2783 Views | 15 Helpful | 11 Replies
Upgrade Cisco ISE 2.6 patch-10 to ISE 3.1 patch-1

Looking for guidance on how to upgrade my environment from ISE 2.6 patch-10 to ISE 3.1 patch-1 on appliances 3615.

Below are my steps:

Existing Environment is Cisco ISE version 2.6 patch 10:
- nycacsc001 is Primary Admin, Primary MNT and PSN,
- vacacsc001 is the Secondary Admin, Secondary MNT and PSN

Objective: Upgrade the environment to Cisco ISE 3.1


Step A: backup configuration from nycacsc001
Step B: deregister vacacsc001 from cluster
Step C: re-image vacacsc001 with 3.1 ise-3.1.0.518.SPA.x86_64.iso
Step D: Patch vacacsc001 with ise-patchbundle-3.1.0.518-Patch1-21120304.SPA.x86_64.tar.gz
Step E: restore the configuration from nycacsc001 to vacacsc001
Step F: Make vacacsc001 Primary Admin, Primary MNT and PSN
Step G: Validation to confirm that everything works with Firewalls, F5, routers, switches, Aruba, Cisco ISE, etc... (turn off ISE service on nycacsc001)
Step H: re-image nycacsc001 with 3.1 ise-3.1.0.518.SPA.x86_64.iso
Step I: Patch nycacsc001 with ise-patchbundle-3.1.0.518-Patch1-21120304.SPA.x86_64.tar.gz
Step J: Add nycacsc001 into the cluster and make it the Secondary Admin, Secondary MNT and PSN
Step K: Validation to confirm that everything works with Firewalls, F5, routers, switches, Aruba, Cisco ISE, etc... (turn off ISE service on vacacsc001)

Anyone see issues with this?

TIA

2 Accepted Solutions: the replies from Marvin Rhoads and Mike.Cifelli below.

11 Replies

Marvin Rhoads
Hall of Fame
Hall of Fame

It's not really necessary to re-image, although that would work as you describe.

Please note you should run the Upgrade Readiness Tool first to check for any latent issues (even if you aren't doing an inline upgrade). Also check your certificates and trusted certificates for any expired ones. You will need to export the current cluster's certificates to move them over in that case.

You didn't mention licensing. You will need to move to Smart licenses if you aren't already using them. Also you will need any current Base/Plus/Apex licenses to be re-provisioned as the new Essentials/Advantage/Premium types.

I thought the method I described is the recommended approach by Cisco, no?

I do not use any certificates on the ISE other than the existing default certificates that come with ISE, so I don't think I need to export them, right?

Yes, I am aware of the Smart Licensing. I need to open my Cisco ISE appliances to communicate with tools.cisco.com, tools1.cisco.com and tools2.cisco.com over https.

Btw, I am only using the ISE appliance for device administration such as TACACS+ and RADIUS, and nothing else.

Thoughts?

I am currently in the process of upgrading from 2.6 Patch 10 to 3.1 Patch 1 myself. Although you can use the built-in upgrade option with the upgrade file, I am utilizing the backup/restore method that you are looking at doing. My cluster is a little more extensive, but the process is spot on with what you explained in your first post since you don't have any certificates other than self-signed.

As far as licensing goes, the other guys are correct about having to convert from the 2.x style to the 3.x style. I currently have a TAC case in trying to get this accomplished. You do however get the 90-day evaluation and that's what I'm using until TAC can convert my licenses.

I used my method and it works without issues. However, I get a yellow triangle on the secondary node in the deployment section. I opened a TAC case with Cisco and they are investigating. Hopefully, it is not another bug.

I tested that in my lab and it is working as expected BUT now the Primary Admin/MNT/PSN is not replicating with the Secondary Admin/MNT/PSN. After troubleshooting it for two days with Cisco TAC, I finally gave the backup configuration to TAC and he is able to reproduce the issue in his environment. Still waiting for an update.

The TAC engineer has escalated this case to engineering for further investigation and very likely a "bug". The issue cannot be reproduced all the time, only around 50% of the time. That makes it even harder to investigate.

In either case, it does not look good for ISE version 3.1.

Mike.Cifelli
VIP Alumni
VIP Alumni

Adding a few things:

-No matter what level of licensing you are currently using the model has changed as of 3.0 which requires TAC to migrate the licenses. See here: Products - ISE Licensing Migration Guide - Cisco

-As @Marvin Rhoads mentioned you should run the URT tool which will help identify readiness and any issues. Not sure why you would do a fresh reimage as mentioned in step C but that would probably work. Why not just do the inline bundle upgrade + patch apply?

-Strongly suggest opening two prelim TAC cases: 1 for license migration, which I have been advised to do post upgrade via TAC; 1 for actual upgrade just in case you need assistance if you hit any bumps in the road.

-This will help: Cisco ISE 3.1 Upgrade Guide: Upgrade Method - Cisco

Charlie Moreton
Cisco Employee
Cisco Employee

@Marvin Rhoads and @Mike.Cifelli have it right. URT should be run first. Inline upgrade via GUI for this deployment is the easiest option here. I always stress the importance of creating a backup prior to upgrade. PKI store as well. I know that you are only using the self-signed certificates due to this being a Device Admin only deployment, but it's a good habit to get into.

You will also need to upgrade your VM License to the VM Common license prior to upgrading to 3.1 (VMC is a requirement of 3.1). Use the L-ISE-VMC-UPG= SKU to upgrade the VM licenses ($0).

I have scheduled backups of the system every day. I thought that is a given, no?

Daily ISE backups are perhaps a bit overdoing it.

However about 1/4 to 1/3 of the customer ISE deployments I come across don't have any valid backups.

So we don't assume anything.

I back up ISE daily to two different external SFTP Linux systems. There are constant changes to the ISE system so it is prudent to back up the ISE on a daily basis.

After the backup, I have a script to compare the file size and md5sum to make sure that they are the same, all automated via a Python script. It is not that difficult.
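The size-and-md5sum comparison described in the post above, written here as an added example for this page; it is not the poster's own script. It assumes the two archives fetched from the SFTP hosts are readable as local paths (mounted, or pulled down first); the function names, the sample `.gpg` file names and the constructed payload in `demo()` are assumptions.

```python
"""Check that every copy of an ISE backup archive has the same size and md5.

Added example, not the poster's script. The archives are assumed to be
reachable as local paths; names and sample data below are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large archive is never loaded whole


@dataclass(frozen=True)
class Fingerprint:
    size: int
    md5: str


def fingerprint_bytes(data: bytes) -> Fingerprint:
    """Size and md5 of an in-memory blob (handy for small archives and for tests)."""
    return Fingerprint(len(data), hashlib.md5(data).hexdigest())


def fingerprint_file(path: str) -> Fingerprint:
    """Stream a file through md5; the size comes from stat, like the SFTP listing."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return Fingerprint(os.stat(path).st_size, digest.hexdigest())


def copies_consistent(fingerprints: Dict[str, Fingerprint]) -> Tuple[bool, List[str]]:
    """True when all copies share one size and md5; otherwise list the copies that differ.

    The size check is cheap and catches truncated transfers; the md5 catches
    corruption that keeps the length intact. md5 is adequate for spotting
    accidental corruption, which is what this check is for; it is not a
    tamper-evidence control, since the hash is stored next to the data.
    """
    reference = next(iter(fingerprints.values()))
    mismatches = [path for path, fp in fingerprints.items() if fp != reference]
    return (not mismatches, mismatches)


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: two identical copies pass, a truncated third copy fails."""
    payload = b"ISE-config-backup-" * 1000  # stand-in for the real archive bytes
    with tempfile.TemporaryDirectory() as tmp:
        copy_a = os.path.join(tmp, "sftp1-backup.gpg")  # assumed name
        copy_b = os.path.join(tmp, "sftp2-backup.gpg")  # assumed name
        truncated = os.path.join(tmp, "sftp2-backup-short.gpg")  # assumed name
        for path in (copy_a, copy_b):
            with open(path, "wb") as fh:
                fh.write(payload)
        with open(truncated, "wb") as fh:
            fh.write(payload[:-1])  # one byte short, as a failed transfer would be
        pair_ok, _ = copies_consistent({p: fingerprint_file(p) for p in (copy_a, copy_b)})
        trio_ok, bad = copies_consistent(
            {p: fingerprint_file(p) for p in (copy_a, copy_b, truncated)}
        )
        print("pair consistent:", pair_ok, "| trio consistent:", trio_ok, "| differing:", bad)
    return pair_ok, trio_ok


if __name__ == "__main__":
    demo()
```

Point `fingerprint_file` at the two downloaded archives and feed the results to `copies_consistent`; a non-empty mismatch list is the signal to re-run the transfer rather than trust that night's backup.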