Upgrade question for ISE 1.1.1 to 1.1.2 patch 8

marioderosa2008 · ‎07-04-2013

Hi everyone,

I need some advise on upgrading from ISE 1.1.1 patch 3 to 1.1.2 patch 8...

I have read the upgrade document on the Cisco website http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upgrade.html and tried to understand it properly, but I have a couple of questions about it.

Firstly, the procesdures detailed are only relevant if you are upgrading from 1.0 or 1.1 to 1.1.x ( i think )... Well I am already running 1.1.1 and I want to upgrade to 1.1.2 patch 8, so is this document right for me?

Secondly, I would like to follow the procedure for a "Two Admin Node Deployment". But the caveat message and Warning message directly below the diagram worries me as I do not know whether these apply to me...

This supports an upgrade of Cisco ISE, Release 1.0 or 1.1 to Cisco ISE, Release 1.1.x with split domain upgrade only, so that the secondary ISE node has to be deregistered individually from the deployment before upgrade.

As I said, firstly I am not upgrading from 1.0 or 1.1 and secondly, what is a split domain upgrade?

Hope you all can help!

thanks

Mario

Tarik Admani · ‎07-06-2013

Hi,

A split domain upgrade is exactly what you are trying to do. Spilt domain is seen when you have more than one node or else you would be considered standalone.

Split domain refers to the state of the upgrade process as you upgrade each node from 1.1.1 to 1.1.2. Some nodes will be on both versions since you have to run the upgrade when rhe node is in a standalone state

Let me know if this helps and if you have any further questions.

Sent from Cisco Technical Support Android App

Ravi Singh · ‎07-07-2013

To upgrade the Cisco ISE nodes in a distributed deployment to Release 1.1.x, you must use the split deployment upgrade method.

The configuration changes that are made to the Primary Administration ISE node database are applied to the secondary Administration ISE node, the Inline Posture node, and all the secondary nodes in your deployment. This allows you to replicate the database on all the nodes from the Primary Administration ISE node so that each node has a local copy of the configuration. Replication of configuration data across all nodes may introduce complications in terms of functionality changes that are implemented within the latest version and the required configuration.

For more information on centralized configuration and management of Cisco ISE nodes in a distributed deployment, see Cisco Identity Services Engine User Guide, Release 1.1.x, Chapter 10, "Setting Up ISE in a Distributed Environment".

marioderosa2008 · ‎07-09-2013

Thanks Ravi / Tarik,

so I need to perform a split domain upgrade by following the steps below... (sorry about the formatting)

To perform a two-adminnode deployment upgrade, complete the following procedure:

Step 1

Perform an on-demand backup (manually) of the Primary Administration ISE node from the admin user interface or CLI and an on-demand backup of the Monitoring node from the admin user interface, before upgrading to Cisco ISE, Release 1.1.x.

.

Step 2

Deregister the secondary node (Node B) from the deployment setup. After deregistration, this node becomes a standalone node.

Step 3

Upgrade this standalone node to Cisco ISE, Release 1.1.x.

When you log in to Node B after the upgrade, if the system prompts you for a license, you must install a valid license for the secondary node based on its UDI. See Obtaining a Valid License, page 1-2 for more information.

For more information on how perform an on-demand backup, see the "Performing an On-Demand Backup" section on page 1-3

Step 4

Convert the primary node of the previous deployment (Node A) to a standalone node.

Step 5

Make Node B as the primary node in the new deployment.

Step 6

Upgrade Node A to Cisco ISE, Release 1.1.x and register to Node B in the Cisco ISE, Release 1.1.x deployment setup as the secondary node.

After you upgrade your deployment, all the policies and other data of the previous deployment will be retained in your new deployment.

marioderosa2008 · ‎07-09-2013

Also,

do you guys recommend that I follow the "Obtain a Valid License" section too?

