Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4227
Views
10
Helpful
41
Replies

ISE 2.0 distributed deployment upgrade experiences

Ben.Levin
Level 1
Level 1

‎03-17-2016 11:36 AM - edited ‎03-10-2019 11:35 PM

I'm getting ready to upgrade our 8 node ISE 1.3 deployment to 2.0.  I've followed the upgrade documentation to prepare for this but I was wondering if anyone has experience doing the 2.0 upgrade on a similar setup.   Do you have any experiences, issues, etc, you can share?  I'm particularly interested in how long it took.  We did set up a 2 node deployment in our lab but the upgrade was pretty quick, about 1 hour per server.

Thank you.

Labels:
0 Helpful
41 Replies 41

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to joevimal01

‎09-16-2016 01:04 PM

Have you confirmed your ability to put and ftp file onto the server (using the configured repository credentials) with anything other than ISE?

0 Helpful

joevimal01
Level 1
Level 1
In response to Marvin Rhoads

‎09-16-2016 01:09 PM

I have uploaded the IOS to local Disk through theis FTP server which was working fine.

may i  try to backup the config to local Disk. and then copy from there?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to joevimal01

‎09-16-2016 01:23 PM

You need to figure out why ftp isnt working. If it wont work using the backup process then it probably won't work using "copy" after you do a disk backup.

Is there any reason why you don't open a TAC case for this? they can setup a WebEx and work with you interactively in real time.

0 Helpful

joevimal01
Level 1
Level 1
In response to Marvin Rhoads

‎09-16-2016 01:27 PM

Sure Marvin..Thanks

0 Helpful

joevimal01
Level 1
Level 1
In response to joevimal01

‎09-20-2016 08:18 PM

Hi Marvin and All,

I have completed the ISE upgrade successfully. Thanks a lot for your help.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to joevimal01

‎09-20-2016 08:41 PM

Great to hear.

Please take a moment and mark your question and answered and rate helpful replies. It encourages quality content.

0 Helpful

Martin Bosch
Level 1
Level 1
In response to joevimal01

‎09-13-2016 10:49 PM

When you use the prepare command it does copy the bundle to the local disk.


ise/admin# application upgrade prepare  ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz CiscoISE


Getting bundle to local machine...
 md5: de9e7c83679897f792ad3e9f74879c51
 sha256: e3358ca424d977af67f8bb2bb3574b3e559ce9578d2f36c44cd8ba9e6dddfefd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ?

Enter Y to continue.

The upgrade package is extracted. The following message appears.


Getting bundle to local machine...
 md5: de9e7c83679897f792ad3e9f74879c51
 sha256: e3358ca424d977af67f8bb2bb3574b3e559ce9578d2f36c44cd8ba9e6dddfefd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to joevimal01

‎09-13-2016 09:12 AM

joevimal01  ,

Yes you need an ftp server on your network that is reachable from ISE in order to deploy the ISE software image from it to the ISE nodes.

You define that server (can be a PC running Filezilla free ftp server or any other ftp server) in the ISE configuration as a "repository".

The ftp server needs to be authenticating - i.e. you cannot use anonymous ftp. The authenticated user needs to have the necessary software in the home directory on the ftp server.

0 Helpful

joevimal01
Level 1
Level 1
In response to joevimal01

‎08-15-2016 07:23 PM

Sorry, here is our deployment :

Node A:Primary PAN/secondary MnT

Node B: Secondary PAN/primary MnT

Node C,D,E and F: PSNs

0 Helpful

Maximilian Usinger
Level 1
Level 1
In response to Marvin Rhoads

‎08-17-2016 12:28 AM

Hi Marvin,

do you know which bugs will be addressed with the upcoming patch for ISE 2.1?
By the way, where can I get some "insider" information about when a update will be released?
As I have some minor bugs (and a missing deny profile for TACACS authorization) I have to deal with, I am waiting desperately for any new update :)

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Maximilian Usinger

‎08-17-2016 05:47 AM

[@usi.usinger]  ,

The missing TACACS Deny profile was fixed in ISE 2.1. That was the following bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy46322

If you have questions about specific bugs that are impacting your environment, you can inquire with your Cisco SE or via the TAC.

Sometimes you can tell that a bug fix is imminent when the Bug search tool shows it as "fixed" but the most recent public release doesn't include the fix. That usually indicates it's been fixed by Development Engineering and is pending release.

0 Helpful

Maximilian Usinger
Level 1
Level 1
In response to Marvin Rhoads

‎08-19-2016 01:16 AM

[@mrhoads-cco]  ,
Thanks for the reply, but I just found out that I am suffering from this fresh bug here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva04654/?referring_site=bugquickviewredir

(In case you run in a similiar problem)

I was starting to get crazy, as everyone said this bug should have been fixed, but I couldn't find any deny shell profile. :)



0 Helpful
Customers Also Viewed These Support Documents