Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1137
Views
6
Helpful
7
Replies

ISE distributed deployment upgrade - 1.3 to 2.1

Go to solution
dot1x
Level 3
Level 3

‎12-10-2017 07:00 PM

My customer has an ISE deployment with 5 nodes: Admin/Monitor Primary and Secondary plus 3 Policy Server. The Admin Nodes and 2 Policty Nodes are VMs. The last Policy node is 3415 appliance.


I checked the release notes, it says that we can directly upgrade from 1.3 to 2.1.


Could someone share their experience or a step-by-step document to upgrade this distributed environment ISE deployment?


Thanks.

1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎12-11-2017 12:42 PM

As I have posted previously, I would recommend not using any of the Cisco documented GUI/CLI methods for upgrading.  The method I have found to work the best over the years is:

  1. Kick out secondary admin node from the old deployment.
  2. Fresh build it to the desired version
  3. Restore data from old version
  4. Verify restored data.  This node now becomes the anchor point of the new version deployment.
  5. One at a time rebuild each PSN by installing a fresh build of the new version
  6. Join the PSNs to the new deployment
  7. Finally rebuild what was the primary admin node of the old deployment and join it to the new deployment
  8. Move personas around as needed

View solution in original post

7 Replies 7

Go to solution
paul
Level 10
Level 10

‎12-11-2017 12:42 PM

As I have posted previously, I would recommend not using any of the Cisco documented GUI/CLI methods for upgrading.  The method I have found to work the best over the years is:

  1. Kick out secondary admin node from the old deployment.
  2. Fresh build it to the desired version
  3. Restore data from old version
  4. Verify restored data.  This node now becomes the anchor point of the new version deployment.
  5. One at a time rebuild each PSN by installing a fresh build of the new version
  6. Join the PSNs to the new deployment
  7. Finally rebuild what was the primary admin node of the old deployment and join it to the new deployment
  8. Move personas around as needed

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎12-11-2017 12:44 PM

Agree with paul!

0 Helpful

Go to solution
dot1x
Level 3
Level 3
In response to paul

‎12-11-2017 01:47 PM

Thanks Paul.

What happens to the license when we use this approach?

Would it retain the licenses?

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to dot1x

‎12-11-2017 01:49 PM

It won’t retain the license. You just need to rehost the licenses. I usually must email licensing@cisco.com<mailto:licensing@cisco.com>. They are very responsive.

Go to solution
gbekmezi-DD
Level 5
Level 5
In response to paul

‎12-11-2017 02:00 PM

My experience is the device ID doesn’t change if you are using the same VM so you should be able to reuse the same license files if you still have them. Otherwise, rehosting certainly works.

George

Go to solution
dot1x
Level 3
Level 3
In response to paul

‎12-11-2017 02:15 PM

I'm fairly new to this, could you pelase have a look and advise if my understanding is correct?

Kick out secondary admin node from the old deployment.

Manually de-register Secondary Admin Node and take back up of this secondary admin node?

Fresh build it to the desired version

Using this?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_010.html#task_C60EBD3F53714C7BA83DC2E691E4FC1B

Restore data from old version

Restoring the back up taken in Step 1 for Secondary Admin Node?

Verify restored data.  This node now becomes the anchor point of the new version deployment.

One at a time rebuild each PSN by installing a fresh build of the new version

At this point of time, do I de-register old PSNs one by one?

Join the PSNs to the new deployment

Finally rebuild what was the primary admin node of the old deployment and join it to the new deployment

Should I take backup of Primary Admin node and then restore to new deployment? At this point of time, this will become secondary admin node in new deployment?

Move personas around as needed

0 Helpful
Customers Also Viewed These Support Documents