Understanding new split upgrade on Cisco ISE

Available Languages

Download Options

  • PDF     (2.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.5 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.7 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 29, 2023
Document ID:220857

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This article describes the enhaced split upgrade feature introduced in 3.2 P3 compared with the traditional split upgrade method.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic knowledge of Cisco Identity Service Engine

    Components Used

    This document is not restricted to specific software and hardware versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    GUI upgrade methods

    • Split
      • Multi-step sequential process to upgrade your deployment while the services are available.

    Old split upgradeOld split upgrade

    • Full
      • Two-step process to upgrade all nodes in parallel with service outage.
      • Takes lesser time than split upgrade.

    Full upgradeFull upgrade

    • New split
      • Upgrade in batches
      • Increase stability and reduce downtime.
      • Lesser time than old split upgrade.
      • Pre-checks.
      • No URT.

    New split upgradeNew split upgrade

    Upgrade paths

    • 2.6, 2.7, 3.0 > SPLIT/FULL > 3.1
    • 2,7, 3.0, 3.1 > SPLIT/FULL > 3.2
    • 3.0, 3.1, 3.2 > SPLIT/FULL > 3.3
      • Satarting 3.2 P3 the new split upgrade replaced old split upgrade leaving two options only: Full upgrade and New Split.

    New vs Old split upgrade

    Old split upgrade process

    joncasil_0-1692908130909Old split upgrade steps

    1. SPAN: Deregister, config data upgrade, promote to PAN.

    2. pMnT: Deregister, Register in new deployment, Download and Import operational data upgrade.

    3. PSN1: Deregister, register in new deployment, download and import data.

    4. PSN2: Deregister, register in new deployemnt, download and import data.

    5. sMnT: Deregister, register in new deployment, download and import operational data upgrade.

    6. PPAN: Register, Download, and import data, promote SPAN so as to make same deployment as before the upgrade.

    joncasil_1-1693329658995Old split vs new split

    New split upgrade - Wizard

    joncasil_2-1692908558719Step1

    joncasil_3-1692908577273Step2. Checklist

    joncasil_4-1692908609320Step3. Select nodes

    joncasil_5-1692908643516Step4. Prepare to upgrade

    joncasil_6-1692908929538Step5. Upgrade staging

    joncasil_7-1692908960216Step6. Upgrade nodes

    joncasil_8-1692908973592Summary page

    note-icon

    Note: The same steps are repeated per iteration.

    Detailed steps

    STEP 3 Select nodes for iterations

    Different iterations can be selected for the same deployment.

    joncasil_1-1692910405947Iteration options

    In the case of 2 iterations, Step 3 begins selecting the nodes.

    joncasil_5-1692911080638Iteration1 node selection

    STEP 4. Prepare for Upgrade

    joncasil_6-1692911388355Node selection

    Prejoncasil_7-1692911526921Prechecks

    • Repository validation Checks if repository is configured for all the nodes
    • Bundle Download Helps to download.
    • Memory Check Checks whether 25% memory space is available on the PAN node, and 1GB space memory space is available in other nodes.
    • Patch bundle download Helps to download the patch bundle for the selected nodes.
    • PAN Failover validation check Check if PAN high-availability is enabled. WIll be notified that PAN failover is going to be disabled if it is enabled.
    • Scheduled Backup Check Checks whether the scheudled backup is enabled. - not mandatory.
    • Config Backup Check Checks whether configuration backup was done recently. Upgrade process runs only after the backup is completed.
    • Configuration Data Upgrade Runs the configuration data upgrade on the configuration database clone and creates the upgrade data dump. This check starts after the bundle download.
    • Services or Process Failures Indicates the state of the service or application (whther it is running or in a failed state)
    • Platform support check Checks the supported platfroms in the deployment. It checks whether the system has a minimum of 12 core CPUs, 300-GB hard disk, and 16-GB memory. It also checks whether the ESXi version is 6.5 or later.
    • Deployment validation Checks the state of the deployment node (whether it is in sync or in porgress)
    • DNS Resolvability Checks for the forward and reverse lookup of host name and IP address.
    • Trust Store Cert Validation Checks whether the trust store certificate is valid or has expired.
    • System Cert Validation Checks the system certificate validation for each node.
    • Disk Space Check Checks whether the hard disk has enough free space to continue with the upgrade process.
    • NTP Validation Checks for the NTP configured in the system and whther the time source is from the NTP server.
    • Load Average Check Checks the system load on a specific interval. The frequency can be 1,5 or 15 minutes.
    note-icon

