Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4
Upgrading Cisco ISE

Table Of Contents

Upgrading Cisco ISE

Before You Begin

Upgrading the Cisco ISE Node

Performing an Application Upgrade from the CLI

Upgrading Cisco ISE on a Standalone Node

Upgrading Cisco ISE in a Distributed Deployment

Replacing Cisco ISE Appliance Running ISE 1.0 Software with Cisco ISE Appliance Running Cisco ISE Maintenance Release 1.0.4

Replacing Cisco ISE Standalone Appliance Running ISE 1.0 Software with a Cisco ISE Appliance Running Cisco ISE Maintenance Release 1.0.4

Replacing a Subset of Cisco ISE 1.0 Nodes with Cisco ISE Appliances Running Maintenance Release 1.0.4 in a Distributed Deployment

Replacing All Cisco ISE Appliances Running ISE 1.0 Software with Cisco ISE Appliances Running Cisco ISE Maintenance Release 1.0.4 in a Distributed Deployment

Recovering from Upgrade Failures

Recovering from Upgrade Failures on a Standalone or Primary Node

Recovering from Upgrade Failures on a Secondary Node


Upgrading Cisco ISE


You can upgrade Cisco ISE from a previous major release or maintenance release to the latest Cisco ISE Maintenance Release 1.0.4. In addition, you can also migrate from Cisco Secure Access Control System (ACS) 5.1 and 5.2 releases to the latest Cisco ISE Maintenance Release 1.0.4.

You cannot migrate to the latest Cisco ISE Maintenance Release 1.0.4 from Cisco Secure ACS 4.x or lower versions, or from a Cisco Network Admission Control (NAC) appliance.

For information on migrating from Cisco Secure ACS 5.1 and 5.2 releases to the latest Cisco ISE Maintenance Release 1.0.4, see the Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.0.4.


Note You can migrate to the latest Cisco ISE Maintenance Release 1.0.4 only from the latest ACS 5.x release. You must upgrade to the latest ACS 5.x release before you plan to migrate to the latest Cisco ISE Maintenance Release 1.0.4.


This chapter describes the following procedures:

Before You Begin

Upgrading the Cisco ISE Node

Recovering from Upgrade Failures

Before You Begin

Before you upgrade your deployment, you must do the following:

Obtain a backup of Cisco ISE configuration data and Cisco ADE operating system data.

If you are performing a split deployment upgrade and you have a secondary Cisco ISE Administration node in your deployment that has been operational for more than 90 days, you must obtain a valid license for the secondary Cisco ISE Administration node (ISE Node B), either an evaluation license or a license based on its UDI.


Note You cannot preinstall or install a license on the secondary Cisco ISE Administration node at runtime. You can install the license only after the node has been promoted to become the primary Cisco ISE Administration node.


Upgrading the Cisco ISE Node


Note There is a known issue regarding default "admin" administrator user interface access following an upgrade from Cisco Identity Services Engine Release 1.0.3.377 to Cisco Identity Services Engine Maintenance Release 1.0.4.573. See the "Known Issues" section of the Release Notes for Cisco Identity Services Engine, Release 1.0.4 for details.


You can upgrade Cisco ISE from the previous release to the next release. The previous release may include patches that are already installed on it or it can be any maintenance release.

For example, you can upgrade Cisco ISE, Release 1.0 to the latest Cisco ISE Maintenance Release 1.0.4 and then upgrade the maintenance release to the next future release later.

The following two upgrade options are available:

Perform an application upgrade from the CLI.

For more information, see Performing an Application Upgrade from the CLI.

Replace the old Cisco ISE 1.0 appliance with a new Cisco ISE appliance running the latest Cisco ISE Maintenance Release 1.0.4.

For more information, see Replacing Cisco ISE Appliance Running ISE 1.0 Software with Cisco ISE Appliance Running Cisco ISE Maintenance Release 1.0.4.


Note Cisco strongly recommends that you delay any deployment configuration changes like changing node personas, system synchronization, node registration or deregistration, etc. until all nodes in your deployment are completely upgraded. (One exception to this recommendation, however, involves steps required to recover from a failed upgrade, as described in Recovering from Upgrade Failures.)


Performing an Application Upgrade from the CLI

Cisco ISE also lets you perform an application upgrade from Cisco ISE, Release 1.0 or Cisco ISE Maintenance Release 1.0.4.558 to the latest Cisco ISE Maintenance Release 1.0.4.573 directly from the CLI. This option installs the new Cisco ISE software on the appliance and simultaneously upgrades the configuration and monitoring information databases.

To perform an application upgrade, from the Cisco ISE CLI, enter:

application upgrade application-bundle repository-name

where

application-bundle is the name of the application bundle to upgrade the Cisco ISE application

repository-name is the name of the repository

For more information, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.


Note Before proceeding, Cisco recommends reviewing all of the following sections for information on how to perform an upgrade on the different types of nodes.


You can use the application upgrade command from the CLI to upgrade Cisco ISE from the previous version to the current version in the following cases:

Upgrading Cisco ISE on a standalone node that assumes Administration, Policy Service and Monitoring personas.

Upgrading Cisco ISE on a distributed deployment.


Note Perform an on-demand backup (manually) of the Primary administration node before upgrading Cisco ISE.


To validate the upgrade process, do one of the following:

Check the ade.log file for the upgrade process.

To download the ade.log file, see "Downloading Support Bundles" section in Chapter 23 of the Cisco Identity Services Engine User Guide, Release 1.0.4.

Run the show version CLI command to verify the build version.

Upgrading Cisco ISE on a Standalone Node

You can execute the application upgrade command from the CLI on a standalone Cisco ISE node that assumes the Administration, Policy Service, and Monitoring personas.

To upgrade Cisco ISE on a standalone node:


Step 1 Perform an on-demand backup (manually) of the Primary Administration ISE node from the admin user interface or CLI and an on-demand backup of the Monitoring node from the admin user interface before upgrading Cisco ISE.

For more information on how to perform an on-demand backup, see the "On-Demand Backup" section of the Cisco Identity Services Engine User Guide, Release 1.0.4.

Step 2 Launch the application upgrade command from the Cisco ISE CLI. This process internally upgrades the application binaries, the DB schema, and the datamodel module. It also applies any ADE-OS operating system updates.

If a system reload is required to complete the upgrade process, the Cisco ISE node is restarted automatically following successful upgrade.

The CLI transcript for a successful upgrade on a stand-alone node should look like the following:

ise-vm29/admin# application upgrade ise-appbundle-1.0.4.573.i386.tar.gz disk
Save the current ADE-OS running configuration? (yes/no) [yes]? 
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
###############################################################
NOTICE: ISE upgrade requires you to change the database
administrator and database user password. You will be
prompted to change these passwords after the system reboots.
###############################################################
Stopping ISE application before upgrade...
Running ISE Database upgrade...
Upgrading ISE Database schema...
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE...
Running ISE data upgrade for node specific data...
This application Install or Upgrade requires reboot, rebooting now...

Step 3 When the reboot process completes, you are prompted to log in with your login credentials and immediately asked to provide new Cisco ISE internal database administrator and user passwords. (This part of the process succeeds only if the user account you are using to log in has administrator-level access privileges.)

login: admin
password:
% NOTICE: ISE upgrade requires you to change the database administrator and user 
passwords, before you can start the application.
Enter new database admin password: 
Confirm new database admin password:  
Enter new database user password: 
Confirm new database user password:  
Starting database to update password...
Starting database to update password...
ISE Database processes already running, PID: 3323
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Application Server...
Starting ISE Monitoring & Troubleshooting Alert Process...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE Monitoring & Troubleshooting Log Processor...
Note: ISE Processes are initializing. Use 'show application status ise'
      CLI to verify all processes are in running state. 

If there is any failure during an upgrade of application binaries and ADE-OS, you can only remove and reinstall the previous version of the application bundle and restore the backup.

See Recovering from Upgrade Failures for details on how to recover from upgrade failures.


Upgrading Cisco ISE in a Distributed Deployment

In a Cisco ISE distributed deployment, you can execute the application upgrade command from the CLI on all the nodes, one by one, starting from the Primary Administration ISE node.

Make sure you have the license file for your Primary Administration ISE node before beginning the upgrade process. If you do not have the file on hand (if your license was installed by a Cisco partner vendor, for example) contact Cisco TAC for assistance.


Caution While you are performing this process, ensure that all of the Secondary nodes are up and running before upgrading the Primary node. Any Secondary nodes that are down during this process may experience problems requiring you to perform recovery steps in Recovering from Upgrade Failures.

To upgrade Cisco ISE in a distributed deployment:


Step 1 Perform an on-demand backup (manually) of the Primary Administration ISE node from the admin user interface or CLI and an on-demand backup of the Monitoring node from the admin user interface before upgrading Cisco ISE.

For more information on how to perform an on-demand backup, see the "On-Demand Backup" section of the Cisco Identity Services Engine User Guide, Release 1.0.4.

Step 2 Execute the application upgrade command from the CLI on the Primary Administration ISE node. This is the same procedure as for upgrading Cisco ISE on a standalone node, except that replication to all the secondary nodes is unscheduled from the Primary node.

Step 3 Check the application status on the Primary node by using the show application status command from the CLI after an upgrade.

If there is any failure on the Primary node, you must investigate the cause of the failure and roll back before attempting the upgrade process again. See Recovering from Upgrade Failures for details on how to recover from upgrade failures.

Step 4 Proceed to the Cisco ISE SECONDARY node only if the upgrade is successful on the Primary. In case the Primary upgrade fails, Cisco recommends investigating possible reasons for the failure and rolling back your installation before attempting the upgrade process again.

Step 5 Execute the application upgrade process on any other SECONDARY node in the deployment. In addition to the steps already outlined in Upgrading Cisco ISE on a Standalone Node, this performs the following actions:

Reschedules replication

Refreshes the upgraded data model from the Primary node, instead of upgrading it directly in the secondary node

In a distributed deployment, if there are two Monitoring ISE nodes, of which one is in the active state and the other is in the standby state, the replication is turned off when upgrading any one of the Monitoring ISE nodes. Once the upgrade is complete on the other Monitoring ISE node, the replication is again turned on.


Caution After upgrading the Primary node, be sure you are able to complete the upgrade process for all of the Secondary nodes in your deployment within six hours. Any Secondary nodes that you are not able to upgrade within six hours may experience problems requiring you to perform recovery steps in Recovering from Upgrade Failures.

The CLI transcript for a successful upgrade on a secondary node should look like the following:

pmbudev-vm29/admin# application upgrade ise-appbundle-1.0.4.573.i386.tar.gz disk
Save the current ADE-OS running configuration? (yes/no) [yes] ? 
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
Stopping ISE application before upgrade...
Running ISE Database upgrade...
Upgrading ISE Database schema...
ISE Database schema upgrade completed.
Waiting for global data replication from PRIMARY to finish...
Running ISE data upgrade for node specific data...
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes.

Step 6 Repeat Step 4 for each SECONDARY node in your deployment.


If your Cisco ISE deployment includes a Monitoring and Troubleshooting high-availability pair (Primary and Secondary) and you upgrade Cisco ISE, Release 1.0 or Cisco ISE Maintenance Release 1.0.4.558 to the latest Cisco ISE Maintenance Release 1.0.4.573 on an active or standby Monitoring ISE node, ensure that the other Monitoring ISE node (Primary/Secondary) is up and running.

This is required because during the Monitoring and Troubleshooting database schema upgrade, the Monitoring and Troubleshooting configuration replication is disabled momentarily and enabled again.

If the other Monitoring ISE node is not running, the upgrade will complete successfully without enabling the Monitoring and Troubleshooting replication. This is indicated by a warning message:

WARNING: Error enabling M&T replication, Please deregister & register the M&T nodes in the deployment.

To enable the Monitoring and Troubleshooting replication again, you should deregister and register the Monitoring nodes in the deployment.


Note The above warning message is only shown if the upgrade is performed through the console or SSH. You will not see this warning message if the upgrade command is issued through the serial console. You can verify whether the above warning message has appeared using the show logging system command, or checking the ADE.log from the support bundle.


Replacing Cisco ISE Appliance Running ISE 1.0 Software with Cisco ISE Appliance Running Cisco ISE Maintenance Release 1.0.4


Note If you want to replace a Cisco ISE appliance running Cisco Identity Services Engine Maintenance Release 1.0.4.558 with a new Cisco ISE running Cisco Identity Services Engine Maintenance Release 1.0.4.573, you must upgrade the appliance running version 1.0.4.558 to 1.0.4.573 before creating a database backup image, which you can then restore on the new appliance running version 1.0.4.573.


This section contains the following:

Replacing Cisco ISE Standalone Appliance Running ISE 1.0 Software with a Cisco ISE Appliance Running Cisco ISE Maintenance Release 1.0.4

Replacing a Subset of Cisco ISE 1.0 Nodes with Cisco ISE Appliances Running Maintenance Release 1.0.4 in a Distributed Deployment

Replacing All Cisco ISE Appliances Running ISE 1.0 Software with Cisco ISE Appliances Running Cisco ISE Maintenance Release 1.0.4 in a Distributed Deployment

Replacing Cisco ISE Standalone Appliance Running ISE 1.0 Software with a Cisco ISE Appliance Running Cisco ISE Maintenance Release 1.0.4

This upgrade scenario would only be required if you are upgrading your Cisco ISE software from release 1.0 to maintenance release 1.0.4 at the same time as you are replacing your existing Cisco ISE chassis.

If you are using the same physical appliance or VM, it is recommended that you follow Performing an Application Upgrade from the CLI instead of a backup and restore. You must upgrade the appliance to the next release before restoring data from the previous release of Cisco ISE.

To replace a Cisco ISE standalone appliance running the Cisco ISE 1.0 software release with a Cisco ISE appliance running Cisco ISE Maintenance Release 1.0.4, complete the following steps:


Step 1 Back up the Cisco ISE, Release 1.0 appliance.

Step 2 Start up and configure the new appliance running Cisco ISE Maintenance Release 1.0.4.

Step 3 Restore the Cisco ISE, Release 1.0 backup image on the new appliance.

For more information on how to perform a backup and restore, see Cisco Identity Services Engine User Guide, Release 1.0.4, Chapter 14 "Backing Up and Restoring Cisco ISE Data".


After you restore data, you must wait until all the application server processes are up and running.

To verify that the Cisco ISE application server processes are running, enter the following command from the Cisco ISE CLI:

show application status ise

For more information on the CLI commands, see the Cisco Identity Services Engine CLI Reference Guide, Release 1.0.4.

Replacing a Subset of Cisco ISE 1.0 Nodes with Cisco ISE Appliances Running Maintenance Release 1.0.4 in a Distributed Deployment

To replace a subset of Cisco ISE 1.0 nodes with Cisco ISE appliances running Cisco ISE Maintenance Release 1.0.4 in a distributed deployment, complete the following steps:


Step 1 Perform an application upgrade to Cisco ISE Maintenance Release 1.0.4 on each node in the existing deployment. See Performing an Application Upgrade from the CLI.

Step 2 Deregister and register the new appliances running Cisco ISE Maintenance Release 1.0.4 into the deployment.

In this case the Primary Administration ISE node remains on the original hardware. You can promote one of the newer appliances running Cisco ISE Maintenance Release 1.0.4 to be the new Primary Administration ISE node.


Replacing All Cisco ISE Appliances Running ISE 1.0 Software with Cisco ISE Appliances Running Cisco ISE Maintenance Release 1.0.4 in a Distributed Deployment

To replace all Cisco ISE appliances running ISE 1.0 software with Cisco ISE appliances running Cisco ISE Maintenance Release 1.0.4 in a distributed deployment, complete the following steps:


Step 1 Perform an application upgrade to Cisco ISE Maintenance Release 1.0.4 on each node in the existing deployment. See Performing an Application Upgrade from the CLI.

Step 2 Deregister a secondary appliance and register it with the first Cisco ISE appliance running Cisco ISE Maintenance Release 1.0.4.

Step 3 Repeat Step 2 for the remaining secondary nodes that you want to move from the Cisco ISE, Release 1.0 hardware deployment to the Cisco ISE Maintenance Release 1.0.4 hardware deployment.

Step 4 Promote one of the new appliances running Cisco ISE Maintenance Release 1.0.4 to be the new Primary Administration ISE node.

Step 5 Deregister the last Cisco ISE, Release 1.0 appliance and register the last appliance running Cisco ISE Maintenance Release 1.0.4 to the deployment.


Recovering from Upgrade Failures

This section describes the following:

Recovering from Upgrade Failures on a Standalone or Primary Node

Recovering from Upgrade Failures on a Secondary Node

Recovering from Upgrade Failures on a Standalone or Primary Node

Before attempting any rollback or recovery on the node where upgrade has failed, you must generate an application bundle using the backup-logs CLI command and place it in a remote repository.

Scenario 1: Upgrade failed during DB schema/datamodel upgrade

Detection: One of the following messages is shown in the console and ADE.log:

ISE Database schema upgrade failed!

ISE Global data upgrade failed!

ISE data upgrade for node specific data failed!

How to Rollback: Restore from the last backup to roll back.

How to proceed with upgrade again: The logs need to be analyzed. Provide the application bundle that you generated to Cisco TAC to identify and resolve the issue. Retrying the upgrade procedure will require a new appbundle in such cases.

Scenario 2: Upgrade failed during binary install

Detection: The application binary upgrade happens after the database upgrade. If a binary upgrade failure has occurred, the following message is shown in the console and ADE.log:

% Application install/upgrade failed with system removing the corrupted install

How to Rollback: Reimage the Cisco ISE appliance using the previous ISO image and restore from backup.

How to proceed with upgrade again: The logs need to be analyzed. Provide the application bundle that you generated to Cisco TAC to identify and resolve the issue. Retrying the upgrade procedure will require a new appbundle in such cases.

Recovering from Upgrade Failures on a Secondary Node

Before attempting any rollback or recovery on the node where upgrade has failed, you must generate an application bundle using the backup-logs CLI command and place it in a remote repository.

Scenario 1: Upgrade failed during DB schema/datamodel upgrade

Detection: One of the following messages is shown in the console and ADE.log:

ISE Database schema upgrade failed!

Error while waiting for replication from PRIMARY to finish!

ISE data upgrade for node specific data failed!

How to Rollback: Rollback is not required, because the Primary node is already upgraded and you cannot roll back the secondary node alone.

How to proceed with upgrade again:

1. De-register the failed node from the Primary node.

2. Enter the application reset-config command on the failed secondary node so that it is converted to a standalone node.

3. If this is a Monitoring Active or Standby node, restore the Monitoring data on this node from the full backup taken before upgrade.

4. Upgrade the node, which is now standalone, using the application bundle.

5. Register the node back to the Primary with its previous role.

Scenario 2: Upgrade failed during binary install

Detection: The application binary upgrade happens after the database upgrade. If a binary upgrade failure has occurred, the following message is shown in the console and ADE.log:

% Application install/upgrade failed with system removing the corrupted install

How to Rollback: Rollback is not required, because the Primary node is already upgraded and you cannot roll back the secondary node alone.

How to proceed with upgrade again:

1. De-register the failed node from the Primary node (PAP).

2. Reimage the secondary node using the previous ISO image.

3. If this is a Monitoring Active or Standby node, restore the Monitoring data on this node from the backup taken before upgrade.

4. Upgrade the node, which is now standalone, using the application bundle.

5. Register the node back to the Primary with its previous role.
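The validation step earlier in this chapter (check ade.log or the console transcript, then run show version) and the failure scenarios above can be turned into a single transcript check. The following is an added example, not Cisco code: it matches the exact messages quoted in this chapter against captured console or ade.log lines, tells the operator whether the upgrade completed, and maps a failure to the recovery path for that node role. The sample transcripts are constructed; the role names and result fields are this example's own.

```python
"""Classify a Cisco ISE 1.0.4 upgrade transcript (console output or ade.log)
against the success and failure messages documented in this chapter.
Added example, not Cisco code; sample transcripts are constructed."""
from dataclasses import dataclass
from typing import Optional

# Failure messages from "Recovering from Upgrade Failures" -> (scenario, phase)
FAILURE_MARKERS = {
    "ISE Database schema upgrade failed!": ("scenario1", "schema"),
    "ISE Global data upgrade failed!": ("scenario1", "global-data"),
    "ISE data upgrade for node specific data failed!": ("scenario1", "node-data"),
    "Error while waiting for replication from PRIMARY to finish!": ("scenario1", "replication"),
    "% Application install/upgrade failed with system removing the corrupted install": ("scenario2", "binary"),
}
# Completion lines from the standalone and secondary transcripts in this chapter
SUCCESS_MARKERS = (
    "This application Install or Upgrade requires reboot, rebooting now...",
    "% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes.",
)
MT_WARNING = "WARNING: Error enabling M&T replication"
# Recovery action per (node role, scenario), as this chapter describes it
RECOVERY = {
    ("primary", "scenario1"): "Restore from the last backup; send the backup-logs bundle to Cisco TAC; retry with a new appbundle.",
    ("primary", "scenario2"): "Reimage with the previous ISO and restore from backup; send the backup-logs bundle to Cisco TAC.",
    ("secondary", "scenario1"): "No rollback: deregister, application reset-config, restore M&T data if an M&T node, upgrade as standalone, re-register.",
    ("secondary", "scenario2"): "No rollback: deregister, reimage with the previous ISO, restore M&T data if an M&T node, upgrade as standalone, re-register.",
}


@dataclass
class UpgradeResult:
    status: str           # "success", "success-mt-warning", "failed" or "incomplete"
    phase: Optional[str]  # upgrade phase in which a failure was reported
    action: str           # next step recommended by this chapter


def classify(lines, role):
    """role is 'standalone', 'primary' or 'secondary'; lines are transcript lines."""
    if role not in ("standalone", "primary", "secondary"):
        raise ValueError(f"unknown node role: {role}")
    key = "primary" if role == "standalone" else role  # standalone recovers like a primary
    stripped = [line.strip() for line in lines]
    for line in stripped:  # any failure message means the upgrade did not complete
        for marker, (scenario, phase) in FAILURE_MARKERS.items():
            if marker in line:
                return UpgradeResult("failed", phase, RECOVERY[(key, scenario)])
    if any(MT_WARNING in line for line in stripped):  # finished, but peer M&T node was down
        return UpgradeResult("success-mt-warning", None,
                             "Deregister and register the Monitoring nodes to re-enable M&T replication.")
    if any(line in SUCCESS_MARKERS for line in stripped):
        return UpgradeResult("success", None,
                             "After the reboot, verify with 'show application status ise' and 'show version'.")
    return UpgradeResult("incomplete", None,
                         "No completion marker found; download the support bundle and check ade.log.")


# Constructed sample transcripts, abridged from the shapes shown in this chapter
SAMPLE_SECONDARY_OK = [
    "Upgrading ISE Database schema...",
    "ISE Database schema upgrade completed.",
    "Waiting for global data replication from PRIMARY to finish...",
    "% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes.",
]
SAMPLE_PRIMARY_FAIL = [
    "Running ISE Database upgrade...",
    "Upgrading ISE Database schema...",
    "ISE Database schema upgrade failed!",
]
```

Feed it the lines of a saved console session or of ade.log from the support bundle; a "failed" result names the phase, so the operator knows which scenario's recovery steps apply before touching the node.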