Cisco ISE 2.7 upgrade guide

One year ago, Cisco published the Cisco ISE 2.7 release. Now, this release is the suggested one.

It is possible to upgrade directly from release 2.2, 2.3, 2.4 or 2.6 and upgrading process can be done via GUI or CLI. This article will cover the easier method: upgrading Cisco ISE via GUI.

Backup configuration

Backup all configuration and monitoring data. This task should be done before initiating upgrade in order to ensure that you can easily roll back manually, if necessary.

Note: If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7 (64-bit) or Red Hat Enterprise Linux (RHEL) 6 (64-bit). To do this, you must power down the VM, update the Guest Operating System, and power on the VM after the change.

Check the Database

Use the Upgrade Readiness Tool (URT) in order to detect and fix any configuration data upgrade issues before you start the upgrade process. Most of the upgrade failures occur because of configuration data upgrade issues. The URT validates the data before the upgrade in order to identify, and report or fix the issue, wherever possible.

Download URT package

Select the release you want to upgrade (in this case 2.7) and download the Upgrade Readiness Tool file.

Cisco-download-URT
Copy the URT file in the Cisco ISE repository

Copy the file to the Cisco ISE repository; you can configure it going to “Administrator” -> “System” -> “Backup & restore”.

Run the URT Bundle

The URT can be run on a Secondary Administration Node, for high availability, or on the Standalone Node for a single-node deployment. No downtime is necessary when running this tool.

Access to the ISE CLI and type this command:

application install <urt-file> <repository-name>

Here an example of URT output:

Ciscozine-ISE-02/admin# application install ise-urtbundle-2.7.0.356-1.0.0.SPA.x86_64.tar.gz SYSLOG-FTP
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine…
Unbundling Application Package…
Verifying Application Signature…
Initiating Application Install…
#
Installing Upgrade Readiness Tool (URT)
#
Checking ISE version compatibility
Successful
Checking ISE persona
Successful
Along with Administration, other services (MNT,SESSION) are enabled on this node. Installing and running URT might consume additional resources.
Do you want to proceed with installing and running URT now (y/n):y
Checking if URT is recent(<45 days old)
Note: URT is 330 days old and its version is 1.0.0. There might be a recent URT bundle on CCO, please verify on CCO
Do you want to proceed with this version which is 330 days old (y/n):y
Proceeding with this version of URT itself
Installing URT bundle
Successful
#
Running Upgrade Readiness Tool (URT)
#
This tool will perform following tasks:
Pre-requisite checks
Clone config database
Copy upgrade files
[...]
OS Check validation
5 out of 5 pre-requisite checks passed
Clone config database
[##--------------------------------------] 5% Validating connection to ISE database
[####------------------------------------] 10% Validating available disk space for cloning database
[######----------------------------------] 15% Extracting base database files
[##########------------------------------] 25% Cloning database
[####################--------------------] 50% Exporting data from ISE database
[##############################----------] 75% Importing data into cloned database
[########################################] 100% Successful
Copy upgrade files
N/A
Data upgrade on cloned database
Modifying upgrade scripts to run on cloned database
Successful
[...]
Data upgrade step 43/43, GuestAccessUpgradeService(2.7.0.356)… Done in 4 seconds.
Successful
Running data upgrade for node specific data on cloned database
Successful
Time estimate for upgrade
(Estimates are calculated based on size of config and mnt data only. Network latency between PAN and other nodes is not considered in calculating estimates)
Estimated time for each node (in mins):
Ciscozine-ISE-01(PRIMARY PAP,MNT):95
Ciscozine-ISE-02(SECONDARY PAP,MNT,PDP):97
Each PSN(2 if in parallel):60
Final cleanup before exiting…
Application successfully installed
Ciscozine-ISE-02/admin#

Note: If URT ends with errors, open a TAC.
Note: URT gives you a preview of the amount of time the upgrade process takes.

Upgrade a distributed deployment

Go to the Cisco software central, download the upgrade bundle and verify it with md5 or sha512 checksum.

Download Cisco ISE 2.7 upgrade bundle

Start the upgrading process with this order:

  1. Upgrade secondary administration node
  2. Upgrade monitoring node (primary or secondary is indifferent)
  3. Upgrade policy service nodes
  4. Upgrade primary administration node

Note: Don’t worry, Cisco upgrade wizard will remember the correct order.

Cisco-ISE-Dashboard
Open the dashboard and click on Upgrade link.
Cisco-ISE-Upgrade-Step-1
Click on the Upgrade tab.
Cisco-ISE-Upgrade-Step-2
Verify the checklist, then click on Continue button.
Cisco-ISE-Upgrade-Step-3
Select all nodes and click on Download.
Cisco-ISE-Upgrade-Step-4
A popup appears: select the upgrade bundle file from the repository and Confirm. The upgrade bundle file will be downloaded on all nodes.
Cisco-ISE-Upgrade-Step-5
When all nodes have downloaded the release, click on Continue.
Cisco-ISE-Upgrade-Step-6
Select the node and click on “play” button. As you notice, Cisco ISE GUI permits to select only secondary admin node. This is due to the Cisco upgrade process order.
Cisco-ISE-Upgrade-Step-7
A popup appears; click on the Continue button.
Cisco-ISE-Upgrade-Step-8
Click on the Upgrade button to start the upgrade for the secondary administration node.
Cisco-ISE-Upgrade-Step-10
Select the two PSN (policy service nodes) and click on “play” button.
Cisco-ISE-Upgrade-Step-11
A popup appears; click on the Continue button.
Cisco-ISE-Upgrade-Step-12
Select the last node and click on the “play” button.
Cisco-ISE-Upgrade-Step-13
A popup appears; click on the Continue button.
Cisco-ISE-Upgrade-Step-14
Click on the Upgrade button to start the process.

After the upgrade, the Secondary Administration Node becomes the Primary Administration Node, and the original Primary Administration Node becomes the Secondary Administration Node.

In the Edit Node window, click Promote to Primary to promote the Secondary Administration Node as the Primary Administration Node.

Upgrade a standalone deployment

Upgrade a standalone Cisco ISE is very easy. Download the upgrade file, select the node and start the upgrade process.

Suggestion

  • Upgrade to the latest patch in the existing version before starting the upgrade.
  • It is a best practice to archieve the old logs and not transit them to the new deployments. This is because operational logs restored in the MnTs are not synchronized to different nodes in case you change the MnT roles later.
  • When upgrading Cisco ISE using the GUI, note that the timeout for the process is four hours. If the process takes more than four hours, the upgrade fails.

References: