Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

Need help from ISE experts/gurus in this forum.

Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.

Scenario: 

- 4 nodes in the environment running ISE version 1.1.2.145 patch 3

- node 1 is Primary Admin and Secondary Monitoring - hostname is node1

- node 2 is Secondary Admin and Primary Monitoring - hostname is node2

- node 3 is Policy service node - hostname is node3

- node 4 is Policy service node - hostname is node4

Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.

My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3 to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.

Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?

I looked at the Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.

I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 

Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?

Proposed solution:

step #1: make ISE node1 to be both Primary Admin and Primary Monitoring. ISE node2 is now Secondary Admin and Secondary Monitoring. Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,

step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring. At this point, apply ISE 1.1.2.145 patch 10 to ISE node1 via the GUI,

step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,

step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3. Once that is completed, verify that node2 is working and accepting traffic,

step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4. Once that is completed, verify that node2 is working and accepting traffic,

Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?

Proposed solution:

step #1:  Make ISE node1 the Primary Admin and Primary Monitoring. At this point ISE node2 will become Secondary Admin and Secondary Monitoring

step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>". Once ISE node2 upgrade is completed, it will form a new ISE 1.2 cluster independent of the old cluster,

step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>". After the upgrade the ISE Policy Service Node3 will automatically join the ISE node2 which is already in version 1.2

step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>". After the upgrade the ISE Policy Service Node4 will automatically join the ISE node2 which is already in version 1.2

step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring

step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)

step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"

step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,

step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,

Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?

Proposed solution:

step #1: make ISE node1 to be both Primary Admin and Primary Monitoring. ISE node2 is now Secondary Admin and Secondary Monitoring. Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,

step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring. At this point, apply 1.2.0.899-2-85601 to ISE node1 via the GUI,

step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,

step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3. Once that is completed, verify that node2 is working and accepting traffic,

step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4. Once that is completed, verify that node2 is working and accepting traffic,

Do these steps make sense to you?

Thanks in advance.

1 REPLY

David,

A few answers to your questions -

Question 1: My recommendation is to follow Vivek's blog since most fixes and upgrade steps are provided there. I would recommend installing the patch that was released prior to the 1.2 release date, since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released.

https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12

You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this). The current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node, and when a node was up and operational the next node would start the patching process. First the admin nodes, then the PSNs.

Every ISE upgrade that I have attempted has not been flawless, and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine; however, I used the following process. You will need the service account information that is used to join your ISE to AD.

I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure); in your case this will be node2.

I backed up the certificates from the UI and the database from the CLI (pick the local disk or FTP, your choice).

I reset the database and ran the upgrade script (since I did not have access to the vSphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).

Once the upgrade was completed I then restored the 1.1.x database. ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.

Once the restore finished, I then restored the certificate and picked one of the PSNs:

  • Back up the cert
  • Have the AD join user account handy
  • reset-db
  • Run the upgrade script
  • Once that is done, restore the cert
  • Join the PSN to the new deployment
  • Join both nodes to AD through the primary admin node
  • Monitor for a few days (separate consoles to make sure everything runs smooth)

If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation. If it all goes smooth, you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.

Thanks and I hope that helps,

Tarik Admani

*Please rate helpful posts*