Upgrading to Identity Services Engine (ISE) 1.2


Fri, 11/29/2013 - 09:32
Jul 19th, 2013
User Badges:
  • Cisco Employee,

In this article I will discuss how to approach the upgrade to ISE 1.2 and some items to check immediately after it. Before we go into 1.2 specific upgrade points, the standard suggestions that I always give:

  • Make sure you are on a stable platform to fall back on. While you can upgrade from any 1.1.x version to 1.2 directly, I highly recommend ISE 1.1.3 patch 3 as a fall back platform.
  • Take an application only backup from Primary Admin Node (PAN) before upgrade.
  • Download and store certificates and private key files for each node.
  • Keep a copy of the output of ‘show run’ from each node.
  • Take a note of profiling probes that you have enabled for each node.
  • Make sure you have a copy of the license file.

ISE 1.2 specific pre-upgrade points:

  • ISE 1.2 uses different replication ports. Ensure that Firewalls and ACLs allow these ports. Of particular importance are TCP/12001 between all nodes and the PAN and TCP/1528 between the PAN and Monitoring and Troubleshooting (MNT) nodes.
  • ISE 1.2 runs on a 64 bit OS. If using Virtual Machines (VMs), ensure that the VM host will be able to support that.
  • Upgrade of PAN and MNT node can take some time if the database is large.
  • You can either upgrade or re-image the secondary nodes. There is no time benefit in re-imaging but I generally prefer a re-image over upgrade of secondary nodes.
  • If you are re-imaging, you can clone a VM immediately after the installation but before your start the setup script to quickly make ISE 1.2 VMs without having to install on each node individually.
  • Consider staging the upgrade file on the ISE node itself and upgrading from that. The upgrade file can be copied to ISE using the following commands:

conf t

repository local

url disk:/



copy ftp://<repository_url>/ise-upgradebundle-1.1.x-to-1.2.0.###.i386.tar.gz disk:/

To upgrade using this file, use the following command:

application upgrade ise-upgradebundle-1.1.x-to-1.2.0.###.i386.tar.gz local

  • The nodes should be upgraded in the following sequence - Secondary PAN, then Primary MNT, PSNs, IPNs, then remaining MNT and PAN.
  • There is no need to de-register each node before the upgrade because each node will learn of the upgrade process from PAN and automatically join the upgraded secondary PAN, after upgrade.
  • No deployment can exist without a node in the MNT role. So, when you upgrade the Secondary PAN initially, it will assume the role of a PAN and MNT. After you upgrade the primary MNT to 1.2, disable the MNT role from the upgraded PAN.
  • Similarly, before you upgrade the secondary MNT, enable MNT role for the remaining PAN. If this is not done, the upgrade of the secondary MNT will error out.
  • Review the ISE 1.2 Upgrade Guide while planning the upgrade.

So finally the big upgrade is complete and you have a good-looking deployment. Before you start testing, there are a few things you should do:

  • ISE 1.2 supports a dual node license. So after upgrade, either generate a new license containing information for both the Primary and Secondary PAN and apply it or promote the original primary back to primary.
  • If the nodes are hosted on VMs, then shut down each node, edit their properties and change the operating system to Redhat Linux 64-bit.
  • ISE 1.2 has separate databases for Internal users and Guest users. To avoid disruption of service, during upgrade each Identity Store Sequence will have a “Guest User” store added to it. Verify all Identity Sequences to ensure that guest users store is not allowed where is should not be.
  • Review the ISE 1.2 upgrade guide once before wrapping up.

Wish you a smooth upgrade!

If you are wondering what some of the new numbers and configuration options mean, then keep watching this blog!

Tarik Admani Fri, 07/26/2013 - 16:27
User Badges:
  • Green, 3000 points or more

Great article, how that ISE 1.2 is out I have my weekend planned out.

jan.nielsen Tue, 08/13/2013 - 07:26
User Badges:
  • Gold, 750 points or more

Thanks for this description, i have one question though :

Upgrade of PAN and MNT node can take some time if the database is large.

What does that mean, how long are we talking an hour, 10 hours, a day ?

Vivek Santuka Tue, 08/13/2013 - 07:38
User Badges:
  • Cisco Employee,


Its difficult to estimate the time that the upgrade can take because it really depends on the database. Generally speaking, a PAN is more predictable and can take upto 3-4 hours. MNT on the other hand is unpredictable because the database can be as large as 180GB. I can suggest the following to reduce the time:

1. Install 1.2 on a VM and restore the database from ISE (version 1.1.x only). This process will use considerably less time.

2. If you do not need to retain logs across versions, then you can always reimage the MNT to 1.2 and add it to the upgraded deployment.

3. If you are on ISE 1.1.3 patch 3 or above, you can reduce the retention period of the logs and have ISE purge anything older than that period. This will reduce the MNT data size.

andrew.chappelle Wed, 11/13/2013 - 16:36
User Badges:


Good synopsis, thank you.

I am doing a distributed deployment (2 PSN, 2 PAN) upgrade from 1.1.13 to 1.2 and when running the application upgrade command, it tells me it cannot because the package is intended for an x86_64 architecture.  Is that not the point of the upgrade package, to convert to 64 bit?  The VM BIOS has been changed to support 64 bit.  Odd

wmtopahwmtopah Fri, 11/29/2013 - 06:14
User Badges:

anyone know why our upgrade fails, tried several times.. all atempts end with this log:

- Data upgrade step 80/80, NSFUpgradeService( Done in 0 seconds.

STEP 5: Running ISE configuration data upgrade for node specific data...

STEP 6: Running ISE MnT DB upgrade...

Upgrading Session Directory...


- Mnt Schema Upgrade completed, executing sanity check...

% Mnt Db Schema Sanity success

Generating Database statistics for optimization ....

- Preparing database for 64 bit migration...

error: unpacking of archive failed: cpio: Bad magic

% Application not upgraded. Please see application documentation for upgrade limitations.

Naresh Ginjupalli Fri, 11/29/2013 - 09:21
User Badges:
  • Cisco Employee,


The possible reason of the upgrade failure would be because of the corruption in the rpm package files of the operating system. If possible can you please give a quick try on re-imaging the ISE node to ISE 1.2 directly and then restoring the ISE 1.1.x data into ISE 1.2.


This Blog