Guidelines to Minimize Upgrade Time and Maximize Efficiency during Upgrade
The following guidelines help you address issues in your current deployment that you might encounter during the upgrade process, reducing the overall upgrade downtime and increasing efficiency.
- Upgrade to the latest patch of the existing version before starting the upgrade.
- We recommend that you test the upgrade in a staging environment to identify and fix any upgrade issues before upgrading the production networks.
- All the nodes in the Cisco ISE deployment should be at the same patch level in order to exchange data.
  Note
  If all the nodes in your deployment are not on the same Cisco ISE version and patch version, you will get the warning message: Upgrade cannot begin. This message indicates that the upgrade is in a blocked state. Ensure that all the nodes in the deployment are on the same version (including the patch version, if any) before you begin the upgrade process.
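As an added illustration (not Cisco's code or tooling), the following Python check applies the same-version-and-patch rule to a constructed node inventory: it reports which nodes would block the upgrade and, optionally, which are still behind the latest patch of the current release. The hostnames and the `3.1.0.518` release string are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    hostname: str   # constructed sample names below, not real hosts
    role: str       # "PAN", "MnT" or "PSN"
    version: str    # dotted ISE release string, e.g. "3.1.0.518"
    patch: int      # installed patch number, 0 if none

def level_of(node):
    """Comparable (release tuple, patch) key; both must match across nodes."""
    return (tuple(int(p) for p in node.version.split(".")), node.patch)

def level_str(level):
    release, patch = level
    text = ".".join(str(p) for p in release)
    return f"{text} patch {patch}" if patch else text

def check_deployment(nodes, latest_patch=None):
    """Apply the same-version-and-patch rule to an inventory and return:
    ok       - True only if every node is on one release+patch level
    level    - the level most nodes run (what stragglers must be raised to)
    mismatch - hostnames that differ from 'level' (upgrade would be blocked)
    behind   - hostnames below 'latest_patch', if given (the guideline is to
               apply the latest patch of the current release first)
    """
    if not nodes:
        raise ValueError("empty deployment inventory")
    majority = Counter(level_of(n) for n in nodes).most_common(1)[0][0]
    mismatch = [n.hostname for n in nodes if level_of(n) != majority]
    behind = [] if latest_patch is None else \
        [n.hostname for n in nodes if n.patch < latest_patch]
    return {"ok": not mismatch, "level": level_str(majority),
            "mismatch": mismatch, "behind": behind}

# Constructed inventory: one MnT never patched, one PSN a patch behind.
SAMPLE = [
    Node("ise-pan-1", "PAN", "3.1.0.518", 3),
    Node("ise-pan-2", "PAN", "3.1.0.518", 3),
    Node("ise-mnt-1", "MnT", "3.1.0.518", 0),
    Node("ise-psn-1", "PSN", "3.1.0.518", 3),
    Node("ise-psn-2", "PSN", "3.1.0.518", 2),
]

if __name__ == "__main__":
    r = check_deployment(SAMPLE, latest_patch=3)
    print("ok" if r["ok"] else f"Upgrade cannot begin: {r['mismatch']} -> {r['level']}")
```

Run it against an inventory exported from your own deployment to catch the blocked state before the maintenance window rather than at the start of the upgrade.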
- Based on the number of PSNs in your deployment and the availability of personnel, you can install the final version of Cisco ISE that you need to upgrade to, apply the latest patch, and keep it ready.
- If you want to retain the MnT logs, perform the above tasks for the MnT nodes and join them to the new deployment as MnT nodes. However, if you do not need to retain the operational logs, you can skip this step by re-imaging the MnT nodes.
- Cisco ISE installation can be done in parallel in a multi-node deployment without impact to the production deployment. Installing ISE servers in parallel saves time, especially when you are using backup and restore from a previous release.
- PSNs can be added to the new deployment to download the existing policies from the PAN during the registration process. Use the ISE latency and bandwidth calculator to understand the latency and bandwidth requirements of a Cisco ISE deployment.
- It is a best practice to archive the old logs and not transfer them to the new deployment. This is because operational logs restored on the MnT nodes are not synchronized to other nodes if you change the MnT roles later.
- If you have two data centers (DC) with a fully distributed deployment, upgrade the backup DC and test the use cases before upgrading the primary DC.
- Download and store the upgrade software in a local repository before the upgrade to speed up the process.
- Use the Upgrade Readiness Tool (URT) to detect and fix configuration data upgrade issues before you start the upgrade process. Most upgrade failures occur because of configuration data upgrade issues. The URT validates the data before the upgrade to identify, and report or fix, the issues wherever possible. The URT is available as a separate downloadable bundle that can be run on a Secondary Policy Administration Node or a standalone node. There is no downtime to run this tool. The following video explains how to use the URT: https://www.cisco.com/c/en/us/td/docs/security/ise/videos/urt/v1-0/cisco-urt.html
  Warning
  Do not run the URT on the Primary Policy Administration Node. The URT does not simulate MnT operational data upgrades.
- When upgrading Cisco ISE using the GUI, note that the timeout for the process per node is four hours. If the process takes more than four hours, the upgrade fails. If upgrading with the Upgrade Readiness Tool (URT) will take you more than four hours, Cisco recommends that you use the CLI for this process.
- Take a backup of the load balancers before changing their configuration. You can remove the PSNs from the load balancers during the upgrade window and add them back after the upgrade.
- Disable automatic PAN failover (if configured) and disable the heartbeat between PANs during the upgrade.
- Review the existing policies and rules and remove outdated, redundant, and stale policies and rules.
- Remove unwanted monitoring logs and endpoint data.
- You can take a backup of the configuration and operational logs and restore it on a temporary server that is not connected to the network. You can use a remote logging target during the upgrade window.
  You can use the following options after the upgrade to reduce the number of logs that are sent to the MnT nodes and improve performance:
  - Use the MnT collection filters (Administration > System > Logging > Collection Filters) to filter incoming logs and avoid duplicate entries in the AAA logs.
  - Create Remote Logging Targets (Administration > System > Logging > Remote Logging Targets) and route each individual logging category to a specific logging target (System > Logging > Logging Categories).
  - Enable the Ignore Repeated Updates option in the Administration > System > Settings > Protocols > RADIUS window to avoid repeated accounting updates.
- Download and use the latest upgrade bundle for the upgrade. Use the following query in the Bug Search Tool to find the upgrade-related defects that are open and fixed: http://cs.co/ise-upgrade-bugsearch
- Test all the use cases in the new deployment with fewer users to ensure service continuity.