perform all appropriate precautionary measures. However, we are still concerned that an unforeseen problem will crop up in production after the upgrade and want the ability to revert back quickly if needed.

After upgrading nodes 4 and 3 we will have one Admin/MnT node and one PSN in the new deployment, but still have one Admin/MnT node and one PSN in the old deployment.

All NADs are set to use either node 3 or 2 as primary RADIUS server with failover to the other PSN. If, after upgrading nodes 4 and 3, we stop ISE services on node 2, all NADs will be using node 3, which is in the new deployment. If we experience problems, we can bring up services on node 2 and stop services on node 3, thus forcing all NADs to use the old deployment. If after one week we are satisfied the upgrade has gone well, we can upgrade nodes 2 and 1 to complete the process, and NADs will go back to load balancing with failover across the 2 nodes.

Will this work? What issues might we encounter? Thanks.

2 Replies

Jatin Katyal
Cisco Employee

The authentication should continue to work with the existing devices in the network because PSN failover is configured on Network Access Devices.

The upgrade process automatically deregisters node 4 (Secondary Admin) from the deployment and upgrades it. Node 4 becomes the primary node of the new deployment when it restarts, so the new PAN would be node 4.

/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_chapter_01.html#ID20

Also keep this doc handy:

https://supportforums.cisco.com/blog/12341806/upgrading-identity-services-engine-ise-13

~ Jatin


nspasov
Cisco Employee

Are the instances virtual or physical? If virtual, "snapshots" are your best friend. If they are physical, make sure you have valid and recent backups. Also, make sure you know the "encryption key" for the backups, as otherwise they are worthless :)

Thank you for rating helpful posts!