Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
251
Views
1
Helpful
3
Replies

Ugrading ISE from 2.7 to 3.3 - Small deployment, downtime

Go to solution
discretemathlover
Level 1
Level 1

‎09-04-2025 05:50 AM

Hello everyone,

I have a small ISE deployment consisting of two nodes in High Availability (HA) mode (primary and secondary) currently running on ISE version 2.7. I have been tasked with upgrading them to version 3.3, and I would like to share my current upgrade plan for feedback:

  1. Deregister Node2.
  2. Upgrade Node2 from version 2.7 to 3.2 via CLI.
  3. Upgrade Node2 from version 3.2 to 3.3 via CLI.
  4. Deregister Node1. (this will involve temporary downtime)
  5. Register Node2 as the primary node.
  6. Reimage Node1 with version 3.3 using Node2's configuration and setup.
  7. Register Node1 as the secondary node.

I have a specific question regarding the upgrade process:

Is it necessary to deregister Node1 before registering Node2, or can I have both nodes running on different versions simultaneously while they are registered?

Thank you in advance for your insights! Additionally, if there are any best practices or important details I may have overlooked, please feel free to share.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to discretemathlover

‎09-04-2025 07:08 AM

You don't upgrade the nodes per se, you replace them with new nodes.

1. Build a new node with ISE 3.2, install latest patch. Be sure to carefully consider the VM requirements and give it sufficient compute and memory resources. Give it the same host name and IP address as the current secondary node (while disconnecting the network interfaces of the existing node via your hypervisor GUI). Join it to AD (assuming you use AD for authentication).

2. Restore backup from your current deployment onto it, including any system certificates which you backed up separately.

3. Upgrade it to 3.3 (or 3.4 since it will soon be the suggested release) and install latest patch.

4. Test services hitting the new node (check live logs etc.)

5. Build a second new node with 3.x (whichever version you decided on) and latest patch. Restore certificates onto it and join it to the new node in a deployment. Join it to AD also. Test that it is healthy and able to perform AAA services.

6. Adjust Primary role as desired. (This will entail a brief outage in a 2-node deployment as both application servers will need to restart and you will have no PSN services while that happens.

7. Take a fresh backup once everything is in the final working state.

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-04-2025 06:31 AM

Are your nodes hardware appliances or VMs? If old hardware, they might not be supported on the newest release. If VMs, it is usually best to build new ones since the resource requirements have changed significantly between 2.7 and 3.3.

0 Helpful

Go to solution
discretemathlover
Level 1
Level 1
In response to Marvin Rhoads

‎09-04-2025 06:39 AM

Thank you for your response! To clarify, my nodes are indeed VMs.

If I understand correctly, you are suggesting that I consider using the backup and restore method during the upgrade process for the following steps:

  1. Upgrade Node2 from version 2.7 to 3.2.
  2. Upgrade Node2 from version 3.2 to 3.3.

Is that correct?

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to discretemathlover

‎09-04-2025 07:08 AM

You don't upgrade the nodes per se, you replace them with new nodes.

1. Build a new node with ISE 3.2, install latest patch. Be sure to carefully consider the VM requirements and give it sufficient compute and memory resources. Give it the same host name and IP address as the current secondary node (while disconnecting the network interfaces of the existing node via your hypervisor GUI). Join it to AD (assuming you use AD for authentication).

2. Restore backup from your current deployment onto it, including any system certificates which you backed up separately.

3. Upgrade it to 3.3 (or 3.4 since it will soon be the suggested release) and install latest patch.

4. Test services hitting the new node (check live logs etc.)

5. Build a second new node with 3.x (whichever version you decided on) and latest patch. Restore certificates onto it and join it to the new node in a deployment. Join it to AD also. Test that it is healthy and able to perform AAA services.

6. Adjust Primary role as desired. (This will entail a brief outage in a 2-node deployment as both application servers will need to restart and you will have no PSN services while that happens.

7. Take a fresh backup once everything is in the final working state.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card