    Note: Not all prechecks are applicable in all nodes, some of them are only run in the PAN.

    • All nodes
      • Repository validation
      • Bundle donwload
      • Memory check
      • Patch bundle donwload
      • Service or process failures
      • Platfrom support check
      • DNS resolvability
      • Disk Space check
      • NTP validation
      • Load average check.
    • Only on PAN
      • PAN failover validation check
      • Scheduled backup check
      • Config backup check
      • Configuration data upgrade
      • Deployment validation
      • Trust store cert validation
      • System cert validation

    The status for all pre-checks can be:

    • Sucess
    • Warning
    • Failure

    Once fixed, the prechecks with Warnings and Failures can be revaluated.

    joncasil_0-1692913633819Precheck status

    note-icon

    Note: ISE services will continue to run while prechecks are executed. Report will be valid for 12 hours during which upgrade can be triggered.

    note-icon

    Note: Bundle download, patch bundle download, platfrom check, configuration data upgrade and disk space check are valid for 12 hours. Other prechecks get expired after 3 hours and can be revalidated using refresh failed checks button or individual refresh button.

    STEP 5. Staging

    Once all prechecks passed successfully the next step, staging, the PAN copies the config database dump prepared in earlier step to the rest of the nodes in the iteration.

    Iterjoncasil_1-1692914094145Staging

    note-icon

    Note: Proceeding to upgrade staging (by clicking start staging) step will not cause suspension of any ISE services. Precheck will continue execution in the background even if ISE UI is closed.

    STEP 6. Upgrade

    • All the nodes in the iteration are upgraded in parallel, hence services are disrupted.
    • Each node has a its own progress bar and there is another one for the overall progress of the iteration.
    • The upgrade progress is monitored via PPAN.

    joncasil_3-1692914377225Upgrade

    Iteration 2

    • Same prechecks applies.
    • During staging the config database dump (not the upgrade bundle) is copied from the "new" PPAN in 3.3 from iteration 1.

    joncasil_4-1692914765745Iteration 2, staging

    • Nodes are upgraded and status is monitored via new PPAN (3.3)

    joncasil_0-1693329135755Iteration 2, upgrade

    Troubleshooting

    Pre-Checks Failed

    Refer to the ADE.log and ise-psc.log files.

    show logging system ade/ADE.log
    show logging application ise-psc.log

    Configuration Data Upgrade Check

    Refer to ADE.log, configdb-upgrade-[timestamp].log and dbupgrade-data-global-[timestamp].log on secondary admin node.

    show logging system ade/ADE.log
    show logging application configdb-upgrade-[timestamp].log
    show logging application dbupgrade-data-global-[timestamp].log
    note-icon

    Note: When you collect the Support Bundle, make sure to enable full configuration database check to include configdb-upgrade logs.

    Upgrade Issues, log collection

    Upgrade failed in one of the nodes and cannot continue with rest of the deployment.

    Refer to:

    • ADE.log
    • ise-psc.log
    show logging system ade/ADE.log
    show logging application ise-psc.log

    Additional logs:

    • monit.log

    Upgrade issues, fix it

    joncasil_0-1693332346491Troubleshooting actions

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    29-Aug-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jonathan Casillas
      Security Technical Leader

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco