- Cisco Employee,
In this article I will discuss how to approach the upgrade to ISE 1.2 and some items to check immediately after it. Before we go into the 1.2-specific upgrade points, here are the standard suggestions that I always give:
- Make sure you are on a stable platform to fall back on. While you can upgrade from any 1.1.x version to 1.2 directly, I highly recommend ISE 1.1.3 patch 3 as a fallback platform.
- Take an application-only backup from the Primary Admin Node (PAN) before the upgrade.
- Download and store certificates and private key files for each node.
- Keep a copy of the output of ‘show run’ from each node.
- Take a note of profiling probes that you have enabled for each node.
- Make sure you have a copy of the license file.
ISE 1.2 specific pre-upgrade points:
- ISE 1.2 uses different replication ports. Ensure that Firewalls and ACLs allow these ports. Of particular importance are TCP/12001 between all nodes and the PAN and TCP/1528 between the PAN and Monitoring and Troubleshooting (MNT) nodes.
- ISE 1.2 runs on a 64 bit OS. If using Virtual Machines (VMs), ensure that the VM host will be able to support that.
- Upgrade of PAN and MNT node can take some time if the database is large.
- You can either upgrade or re-image the secondary nodes. There is no time benefit in re-imaging but I generally prefer a re-image over upgrade of secondary nodes.
- If you are re-imaging, you can clone a VM immediately after the installation but before you start the setup script to quickly make ISE 1.2 VMs without having to install on each node individually.
- Consider staging the upgrade file on the ISE node itself and upgrading from that. The upgrade file can be copied to ISE using the following command:
copy ftp://<repository_url>/ise-upgradebundle-1.1.x-to-1.2.0.###.i386.tar.gz disk:/
To upgrade using this file, use the following command:
application upgrade ise-upgradebundle-1.1.x-to-1.2.0.###.i386.tar.gz local
- The nodes should be upgraded in the following sequence: Secondary PAN, then Primary MNT, PSNs, IPNs, then remaining MNT and PAN.
- There is no need to de-register each node before the upgrade because each node will learn of the upgrade process from PAN and automatically join the upgraded secondary PAN, after upgrade.
- No deployment can exist without a node in the MNT role. So, when you upgrade the Secondary PAN initially, it will assume the role of a PAN and MNT. After you upgrade the primary MNT to 1.2, disable the MNT role from the upgraded PAN.
- Similarly, before you upgrade the secondary MNT, enable MNT role for the remaining PAN. If this is not done, the upgrade of the secondary MNT will error out.
- Review the ISE 1.2 Upgrade Guide while planning the upgrade.
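As an added example (not part of the original article or any Cisco tooling), the following sketch audits a firewall permit list against the two replication ports named above before the upgrade starts. The node inventory, addresses and rule format are constructed for illustration, and because the article does not say which side initiates each connection, both directions are checked.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Ports the article names for ISE 1.2 replication.
PAN_PORT = 12001  # between all nodes and the PAN
MNT_PORT = 1528   # between the PAN and the MNT nodes

# Constructed inventory: name -> (IP, roles). Not a real deployment.
NODES = {
    "pan1": ("10.0.1.10", {"PAN"}), "pan2": ("10.0.2.10", {"PAN"}),
    "mnt1": ("10.0.1.20", {"MNT"}), "mnt2": ("10.0.2.20", {"MNT"}),
    "psn1": ("10.0.3.30", {"PSN"}),
}
# Constructed permit rules: (source network, destination network, TCP port).
RULES = [
    ("10.0.0.0/16", "10.0.1.0/24", 12001),
    ("10.0.0.0/16", "10.0.2.0/24", 12001),
    ("10.0.1.0/24", "10.0.1.0/24", 1528),
    ("10.0.1.0/24", "10.0.2.0/24", 1528),
]

def required_flows(nodes):
    """(src, dst, port) in both directions for every node pair the article names."""
    pans = [n for n, (_, roles) in nodes.items() if "PAN" in roles]
    mnts = [n for n, (_, roles) in nodes.items() if "MNT" in roles]
    flows = set()
    for pan, other in product(pans, nodes):
        if pan != other:
            flows |= {(pan, other, PAN_PORT), (other, pan, PAN_PORT)}
    for pan, mnt in product(pans, mnts):
        if pan != mnt:  # a node may hold both roles during the upgrade
            flows |= {(pan, mnt, MNT_PORT), (mnt, pan, MNT_PORT)}
    return flows

def permitted(src_ip, dst_ip, port, rules):
    """True if any rule covers this source, destination and port."""
    return any(port == p and ip_address(src_ip) in ip_network(s)
               and ip_address(dst_ip) in ip_network(d) for s, d, p in rules)

def blocked_flows(nodes, rules):
    """Required flows that no rule permits, sorted for stable output."""
    return sorted(f for f in required_flows(nodes)
                  if not permitted(nodes[f[0]][0], nodes[f[1]][0], f[2], rules))

if __name__ == "__main__":
    for src, dst, port in blocked_flows(NODES, RULES):
        print(f"no rule permits {src} -> {dst} tcp/{port}")
```

Both PAN nodes are treated as PAN endpoints because the secondary PAN takes over the PAN role once it is upgraded.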
So finally the big upgrade is complete and you have a good-looking deployment. Before you start testing, there are a few things you should do:
- ISE 1.2 supports a dual node license. So after upgrade, either generate a new license containing information for both the Primary and Secondary PAN and apply it or promote the original primary back to primary.
- If the nodes are hosted on VMs, then shut down each node, edit their properties and change the operating system to Redhat Linux 64-bit.
- ISE 1.2 has separate databases for Internal users and Guest users. To avoid disruption of service, during upgrade each Identity Store Sequence will have a “Guest User” store added to it. Review every Identity Store Sequence to ensure that the Guest User store is not allowed where it should not be.
- Review the ISE 1.2 upgrade guide once before wrapping up.
Wish you a smooth upgrade!
If you are wondering what some of the new numbers and configuration options mean, then keep watching this blog!