Upgrade ISE with Full Upgrade Method

Available Languages

Download Options

  • PDF     (1.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.6 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.2 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:January 27, 2024
Document ID:217509

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to upgrade an existing ISE deployment from version 2.7 to 3.1 using the Full Upgrade method. 

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics: 

    • Identity Services Engine (ISE) 
    • Understanding of terminology used to describe different types of ISE deployments 

      

    Components Used 

    The information in this document is based on these software and hardware versions: 

    • ISE, Release 2.7, patch 4
    • ISE, Release 3.1

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Note: The procedure is similar or identical to other ISE versions. These steps can be used on 2.6 to upgrade to 3.1 and the ISE Software Releases unless stated otherwise.

    Background Information

    It also includes how to use the Health Checks feature to detect and fix any potential deployment issues. The legacy method of upgrade is now termed as Split Upgrade and is available as an alternate option if the Full Upgrade method is not preferred.

    Supported Paths

    Full upgrade to ISE 3.1 is supported from

    • ISE 2.6 patch 10 and later
    • ISE 2.7 patch 4 and later
    • ISE 3.0 patch 3 and later

    Split upgrade to ISE 3.1 is supported from ISE 2.6 and later versions, with or without any patch.

    Comparison of Full Upgrade with Split Upgrade Method

    Sequence of Node Upgrade with Split Upgrade Method in a Distributed Deployment

    Requires a minimum of 5 steps for a fully distributed deployment to upgrade to the newer version.

    Sequencing of Nodes in Split Upgrade Method

    Considering approximate 240 minutes for each step, the total upgrade process here would take 240*5 minutes = 20 hours.

    Sequence of Node Upgrade with Full Upgrade Method in a Distributed Deployment

    Requires only 2 steps for a fully distributed deployment to upgrade to the newer version.

    Sequencing of Nodes in Full Upgrade Method

    Again, considering approximate 240 minutes for each step, the total upgrade process is now reduced to 240*2 minutes = 8 hours.

    Advantages of Full Upgrade over Split Upgrade Method

    • The Full Upgrade method consumes lesser time for the overall activity because the nodes are upgraded in parallel, whereas the Split Upgrade method needs to be planned well with a longer duration of the maintenance window.
    • The Full Upgrade method is hassle-free in terms of upgrade sequence as there are just 2 steps. The Split Upgrade method requires the nodes to be sequenced appropriately before starting the upgrade process.
    • The Full Upgrade method retains the roles and personas as it was prior to the upgrade. The Split Upgrade method switches the primary and secondary admin roles in the upgraded version.
    • The points of failures have been reduced in the Full Upgrade method by eliminating the API dependency with deployment-related changes during the upgrade process.
    • The Full Upgrade method allows to track the upgrade status from the secondary admin node when the primary admin node goes down for an upgrade. This is not possible in the Split Upgrade method.
    • Patch installation post-upgrade is automated and is provided as an option in the Full Upgrade method.

    Caution: Full upgrade requires a complete downtime because all the PSNs go down for upgrade at the same time. Ensure that the activity is planned during a scheduled maintenance window.

    Full Upgrade Flow

    This document demonstrates the upgrade flow of a 4 node deployment. The overall process remains the same for two-node or other multi-node deployments.

    Example for a Deployment

    Upgrade UI

    Navigate to Administration > System > Upgrade in order to begin the activity as shown in the image.

    Selecting Full Upgrade Option

    Note: Only the Split Upgrade method is supported on ISE 2.6 patch 9 and below, ISE 2.7 patch 3 and below, and ISE 3.0 patch 2 and below. By default, the Split Upgrade window is launched for these versions. The Split Upgrade process can be referred from here. Select the Full Upgrade radio button and click Start Upgrade.

    Welcome Page

    Full Upgrade Welcome Page

    On the welcome page wizard, click Next in order to proceed further.

    Checklist

    Review the checklist and ensure to complete the tasks before you proceed further.

    Checklist for Upgrade

    Tick the checkbox that states I have reviewed the checklist and click Next.

    Prepare to Upgrade

    A pre-check is run on the complete deployment prior to the upgrade and the results are displayed on this page. Apart from the checks, at this step the upgrade bundle is downloaded on all the nodes, offline data upgrade (ODU) is run on the secondary admin node (this is analogous to the Upgrade Readiness Tool (URT) simulation of the Split Upgrade method) and finally, it also displays the time estimate for the activity.

    Upgrade bundle is to be downloaded from the Cisco Software Download page.

    The Upgrade Bundle on Cisco.com

    In order to run the pre-upgrade check, select the Repository name in which the upgrade bundle is placed. Select the upgrade bundle file name from the Bundle dropdown box.