Because I am upgrading from 1.1.1 to 1.1.2, does the license issue on the newly promoted Admin node apply to me? I cant quite understand from the guide whether it does apply to my scenario or not.

thanks

Mario

Venkatesh Attuluri · ‎07-09-2013

You are using the right link for upgrading process.

Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2

Prerequisite

Before you upgrade, ensure that you delete all policies that use the "Blacklist_Access" authorization profile. For more details, refer to CSCub17140.

Before you can upgrade to Cisco ISE, Release 1.1.2, you must first be sure you have upgraded your machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the upgrade procedure, see the

http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upgrade.html

marioderosa2008 · ‎07-20-2013

Hi,

i am in the middle of performing this upgrade and I am finding that when i de-register my secondary admin `node, the secondary admin node loses its license information.

i have read the document and followed to the letter... but i am still losing the license.

The document states that you must have installed 1.1 patch 3 before upgrading to 1.1.x

well, I am already running 1.1.1.268 patch 3 and the secondary admin node is still losing its license when de-registered from the deployment...

can any one help?

I dont really want to go through the process of "Obtaining A New License" because I do not have any support for the ISE and not sure if this is chargeable..

any help appreciated... thanks

Mario

Jatin Katyal · ‎07-20-2013

What you're seeing is an expected behavior.

Here is an document that you may refer. Please review 3

http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upg_dis_dep.html#wp1052969

Step 3 Deregister the secondary node (Node B) from the deployment setup. After deregistration, this node becomes a standalone node. Upgrade this standalone node to Cisco ISE.

When you log in to Node B after the upgrade, if the system prompts you for a license, you must install a valid license for the secondary node based on its UDI. See Obtaining a Valid License for more information

Prerequisite:

•Make sure you have the license file for your Primary Administration ISE node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example) contact Cisco TAC for assistance.

•Ensure that you have a copy of the license that you install initally. You need to reinstall the license while completing the upgrade.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

marioderosa2008 · ‎07-20-2013

Hi Jatin,

I thought that initially, but then in the document, it advises the below... We are already running on 1.1.1.268 patch 3 which is supposed to ensure that the license does not get "lost"... so i cannot understand why the license is getting lost.

Before You Begin

Before you upgrade your deployment, you must do the following:

•
If you are upgrading from Release 1.0, follow the instructions listed in "Obtaining a Valid License" section on page 1-2.

•

If you are running Cisco ISE, Release 1.1, then you must apply ISE 1.1 patch 3 before you can upgrade to Cisco ISE, Release 1.1.x. Applying this patch ensures that your secondary Cisco Administration ISE node’s license is not lost during the upgrade process

marioderosa2008 · ‎07-29-2013

Hi Jatin,

just to give you an update, I received a new license file from our Cisco Partner and when i tried to do the upgrade last weekend I got an error message when trying to import the license file in to the secondary admin node. Something about incorrect UDI...

Looks like Cisco gave us a license file based on the UDI of the primary administration node rather than the secondary administration node.

Now Cisco are advising our Cisco Partner / reseller that a new license may be required for the secondary administration node....

This whole upgrade process is a bit of a headache and I am wondering whether you or any one else on this forum have had similar issues.

I almost feel like I would do better doing the following...

1. deregister the secondary admin node

2. upgrade the primary admin node with 1.1.2 patch 8

3. build a new standalone ISE with 1.1.2 software

4. install patch 8 on the new standalone ISE node

5. add the new standalone ISE to the existing deployment ( In the hope that the new ISE will use the license already istalled on the Primary adminstration node)

6. then make the new ISE secondary admin node and primary monitoring node.

Do you think that will work?

Thanks

Mario

Tarik Admani · ‎07-29-2013

Mario,

If you have the SO or the PAK that was used to purchase your ise against, the licensing team should understand that you are performing an ISE upgrade. You will have to let them know that you need the licenses "rehosted" against the udi of the secondary node in order to promote it the the new primary to complete and upgrade.

Something could have slipped in the conversation but it would best if you opened the TAC case and had them rehost the licenses yourself.

Tarik Admani
*Please rate helpful posts*