Hi,

I recently upgraded ISE1.4-P8 to 2.7-P7. It was not an easy task, 4 TAC engineers helped, and the result was great, almost no downtime cutover. I would like to share the process to help others.

The original ISE 1.4 Deployment, 2 x PANs - ISE-VM-K9, 2 x PSNs- ISE 3355 appliances.

Follow the link below.

https://community.cisco.com/t5/security-knowledge-base/ise-version-upgrade-matrix/ta-p/3653501

The original plan was to patch 1.4 to P12> upgrade to 2.2> patch to P14> then upgrade to 2.7

The first problem, ISE 3355 Appliance is no longer supported.

So, the new plan is to build new 1 new PAN with 2.2 OVA file, restore with 1.4 backup, then upgrade to 2.7. Build 2 PSNs with 2.7 ova, then join PSNs to PANs to sync configuration.

Detail plan,

1. Buckup configuration on ISE 1.4
2. Backup certificate
3. Build 1 new PAN ISE-VM (ISE 2.2 OVA file - Virtual SNS-3495 (recommend for PAN or MnT))
4. Build 2 new PSN ISE-VM(ISE 2.7 OVA file - 600GB disk for Small or Medium (Recommend for PAN or MnT))
5. Restore 2.2 PAN from the 1.4 backup
6. Patch 2.2 PAN to patch12
7. Upgrade 2.2 PAN to 2.7
8. Patch 2.7 PAN to the latest patch
9. Patch 2.7 PSN to the latest patch
10. Upload certificate to PAN and PSN.
11. Isolate one PSN 1.4
12. Join one 2.7 PSN to 2.7 PAN to sync all configuration.
13. Confirm authorization log on the new PAN from the new PSN
14. Isolate second PSN1.4
15. Join the second PSN to 2.7 PAN to sync all configuration.
16. Confirm authorization log on the new PAN from the new PSN
17. Confirm the success.

Quickly, I’m facing the first error; when upgrading 2.2 to 2.7 the install stopped halfway for days.

Logged a TAC case, and they found it related to the BUG (CSCvk28137), and too many authentications police.

So, I started to reduce authentication rules to under 140, then tried to install the 2.7 upgrades again, but not much luck, and failed again.

By more search, I find a Cisco ISE upgrade guide, and it suggests a Backup/restore method, but I can’t find any upgrade matrix for this method. So, I had a new plan to try.

New plan.

1. Backup 1.4 configuration.
2. Build a new 2.2 PAN VM, and restore from 1.4 backup.
3. Patch 2.2 to Patch 12, then back configuration.
4. Build a new 2.7 PAN VM, then restore from 2.2 backup.
5. Patch 2.7 PAN to the latest.
6. Patch 2.7 PSN to the latest patch
7. Upload certificate to PAN and PSN.
8. Isolate one PSN 1.4
9. Join one 2.7 PSN to 2.7 PAN to sync all configuration.
10. Confirm authorization log on the new PAN from the new PSN
11. Isolate second PSN1.4
12. Join the second PSN to 2.7 PAN to sync all configuration.
13. Confirm authorization log on the new PAN from the new PSN
14. Confirm the success.

Then I met the second error, the new 1.4 configuration backup doesn’t work on the 2.2 restore.

“Error: Cannot find ise backup instance.log in the backup file. Restore aborted.”

TAC doesn’t know about this error, and because 1.4 and 2.2 are all end-of-life, TAC couldn’t give more help.

Luckily, the original 1.4 configure backup works, the file size is different, I’m still not sure why.

Each restore will take about 2-4 hours, especially from 2.2 to 2.7 almost overnight, depending on the number of rules.

Each restore will convert the database. because 2.7 the policy structure is different, you can find each policy will assign one authentication policy and all authorization policies, it looks very messy, but it works.

Other problems during the cutover.

No log showing after the cutover, go to “Administration”-“logging”-“logging settings”- untick “Using “ISE Messaging Service” for UDP syslogs delivery by MnT””

Nodes Queue link alarms.

Causing by ISE messaging certificate missing, regenerate ISE messaging certificate and Root CA.

Thanks,

David