Upgrade ISE 2.3 to 2.4, new HW

Servicio Tac
Level 1

Hi team

 

I am planning the upgrade from ISE 2.3 to ISE 2.4 in a two-node deployment to new HW. I have already read the upgrade document and I think this is the procedure.

 

ise01a = ise 2.3 primary node (3415)

ise02a = ise 2.3 secondary node (3415)

ise01b = ise 2.4 (3655)

ise02b = ise 2.4 (3655)

 

1.- Take a configuration and operation backup from ise01a, also the show run from ise01a and ise02a

2.- Export the certificate from ise01a

3.- Deregister ise02a from 2.3 deployment.

4.- Shutdown ise02a

5.- Power on ise02b (the appliance already has the version 2.4 patch 10 loaded)

6.- Load the show run from ise02a to ise02b 

7.- Restore the ise02b from configuration/operational backup from ise01a

8.- Import the certificate from ise01a

9.- Assign ise02b as primary node.

10.- Shutdown ise01a

11.- Power on ise01b (the appliance already has the version 2.4 patch 10 loaded)

10.- Load the show run from ise01a to ise01b 

11.- Restore the ise01b from configuration/operational backup from ise01a

12.- Assign ise02b as secondary node.

13.- Change the ise01b as primary and ise02b as secondary

 

Am I OK with the procedure?

 

Regards.

 

2 Replies

Arne Bier
VIP

I think you may face an issue with

7.- Restore the ise02b from configuration/operational backup from ise01a

8.- Import the certificate from ise01a

 

When you restore the config backup onto ise02b, then the node should also get the certificate that you had on ise02a, and not ise01a - the FQDN on ise02b must match the Subject Common Name of the Admin cert (or ... unless you have a wildcard cert or Multi-Domain Cert, then ignore what I have said - but check your Admin cert to ensure it will match the node's FQDN)

 

Step 11 is not correct

11.- Restore the ise01b from configuration/operational backup from ise01a

You don't restore the config - you need to register the secondary node to the primary. Once done, the Secondary syncs up with the Primary.

 

This step happens during the registration phase.

12.- Assign ise02b as secondary node.

 

So I would say steps 11 and 12 would look like this

11. Install Cert Chain (Trusted Certs) for the Admin cert you're going to use. Then import the Admin cert from ise01a

12. From ise02b Register the new node ise02a and assign it the Secondary roles (Admin/MnT) and all the other stuff like Policy etc.

 

This is a very condensed version. There are many moving parts but you're on the right track.

 

I normally don't migrate certs from old system to new system. I would create a CSR on each node and have new certs created. 

Thanks for your answer

 

The idea is to have the lowest impact on the end user; that's why we want to export the certificates from 2.3 to 2.4

 

You are right about the certificate and FQDN... Maybe an option is to start the procedure with the node ise01a to ise01b

 

Regards.
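The certificate/FQDN point raised in the reply can be checked before any cert is imported. The following is an added example, not part of the original thread and not Cisco code: it compares each node's FQDN with the Subject CN and SAN DNS names read from the exported Admin cert. The `example.test` names and the plan entries are constructed, and the matching rules (CN or SAN, wildcard only as the whole left-most label) are an assumption rather than ISE's documented behaviour.

```python
# Added example: pre-flight check that an exported Admin cert covers a node's FQDN.
# All host names below are constructed; matching rules are an assumption.

def name_matches(pattern: str, fqdn: str) -> bool:
    """Match one certificate name against a node FQDN.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label: '*.example.test' covers 'ise02a.example.test'
    but not 'example.test' or 'a.b.example.test'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(fqdn, subject_cn, san_dns=()):
    """True if the Subject CN or any SAN DNS entry matches the FQDN."""
    return any(name_matches(n, fqdn) for n in (subject_cn, *san_dns) if n)


def preflight(plan):
    """plan: [(label, node_fqdn, subject_cn, san_dns)] -> labels that mismatch."""
    return [label for label, fqdn, cn, sans in plan
            if not cert_covers(fqdn, cn, sans)]


# Constructed plan. ise02b is assumed to take ise02a's hostname from the
# loaded show run, so its FQDN is ise02a.example.test in every row.
NODE = "ise02a.example.test"
PLAN = [
    ("ise01a cert on ise02b", NODE, "ise01a.example.test", []),
    ("ise02a cert on ise02b", NODE, "ise02a.example.test", []),
    ("wildcard cert on ise02b", NODE, "*.example.test", []),
    ("multi-domain cert on ise02b", NODE, "ise.example.test",
     ["ise01a.example.test", "ise02a.example.test"]),
]

if __name__ == "__main__":
    for label in preflight(PLAN):
        print("MISMATCH:", label)
```

Only the first row is reported, which is the case the reply warns about: a single-name cert from ise01a placed on the node that answers as ise02a.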
