Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2215
Views
5
Helpful
7
Replies

ISE upgrade 1.3 to 2.1 - Change Guest Operating System on VMWare

Go to solution
dot1x
Level 3
Level 3

‎12-13-2017 05:49 PM - edited ‎02-21-2020 10:41 AM

We intend to upgrade ISE from 1.3 to 2.1

The upgrade guide says: If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change.

 

This change of Guest OS is so confusing:

The Upgrade Guide 2.1 says:

 Prep for the Upgrade Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1  - Prepare for Upgrade [Cisco Identity Services Engine] - Cis…

If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.

 

Post-Upgrade Tasks Section: Cisco Identity Services Engine Upgrade Guide, Release 2.1  - Post-Upgrade Tasks [Cisco Identity Services Engine] - Cisc…

 

Ensure that the Guest Operating System on the VMware virtual machine is set to Red Hat Enterprise Linux (RHEL) 7 and the network adapter is set to E1000 or VMXNET3.

 

Should this be done before or after the upgrade?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-13-2017 07:32 PM

Hi

Last time i did this migration i changed the network adapter prior the upgrade and guest operating system after the upgrade.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

7 Replies 7

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-13-2017 07:32 PM

Hi

Last time i did this migration i changed the network adapter prior the upgrade and guest operating system after the upgrade.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
dot1x
Level 3
Level 3
In response to Francesco Molino

‎12-13-2017 08:41 PM

Thanks Francesco.
We have:
1st Node (Primary Admin/Secondary Monitoring).
2nd Node (Sec Admin / Pri Mon)
2 x PSNs
Could you please have a look at the following flow we'd take to upgrade:

1.  Take backup of Primary Admin Node.
2.  Update 1.3 latest patch one-by-one using CLI.
3.  Upgrade Secondary Admin Node.
4.  Deregister 2nd PSN manually, upgrade it and register with PAN of new deployment.
After this stage, we will have:
 
Old Deployment: 1 PAN, 1 PSN
New Deployment: 1 PAN, 1 PSN

At this stage; would this new deployment work and authenticate users?
After this is tested, we will proceed:
1.  Upgrade 1st PSN.
2.  Upgrade Old deployment PAN.
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to dot1x

‎12-14-2017 05:38 PM

Hi

Here a link you can follow on how to upgrade:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/upgrade_guide/b_ise_upgrade_guide_20/Upgrade_Methods_for___Different_Types_of_Deployments.html#ID20

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
dot1x
Level 3
Level 3
In response to Francesco Molino

‎12-14-2017 05:40 PM

Thanks Francesco.
I'm following the guide, but our deployment is a bit different from the ones mentioned in the doc. So, I came up with this flow.
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to dot1x

‎12-15-2017 07:54 AM

Can you explain how it's different?

You don't need to de-register your PSN nodes. Except if you're facing some issues during upgrade, you can deregister them and register them back to sync them back.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
dot1x
Level 3
Level 3
In response to Francesco Molino

‎12-15-2017 12:01 PM

Step 3   Upgrade the Policy Service Nodes (nodes C, D, E, and F) next. You can upgrade several PSNs in parallel, but if you upgrade all the PSNs concurrently, your network will experience a downtime.

If your PSN is part of a node group cluster, you must deregister the PSN from the PAN, upgrade it as a standalone node, and register it with the PAN in the new deployment.

 

Have you experienced anything like this where you'd have to upgrade PSNs which are in a node group?
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to dot1x

‎12-15-2017 03:05 PM

Yes in certain deployments I had to do that because on 1.3 you had the possibility to create a cluster and add all your PSNs in it. In that specific case, you have to deregister and register them back.

Not lot of ISE deployments are configured that way.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents