Upgrading ISE from 2.4 to 2.6 suggestions and recommended patch

waqas gondal
Level 1

Hi!

I am looking at upgrading ISE from 2.4 to 2.6 and wanted to know what the recommended patch would be in 2.6.

Ideally I am looking for the patch with the least issues in terms of 802.1x auth using the native Windows supplicant and TACACS authentication.

Cheers,

Waqas

Accepted Solutions

balaji.bandi
Hall of Fame

2.4 to 2.6 is a straight upgrade. Download ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz from Cisco Download.

I did the below steps:

1. Config backup, if any

2. Download the FileZilla FTP server

3. Copy the image to the FTP server, make a username and password (make a folder as root)

4. Log in to ISE and make an FTP repository

# config t

repository ftp

url ftp://ipaddress

user bbandi password plain my password   <-- change this as per requirement.

exit

Check the repository:

show repository ftp

You can view the files from the FTP server.

Check whether any certificates have expired in ISE, because the upgrade fails after spending hours or so, so make sure no certificate is expired, and have at least 20-50GB free space before you start the below:

5. application upgrade ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz ftp

BB


8 Replies

Thanks Balaji,

We have 2 ISE nodes for redundancy, should we do the primary or secondary first?

The secondary should go first if you are doing an in-place inline upgrade.

I will add two things you should look at with the process above.

  1. Add a step to the above process. You should run the URT bundle on the secondary node before upgrading. The URT tests the upgrade in a new partition to catch any errors such as expired certs or incompatible configuration objects.
  2. You can save time and upgrade failures by copying the upgrade bundle directly to localdisk of the ISE nodes, then defining / as a local disk: repo. If you have a slow link between the FTP server and ISE, the FTP copy can time out during the upgrade process.


Also, any reason you are looking to upgrade to 2.6 versus Cisco's current "gold star" recommendation of 2.7? Not to say 2.6 isn't a fine release, just not where most are looking to go right now. I know you're asking for the most stable and problem-free release for 802.1x; upgrading comes with risks, and 2.4p13 is the most mature release in that regard and still supported. Most risk-averse customers don't upgrade unless support is ending for their current release train or they require a specific feature only found in a new release.
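The two additions suggested in the reply above (URT first, bundle served from the node's local disk), written out as an ISE CLI sequence. This is an added example, not part of the original thread: the repository name `upgrade`, the prompt `ise-sec/admin` and the `<URT-BUNDLE-FILE>` placeholder are assumptions, and `ipaddress` is the FTP server from the accepted solution.

```text
! Added illustration. Lines starting with "!" are annotations, not commands to type.
! Assumed names: repository "upgrade", prompt "ise-sec/admin", <URT-BUNDLE-FILE> placeholder.
! Run on the secondary node first.

! 1. Pull both bundles onto the node's local disk, so a slow FTP link
!    cannot time out in the middle of the upgrade itself.
ise-sec/admin# copy ftp://ipaddress/ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz disk:/
ise-sec/admin# copy ftp://ipaddress/<URT-BUNDLE-FILE> disk:/

! 2. Define / on the local disk as a repository.
ise-sec/admin# configure terminal
ise-sec/admin(config)# repository upgrade
ise-sec/admin(config-Repository)# url disk:/
ise-sec/admin(config-Repository)# exit
ise-sec/admin(config)# exit

! 3. Confirm both files are listed before starting anything long-running.
ise-sec/admin# show repository upgrade

! 4. Run the URT. Fix whatever it reports (expired certs, incompatible
!    configuration objects) and rerun until it passes.
ise-sec/admin# application install <URT-BUNDLE-FILE> upgrade

! 5. Only after a clean URT run, upgrade from the local repository.
ise-sec/admin# application upgrade ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz upgrade
```

Repeat the same sequence on the primary once the secondary is back up and healthy on 2.6.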

Hey Damien, how's it going?

The reason for this upgrade is partly because most of our users are working from home so we have an opportunity to do this with minimal disruption.

Also there is a possibility for a DNAC implementation in the near future. The minimum ISE needs to be on for that is 2.5, which you probably know. The reason we didn't go with 2.7 is because of the long term support on the even numbered releases. Also I have heard of some environments having issues in 2.7.

Thanks,

Waqas

As of ISE 2.7, there are no longer 'long-live' vs. 'short-live' releases. All releases from 2.7 are considered 'long-live' and subject to this Release Lifecycle.

As @Damien Miller stated, ISE 2.7 is currently the Recommended version by the Cisco BU based on stability and support lifecycle. There have been 2 patches released to resolve known bugs/vulnerabilities as documented in the Release Notes but, as with any software product, we recommend regression testing in a non-Prod environment if possible before rolling out to Production.

@waqas gondal For the future since you mentioned DNAC use the following for compatibility purposes:

https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html

If you have issues or concerns with versioning engage TAC and/or your rep because if you are running DNAC and ISE versions that are not depicted as supported you may encounter some difficulties should you face issues where you need TAC to engage.  HTH!

 

Secondary first, then so on; if any issue arises, you have the primary running as expected.

 

BB


Peter Koltl
Level 7

I don’t understand why 2.6
