Re: Upgrading a distributed deployment to ise 1.2, licensing

Giuliano Gerardi · ‎09-03-2013

The current deployment is a 5 nodes (2adm 1mon 2psn)

what the docs report is:

You do not have to manually deregister the node before an upgrade. Use the application upgrade command to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before an upgrade, ensure that you have the license file for the Primary Administration node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco Technical Assistance Center for assistance.

we have a 10k base licence+ 100 advanced (only pri adm registered)

deployment is 1y old

what happens after the secondary admin node has been upgraded to 1.2?

will it be accessiblevia gui? will it have a new grace period licence? will it use the other admin node licence?

this cause during the upgrade we will need to check the "new" 1.2 admin status to proceed with the other nodes...

thank you

Venkatesh Attuluri · ‎09-03-2013

For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary Administration node from the old deployment becomes the primary Administration node in the new deployment. When you upgrade the rest of the nodes in the old deployment, they join the new deployment.

When you upgrade the secondary Administration node from the old deployment, it saves the old deployment configuration and also notifies the primary Administration node of the upgrade. The primary Administration node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old deployment join the primary Administration node in the new deployment. The upgrade process retains licenses and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files with two-node unique device identifiers (UDIs). You can request for a new license with the UDI of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for details.

http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html

Giuliano Gerardi · ‎09-03-2013

" The upgrade process retains licenses and certificates "

that is ok but which licese is retained the old admin one?

in such case will the secondary admin node (new primary for new deployment) be accessible via gui? (as the license is bonded to the old primary node?)

that is not clear...

Giuliano Gerardi · ‎09-04-2013

making an exmple:

5nodes deployment (2adm +1 mon+2psn)

more than 90 days elapsed since installation

license registered to node 1 ONLY (pri admin) 10k endpoints

upgrade procedure from 1.1.2 patch 8 to 1.2 of secondary admin (node 2) via cli command application upgrade....

right after node2 upgrade (and before any other node upgrade) what happens?

- will the node 2 be licensed with an inherited 10k endpoint license?

- will it have a new grace 100 endpoint period?

- will it be without any licence?

if it is true that the licence gets inherited then why Step 3 of the upgrade procedure says to obtain a new license that's tied to both node A & node B?

TY