Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
2
Helpful
8
Replies

YAIU - Yet Another ISE Upgrade - question

Gioacchino
Level 1
Level 1

‎07-19-2023 05:13 AM - edited ‎07-19-2023 05:14 AM

Hi all,

I'm in charge to safely bring a pair of SNS-3615-K9 from 2.7 patch 2 to the latest ISE release, 3.2.0.
I'm looking for the safest solution and to minimize downtime. Needless to say 2.7 must be upgraded to the latest patch, at the moment being 12. To minimize downtime I would think to have the new and the old setup running at the same time (same IP addresses) and isolating one or the other, depending if I want to test the new one or go back to the old one; of course I will take into account all the links with the external source of authentication/authorization, and make sure that whenever there is a switchover, the exposed instance can talk with them.

At first, thiniking the ISE VM would be available with full features for a limited period of time, I thought to build up two VMs and restore the backup from 2.7, but then I realized that it is not possible. Still I would like to go for the backup-and-restore solution

Is my way feasible any how? Or how would you do that?

Any hints and advices will be very welcome!

Gio

 

0 Helpful
8 Replies 8

craiglebutt
Level 4
Level 4

‎07-19-2023 05:32 AM

I'm actually upgrading next week 6 servers.

Servers are on VM ready to power up, I'll build my new PAN and enable PSN, test the confing on here as not being used as a PSN in live, then I'll remove the IP from the WLAN in the AM, which causes a split second outage, and build new PSN, then at the end add the IP back to the WLANS.

Hope this helps

0 Helpful

Gioacchino
Level 1
Level 1

‎07-19-2023 06:41 AM

Thanks @craiglebutt ,

so if I understand correctly, you build a new VM with both of the roles PAN and PSN, test the config in there; then "remove the IP from the WLAN in the AM" (I'm not sure what actually that means), then add extra PSNs to the setup and put back the IPs.
As you said in another comment, for new VMs you need license: hence I guess you pay the licenses also for the new VMs, am I right?

BYW, since i'm new to this ISE setup, I wonder where to find the information about the licenses used and their expiration date, would you know how to check them out?

Gio

0 Helpful

craiglebutt
Level 4
Level 4
In response to Gioacchino

‎07-19-2023 06:58 AM

Cisco ISE Licensing Guide - Cisco

"WLAN in the AM" (I'm not sure what actually that means)," what I found the hard way was when my SSIDs had the radius settings added and when I was building my new PSN, the SSIDs where still pointing to them and as there was no config, this caused issue, they didn't failove to next PSN as the PSN was up.  So safest way was to remove the IP to the PSN i'm working on, as I have 2 per site, I point all the SSIDs to the PSNs on another site and revert back at the end.  Unforutnetly we are not able to run 2 deployments in tandem due to resources

0 Helpful

ammahend
VIP
VIP

‎07-19-2023 07:21 AM - edited ‎07-19-2023 07:27 AM

"At first, thiniking the ISE VM would be available with full features for a limited period of time, I thought to build up two VMs and restore the backup from 2.7, but then I realized that it is not possible"

I haven't done it first hand yet, however 3.2 upgrade from ISE 2.7 backup and restore is supported, what makes you say its not possible ?

Check table 1

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/upgrade_guide/Upgrade_Journey/PDF/b_ise_upgrade_guide_3_2_pdf/m_upgrademethods.html#id_121933

 

-hope this helps-
0 Helpful

Gioacchino
Level 1
Level 1
In response to ammahend

‎07-19-2023 07:41 AM

Sorry @ammahend, instead of "it's not possible" you should have read "it's not a licensing option available". It referred to "thiniking the ISE VM would be available with full features for a limited period of time". In that sens I said that.

Gio

0 Helpful

ammahend
VIP
VIP
In response to Gioacchino

‎07-19-2023 09:09 AM

understood, I just wanted to make sure you are making informed decision.

-hope this helps-
0 Helpful

craiglebutt
Level 4
Level 4
In response to ammahend

‎07-19-2023 07:43 AM

????

"I haven't done it first hand yet, however 3.2 upgrade from ISE 2.7 backup and restore is supported, what makes you say its not possible ?"  Can you show me where I said it isn't possible, it is possible I'm going from 2.7 patch 9 to 3.2 next week.


What I said is I Can't run 2 in tandem, as don't have the VM Ressources to do so.

As for licecnes, you will have so long to get the licences, ISE will remind you to ourchase them every day.

0 Helpful

thomas
Cisco Employee
Cisco Employee

‎07-19-2023 08:18 AM

Have you watched the webinar?

 Upgrading your Cisco ISE Deployment 2021/09/07

01:44 ISE Versions and Suggested Releases
02:57 ISE 3.1 Release Features
03:40 Supported Releases for Upgrading to ISE 3.1
06:02 Upgrade Workflow
07:04 Upgrade Methods: Backup & Restore, GUI, or CLI
11:00 Upgrade Preparations: Backup, Certs, Health Check
14:32 Upgrade Options Overview: Split and Full Upgrades
17:40 Full Upgrade Process Details
21:28 Upgrade Pre-Checks
27:09 Demo of Full Upgrade from ISE 2.7 to 3.1
38:45 Split Upgrade Process Details
44:11 Demo of Split Upgrade from ISE 2.6 to 3.1
52:38 Split vs Full Upgrade Process Comparison
54:38 Post Upgrade Tasks
56:13 ISE Upgrade Resources

Customers Also Viewed These Support Documents