    Note: Full Upgrade method also introduces automatic patch installation post-upgrade. The patch file is to be placed in the same repository along with the upgrade bundle and the patch file name can be selected from the dropdown if automatic patch installation is desired.

    Prepare to Upgrade

    Click on Start Preparation in order to start running the pre-checks. All the prechecks, except the Bundle Download and Configuration Data Upgrade check expire automatically after 4 hours of initiating the system validation. Configuration Data Upgrade, which is nothing but the ODU, expires after 12 hours.

    System Pre-check Before Upgrade

    Note: Disable PAN failover setting before upgrade activity. If not done manually, it gets automatically disabled once the upgrade is triggered.

    Note: ISE 3.0 and listed mandates the use of Smart Licensing. It does not support Traditional Licensing. In case Smart Licensing is not enabled or registered prior to the upgrade, ISE lands on Smart Licensing Evaluation period by default post-upgrade. License Migration reference link: Products - ISE Licensing Migration Guide - Cisco. When you upgrade ISE from 2. x to 3.x, it involves licensing tier changes.

    Caution: All types of configuration changes on ISE are to be avoided once the Configuration Data Upgrade is triggered. Any changes made would be lost after the upgrade.

    If any of the component pre-checks fail, they are displayed in red or orange colour based on their criticality. The failures highlighted in red need to be mandatorily rectified before proceeding further. The warnings highlighted in orange cannot stop the upgrade process, however, it is good to fix them as best practice and to avoid impacting the deployment features and functionalities in future.

    Once the errors are rectified, click on Start Staging to proceed further.

    Upgrade Staging

    During upgrade staging, the upgraded database file is copied to all the nodes in the deployment and the configuration files are backed up on all nodes of the deployment.

    The dump file is already present on the Secondary admin node as part of the ODU. Hence, in this step, the secondary admin node only creates backup files for CA NSS DB, Smart Licensing and DHCP/DNS configuration. All other nodes also create these files but need to additionally copy the dump file from the secondary admin node.

    Upgrade Staging

    Click Next when the staging completes for all the nodes.

    Upgrade Nodes

    Click on Start in order to trigger the upgrade.

    Upgrading Nodes

    A pop-up message confirms that the upgrade is triggered and all the nodes are displayed in a queue with the upgrade status. Since the upgrade is initiated on the primary admin node first, the system logs out of this node and now the upgrade status can be monitored from the secondary admin node's GUI. Navigate to Administration > System > Upgrade on the secondary admin node's GUI in order to continue viewing the status.

    Progress of Upgrade from Secondary PAN

    Once the primary admin node gets upgraded and the services come up, the system logs out of the secondary admin node's GUI. Users can now switch back to monitoring the status from the primary admin node's GUI while all the other nodes of the deployment go down for the upgrade simultaneously.

    Progress of Upgrade from Primary PAN

    Once all the nodes get upgraded successfully, the status changes to green colour.

    Upgrade Completion Status

    If there are any failed nodes, a pop-up window with information about the failed node is displayed. Click OK in the popup window to de-register the failed nodes from the deployment. These have to be individually upgraded/re-imaged and joined back to the deployment if any.

    Click Next in order to view the overall upgrade summary reports.

    Summary

    After the upgrade process is complete, the diagnostic upgrade reports for the deployment can be viewed and downloaded from this page.

    Upgrade Summary

    Health Checks

    In order to validate the deployment status post-upgrade, a health check runs automatically to verify the deployment's status. This report can be downloaded from the Summary page of the upgrade flow. If an on-demand health check is required at any point in time, navigate to Administration > System > Health Checks and click on Start Health Checks.

    Health Check After Upgrade

    Post Upgrade Tasks

    When a user logs in to the primary admin node's GUI after you complete the upgrade, a pop-up message is displayed regarding post-upgrade tasks.

    Post-Upgrade Tasks

    Click the post-upgrade tasks hyperlink on the pop-up message in order to review the task details and complete them.

    Issues and Remedies

    1. If the primary admin node upgrade fails, promote the secondary admin to the primary admin and then re-try the upgrade.
    2. If the upgrade fails on any other node apart from primary admin, the node would have to be deregistered from the deployment. This node has to be upgraded individually or reimaged directly to the upgraded version and can be joined back to the deployment.

    Revision History

    Revision Publish Date Comments
    4.0
    27-Jan-2024
    Fixed machine translation, introduction, and SEO optimization.
    3.0
    17-Nov-2021
    Formatting edits.
    2.0
    30-Oct-2021
    Initial Release
    1.0
    30-Oct-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Viraj Nagarmunoli
      Security Architect Lead
    • Rini Santra
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products