One year ago, Cisco published the Cisco ISE 2.7 release. It is now the suggested release.
It is possible to upgrade directly from release 2.2, 2.3, 2.4 or 2.6, and the upgrade can be done via GUI or CLI. This article covers the easier method: upgrading Cisco ISE via GUI.
Backup configuration
Back up all configuration and monitoring data. Do this before initiating the upgrade so that you can easily roll back manually, if necessary.
Note: If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7 (64-bit) or Red Hat Enterprise Linux (RHEL) 6 (64-bit). To do this, you must power down the VM, update the Guest Operating System, and power on the VM after the change.
Check the Database
Use the Upgrade Readiness Tool (URT) in order to detect and fix any configuration data upgrade issues before you start the upgrade process. Most of the upgrade failures occur because of configuration data upgrade issues. The URT validates the data before the upgrade in order to identify, and report or fix the issue, wherever possible.
Download URT package
Select the release you want to upgrade to (in this case 2.7) and download the Upgrade Readiness Tool file.
Copy the URT file to the Cisco ISE repository
Copy the file to the Cisco ISE repository; you can configure the repository under “Administrator” -> “System” -> “Backup & restore”.
Run the URT Bundle
The URT can be run on a Secondary Administration Node, for high availability, or on the Standalone Node for a single-node deployment. No downtime is necessary when running this tool.
Access the ISE CLI and type this command:
application install <urt-file> <repository-name>
Here is an example of URT output:
Ciscozine-ISE-02/admin# application install ise-urtbundle-2.7.0.356-1.0.0.SPA.x86_64.tar.gz SYSLOG-FTP
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine…
Unbundling Application Package…
Verifying Application Signature…
Initiating Application Install…
# Installing Upgrade Readiness Tool (URT) #
Checking ISE version compatibility
Successful
Checking ISE persona
Successful
Along with Administration, other services (MNT,SESSION) are enabled on this node. Installing and running URT might consume additional resources.
Do you want to proceed with installing and running URT now (y/n):y
Checking if URT is recent(<45 days old)
Note: URT is 330 days old and its version is 1.0.0. There might be a recent URT bundle on CCO, please verify on CCO
Do you want to proceed with this version which is 330 days old (y/n):y
Proceeding with this version of URT itself
Installing URT bundle
Successful
# Running Upgrade Readiness Tool (URT) #
This tool will perform following tasks:
Pre-requisite checks
Clone config database
Copy upgrade files
[...]
OS Check validation
5 out of 5 pre-requisite checks passed
Clone config database
[##--------------------------------------] 5% Validating connection to ISE database
[####------------------------------------] 10% Validating available disk space for cloning database
[######----------------------------------] 15% Extracting base database files
[##########------------------------------] 25% Cloning database
[####################--------------------] 50% Exporting data from ISE database
[##############################----------] 75% Importing data into cloned database
[########################################] 100% Successful
Copy upgrade files
N/A
Data upgrade on cloned database
Modifying upgrade scripts to run on cloned database
Successful
[...]
Data upgrade step 43/43, GuestAccessUpgradeService(2.7.0.356)… Done in 4 seconds.
Successful
Running data upgrade for node specific data on cloned database
Successful
Time estimate for upgrade
(Estimates are calculated based on size of config and mnt data only. Network latency between PAN and other nodes is not considered in calculating estimates)
Estimated time for each node (in mins):
Ciscozine-ISE-01(PRIMARY PAP,MNT):95
Ciscozine-ISE-02(SECONDARY PAP,MNT,PDP):97
Each PSN(2 if in parallel):60
Final cleanup before exiting…
Application successfully installed
Ciscozine-ISE-02/admin#
Note: If URT ends with errors, open a TAC case.
Note: URT gives you a preview of the amount of time the upgrade process takes.
Upgrade a distributed deployment
Go to Cisco Software Central, download the upgrade bundle and verify it against the published MD5 or SHA512 checksum.
Run the upgrade in this order:
- Upgrade secondary administration node
- Upgrade monitoring node (primary or secondary, the order does not matter)
- Upgrade policy service nodes
- Upgrade primary administration node
Note: Don’t worry, the Cisco upgrade wizard will remember the correct order.
After the upgrade, the Secondary Administration Node becomes the Primary Administration Node, and the original Primary Administration Node becomes the Secondary Administration Node.
In the Edit Node window, click Promote to Primary to promote the Secondary Administration Node as the Primary Administration Node.
Upgrade a standalone deployment
Upgrading a standalone Cisco ISE is very easy. Download the upgrade file, select the node and start the upgrade process.
Suggestion
- Upgrade to the latest patch in the existing version before starting the upgrade.
- It is a best practice to archive the old logs and not transfer them to the new deployment. This is because operational logs restored in the MnTs are not synchronized to different nodes in case you change the MnT roles later.
- When upgrading Cisco ISE using the GUI, note that the timeout for the process is four hours. If the process takes more than four hours, the upgrade fails.
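Added example (not part of the original article or of Cisco's tooling): a Python check over a saved URT transcript that confirms the run finished cleanly and compares each per-node time estimate with the four-hour GUI timeout. The function name, the sample text and the per-node comparison are assumptions of this example; the article does not say whether the timeout applies per node or to the whole upgrade.

```python
import re

GUI_TIMEOUT_MIN = 4 * 60  # four-hour GUI upgrade timeout stated in the article
# Constructed sample: an excerpt in the shape of the URT output shown above.
SAMPLE_URT_OUTPUT = """\
Note: URT is 330 days old and its version is 1.0.0.
5 out of 5 pre-requisite checks passed
Data upgrade step 43/43, GuestAccessUpgradeService(2.7.0.356)... Done in 4 seconds.
Estimated time for each node (in mins):
Ciscozine-ISE-01(PRIMARY PAP,MNT):95
Ciscozine-ISE-02(SECONDARY PAP,MNT,PDP):97
Each PSN(2 if in parallel):60
Application successfully installed
"""

def review_urt_output(text, timeout_min=GUI_TIMEOUT_MIN, max_age_days=45):
    """Return (estimates, findings) for a saved URT transcript."""
    findings = []
    # Every pre-requisite check must pass ("N out of N").
    m = re.search(r"(\d+) out of (\d+) pre-requisite checks passed", text)
    if not m:
        findings.append("pre-requisite summary not found")
    elif m.group(1) != m.group(2):
        findings.append(f"pre-requisite checks: {m.group(1)}/{m.group(2)} passed")
    # The data upgrade on the cloned database must reach its final step.
    steps = re.findall(r"Data upgrade step (\d+)/(\d+)", text)
    if not steps or steps[-1][0] != steps[-1][1]:
        findings.append("data upgrade did not reach its final step")
    if "Application successfully installed" not in text:
        findings.append("URT did not finish successfully")
    age = re.search(r"URT is (\d+) days old", text)  # URT warns past 45 days
    if age and int(age.group(1)) > max_age_days:
        findings.append(f"URT bundle is {age.group(1)} days old; check for a newer one")
    # Per-node estimates follow the "Estimated time for each node" header.
    estimates = {}
    _, _, tail = text.partition("Estimated time for each node (in mins):")
    for line in tail.splitlines():
        em = re.match(r"\s*(.+\)):(\d+)\s*$", line)
        if em:
            estimates[em.group(1)] = int(em.group(2))
    if not estimates:
        findings.append("no time estimates found")
    for node, minutes in estimates.items():
        if minutes >= timeout_min:
            findings.append(f"{node}: {minutes} min reaches the {timeout_min} min GUI timeout")
    return estimates, findings

if __name__ == "__main__":
    print(review_urt_output(SAMPLE_URT_OUTPUT))
```

An empty findings list means the transcript shows a clean run with every estimate under the timeout; any entry is a reason to stop before starting the GUI upgrade.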