Solved: Re: Upgrade from 2.4 to 2.7/3.0

Kalimoz · ‎01-27-2021

As the title suggest, as anyone already made the upgrade from version 2.4 to 2.7/3.0 in a production environment? If so did everything went ok?

Mike.Cifelli · ‎01-27-2021

Yes. I recently moved an old cluster from 2.4p9 to a brand new cluster running 2.7p2. Not sure if you are planning on doing an in place upgrade, or if will you build out a new cluster and perform restore from backup. However, if you decide to upgrade in place you can do a few things to save time. Those things include patching the 2.4 cluster with the latest patch, purging old logs, ensuring you run the URT tool, and open a ticket with TAC just in case. As of today ISE 2.7 is the suggested/more stable release. I do know that 2.7p3 is hitting the street very soon so you may want to consider moving to that (last I heard it should be out Feb 2021). As far as any known issues with 2.7 here are a couple of bugs I have encountered recently:

NTP bug - Bug Search (cisco.com)

Posture Auto-Update bug - Bug Search (cisco.com)

FYSA I have been advised that both of those are due to be fixed in 2.7p3. Lastly, my recommendation would be to move to 2.7 and not 3.0 for now. HTH!

View solution in original post

marce1000 · ‎01-27-2021

- Are you sure you want to be on 3.0 on a business environment, I don't want to invoke bashing. I think ISE is outstanding , but it collides with flexible upgrading in business critical environments, especially and also due to the multi-node model. I always used to make a new deployment ready and switch radius-authenticators in switches and wireless controllers accordingly. Much more safe and easy to fallback if things are not working in the new environment.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Mike.Cifelli · ‎01-27-2021

Yes. I recently moved an old cluster from 2.4p9 to a brand new cluster running 2.7p2. Not sure if you are planning on doing an in place upgrade, or if will you build out a new cluster and perform restore from backup. However, if you decide to upgrade in place you can do a few things to save time. Those things include patching the 2.4 cluster with the latest patch, purging old logs, ensuring you run the URT tool, and open a ticket with TAC just in case. As of today ISE 2.7 is the suggested/more stable release. I do know that 2.7p3 is hitting the street very soon so you may want to consider moving to that (last I heard it should be out Feb 2021). As far as any known issues with 2.7 here are a couple of bugs I have encountered recently:

NTP bug - Bug Search (cisco.com)

Posture Auto-Update bug - Bug Search (cisco.com)

FYSA I have been advised that both of those are due to be fixed in 2.7p3. Lastly, my recommendation would be to move to 2.7 and not 3.0 for now. HTH!

Marcelo Morais · ‎01-27-2021

Hi @Kalimoz ,

please keep in mind that:

ISE 3.0 is only able to use Smart Licensing (no support for Traditional Licensing).

ISE 3.0 latest patch is P1 (Dec, 2020)

ISE 2.7 is the Suggested Released from Cisco ... the latest patch is P2 (Jul, 2020)

ISE 2.7 P3 will probably be released on Feb, 2021.

Do you need any specific feature of ISE 3.0 (for ex.: MS Azure AD as an Identity Store)?

Hope this helps !!