Prepare for Upgrade
Before you start the upgrade process, ensure that you perform the following tasks:
Note: In a multinode deployment with Primary and Secondary PANs, monitoring dashboards and reports might fail after upgrade because of a caveat in the data replication. See CSCvd79546 for details. As a workaround, perform a manual synchronization from the Primary PAN to the Secondary PAN before initiating upgrade.
Note: If you are currently on Release 2.0.1 on an SNS-3415 appliance, you cannot upgrade to Release 2.1 because of an exception. See CSCva96507 for details. As a workaround, reimage the SNS-3415 appliance, perform a fresh installation of Cisco ISE, Release 2.1, and restore the backup from Release 2.0.1.
Apply Latest Patch to Your Current Cisco ISE Version Before Upgrade
Due to the following known issues, we recommend that you apply the latest patch to your current Cisco ISE version before upgrade:
Change VMware Virtual Machine Guest Operating System and Settings
If you are upgrading Cisco ISE nodes on virtual machines, ensure that you change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. To do this, you must power down the VM, change the Guest Operating System to RHEL 7, and power on the VM after the change. RHEL 7 supports only E1000 and VMXNET3 network adapters. Be sure to change the network adapter type before you upgrade.
Remove Non-English Characters From Sponsor Group Names
Prior to release 2.2, if you have created sponsor groups with non-English characters, before upgrade, be sure to rename the sponsor groups and use only English characters.
Cisco ISE, Release 2.2 and later does not support non-English characters in sponsor group names.
Firewall Ports that Must be Open for Communication
If you have a firewall that is deployed between your primary Administration node and any other node, the following ports must be open before you upgrade:
- TCP 1521—For communication between the primary administration node and monitoring nodes.
- TCP 443—For communication between the primary administration node and all other secondary nodes.
- TCP 12001—For global cluster replication.
- TCP 7800 and 7802—(Applicable only if the policy service nodes are part of a node group) For PSN group clustering.
For a full list of ports that Cisco ISE uses, see the Cisco Identity Services Engine Hardware Installation Guide or the Cisco ISE Ports Reference.
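As an added example (not from the Cisco ISE documentation), the following Python preflight check probes the ports listed above from the PAN toward each node before the upgrade window, so a firewall rule that blocks one of them is found before the upgrade fails. The node roles (`mnt`, `psn`, `pan`), the placeholder hostnames and the loopback listener helper are assumptions for local testing.

```python
import socket
from typing import Dict, List, Tuple

# Ports from the list above, keyed by which node relationship needs them.
# 7800/7802 apply only when the PSNs are members of a node group.
COMMON = {443: "PAN <-> all other secondary nodes", 12001: "global cluster replication"}
MNT_ONLY = {1521: "PAN <-> monitoring nodes"}
PSN_NODE_GROUP = {7800: "PSN group clustering", 7802: "PSN group clustering"}


def required_ports(role: str, in_node_group: bool = False) -> Dict[int, str]:
    """Ports the PAN must reach on a node of the given role ('mnt', 'psn' or 'pan')."""
    ports = dict(COMMON)
    if role == "mnt":
        ports.update(MNT_ONLY)
    if role == "psn" and in_node_group:
        ports.update(PSN_NODE_GROUP)
    return ports


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes; a firewall drop shows up as a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unresolvable host
        return False


def check_node(host: str, role: str, in_node_group: bool = False, timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every required port on one node and return {port: reachable}."""
    return {p: tcp_port_open(host, p, timeout) for p in required_ports(role, in_node_group)}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that must be opened on the firewall before starting the upgrade."""
    return sorted(p for p, ok in results.items() if not ok)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Test helper: listen on an ephemeral loopback port so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed inventory; the hostnames are placeholders, not real nodes.
    nodes = [("ise-mnt-1.example.invalid", "mnt", False), ("ise-psn-1.example.invalid", "psn", True)]
    for host, role, grouped in nodes:
        blocked = blocked_ports(check_node(host, role, grouped))
        print(host, "all required ports reachable" if not blocked else f"blocked: {blocked}")
```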
Back Up Cisco ISE Configuration and Operational Data from the Primary Administration Node
Obtain a backup of the Cisco ISE configuration and operational data from the Command Line Interface (CLI) or the GUI. The CLI command is:
backup backup-name repository repository-name {ise-config | ise-operational} encryption-key {hash | plain} encryption-keyname
Note: When Cisco ISE runs on VMware, VMware snapshots are not supported for backing up ISE data. A VMware snapshot saves the state of a VM at a given point in time. In a multi-node Cisco ISE deployment, the data in all the nodes is continuously synchronized with the current database information, so restoring a snapshot might cause database replication and synchronization issues. Cisco recommends that you use the backup functionality included in Cisco ISE for archival and restoration of data. Using VMware snapshots to back up ISE data stops the Cisco ISE services, and a reboot is required to bring up the ISE node.
You can also obtain the configuration and operational data backup from the Cisco ISE Admin Portal. Ensure that you have created repositories for storing the backup file. Do not back up using a local repository. You cannot back up the monitoring data in the local repository of a Remote Monitoring node. The following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because these repository types are all either read-only or their protocol does not support the file listing.
- Choose Administration > Maintenance > Backup and Restore.
- Click Backup Now.
- Enter the values as required to perform a backup.
- Click OK.
- Verify that the backup completed successfully.
Cisco ISE appends the backup filename with a timestamp and stores the file in the specified repository. In addition to the timestamp, Cisco ISE adds a CFG tag for configuration backups and OPS tag for operational backups. Ensure that the backup file exists in the specified repository.
In a distributed deployment, do not change the role of a node or promote a node when the backup is running. Changing node roles will shut down all the processes and might cause some inconsistency in data if a backup is running concurrently. Wait for the backup to complete before you make any node role changes.
Note: Cisco ISE allows you to obtain a backup from an ISE node (A) and restore it on another ISE node (B), both having the same hostnames (but different IP addresses). However, after you restore the backup on node B, do not change the hostname of node B because it might cause issues with certificates and portal group tags.
Back Up System Logs from the Primary Administration Node
Obtain a backup of the system logs from the Primary Administration Node from the Command Line Interface (CLI). The CLI command is:
backup-logs backup-name repository repository-name encryption-key {hash | plain} encryption-keyname
Check Certificate Validity
The upgrade process fails if any certificate in the Cisco ISE Trusted Certificates or System Certificates store has expired. Ensure that you check the validity in the Expiration Date field of the Trusted Certificates and System Certificates windows (Administration > System > Certificates > Certificate Management), and renew them, if necessary, before upgrade.
Also check the validity in the Expiration Date field of the certificates in the CA Certificates window (Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates), and renew them, if necessary, before upgrade.
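Added example, not part of the Cisco ISE documentation: a stdlib-only Python check that scans a PEM bundle (for instance the certificates exported from the System, Trusted and CA certificate stores) and lists every certificate whose notAfter has already passed, which is the condition that makes the upgrade fail. The minimal DER walker, the `der()` encoder and the unsigned sample certificate it builds are assumptions used to exercise the check offline; the walker reads only the validity field and is not a full X.509 parser.

```python
import base64, datetime, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf: bytes, i: int):
    """Decode one DER element at offset i: returns (tag, contents, offset after it)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def not_after(der_cert: bytes) -> datetime.datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC time."""
    _, cert, _ = _tlv(der_cert, 0)         # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate SEQUENCE
    tag, _, i = _tlv(tbs, 0)               # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, i = _tlv(tbs, i)             # serialNumber
    _, _, i = _tlv(tbs, i)                 # signature AlgorithmIdentifier
    _, _, i = _tlv(tbs, i)                 # issuer Name
    _, validity, _ = _tlv(tbs, i)          # validity SEQUENCE { notBefore, notAfter }
    _, _, j = _tlv(validity, 0)            # skip notBefore
    tag, t, _ = _tlv(validity, j)          # UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)


def utc(y: int, m: int, d: int) -> datetime.datetime:
    """Aware UTC midnight, for deterministic 'now' values."""
    return datetime.datetime(y, m, d, tzinfo=datetime.timezone.utc)


def expired_certs(pem_text: str, now: datetime.datetime = None):
    """Return [(index, notAfter)] for every PEM certificate in pem_text that has expired."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    exps = [not_after(base64.b64decode("".join(m.group(1).split()))) for m in PEM_RE.finditer(pem_text)]
    return [(i, exp) for i, exp in enumerate(exps) if exp <= now]


def der(tag: int, body: bytes) -> bytes:
    """Short-form DER encoder (contents under 128 bytes), used only to build the constructed sample."""
    return bytes([tag, len(body)]) + body


def sample_cert(not_after_utc: str) -> str:
    """Constructed, unsigned stand-in certificate with just enough structure for not_after()."""
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, not_after_utc.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```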
Delete a Certificate
In order to delete an expired certificate, perform the following steps:
Procedure
Step 1. Choose Administration > System > Certificates > Certificate Management > System Certificates.
Step 2. Select the expired certificate.
Step 3. Click Delete.
Step 4. Choose Administration > System > Certificates > Certificate Management > Trusted Certificates.
Step 5. Select the expired certificate.
Step 6. Click Delete.
Step 7. Choose Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates.
Step 8. Select the expired certificate.
Step 9. Click Delete.
Export Certificates and Private Keys
We recommend that you export:
- All local certificates (from all the nodes in your deployment) along with their private keys to a secure location. Record the certificate configuration (what service the certificate was used for).
Procedure
Step 1. Choose Administration > System > Certificates > Certificate Management > System Certificates.
Step 2. Select the certificate and click Export.
Step 3. Select the Export Certificates and Private Keys radio button.
Step 4. Enter the Private Key Password and Confirm Password.
Step 5. Click Export.
- All certificates from the Trusted Certificates Store of the Primary Administration Node. Record the certificate configuration (what service the certificate was used for).
Procedure
Step 1. Choose Administration > System > Certificates > Certificate Management > Trusted Certificates.
Step 2. Select the certificate and click Export.
Step 3. Click Save File to export the certificate.
Step 4. Choose Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates.
Step 5. Select the certificate and click Export.
Step 6. Select the Export Certificates and Private Keys radio button.
Step 7. Enter the Private Key Password and Confirm Password.
Step 8. Click Export.
Step 9. Click Save File to export the certificate.
Disable PAN Automatic Failover and Disable Scheduled Backups before Upgrading
You cannot perform deployment changes when running a backup in Cisco ISE. Therefore, you must disable automatic configurations in order to ensure that they do not interfere with the upgrade. Ensure that you disable the following configurations before you upgrade Cisco ISE:
- Primary Administration Node Automatic Failover—If you have configured the Primary Administration Node for an automatic failover, be sure to disable the automatic failover option before you upgrade Cisco ISE.
- Scheduled Backups—When planning your deployment upgrade, reschedule the backups after the upgrade. You can choose to disable the backup schedules and recreate them after the upgrade.
Backups with a schedule frequency of once get triggered every time the Cisco ISE application is restarted. Hence, if you have a backup schedule that was configured to run only a single time, be sure to disable it before upgrade.
Configure NTP Server and Verify Availability
During upgrade, the Cisco ISE nodes reboot, migrate, and replicate data from the primary administration node to the secondary administration node. For these operations, it is important that the NTP server in your network is configured correctly and is reachable. If the NTP server is not set up correctly or is unreachable, the upgrade process fails.
Ensure that the NTP servers in your network are reachable, responsive, and synchronized during upgrade.
Record Profiler Configuration
If you use the Profiler service, ensure that you record the profiler configuration for each of your Policy Service nodes from the Admin portal (Administration > System > Deployment > <node> > Profiling Configuration). You can make a note of the configuration or obtain screen shots.
Obtain Active Directory and Internal Administrator Account Credentials
If you use Active Directory as your external identity source, ensure that you have the Active Directory credentials and a valid internal administrator account credentials on hand. After upgrade, you might lose Active Directory connections. If this happens, you need the ISE internal administrator account to log in to the Admin portal and Active Directory credentials to rejoin Cisco ISE with Active Directory.
Activate MDM Vendor Before Upgrade
If you use the MDM feature, then before upgrade, ensure that the MDM vendor status is active.
Otherwise, the existing authorization profiles for the MDM redirect are not updated with the MDM vendor details. After upgrade, you must manually update these profiles with an active vendor and the users will go through the onboarding flow again.
Create Repository and Copy the Upgrade Bundle
Create a repository to obtain backups and copy the upgrade bundle. We recommend that you use FTP for better performance and reliability. Do not use repositories that are located across slow WAN links. We recommend that you use a local repository that is closer to the nodes.
Download the upgrade bundle from Cisco.com.
To upgrade to Release 2.2, there are three upgrade bundles available:
- ise-upgradebundle-1.4.x-to-2.2.0.x.x86_64.tar.gz—Use this bundle to upgrade from Release 1.4 to 2.2
- ise-upgradebundle-2.0.x-to-2.2.0.x.x86_64.tar.gz—Use this bundle to upgrade from Release 2.0 or 2.0.1 to 2.2
- ise-upgradebundle-2.2.0.x.x86_64.tar.gz—Use this bundle to upgrade from Release 2.1 to 2.2
For upgrade, you can copy the upgrade bundle to the Cisco ISE node's local disk using the following command:
copy repository_url/path/ise-upgradebundle-1.4.x-to-2.2.0.x.x86_64.tar.gz disk:/
For example, if you want to use SFTP to copy the upgrade bundle, you can do the following:
- Add the host key if it does not exist: crypto host_key add host mySftpserver
- copy sftp://aaa.bbb.ccc.ddd/ise-upgradebundle-1.4.x-to-2.2.0.x.x86_64.tar.gz disk:/
aaa.bbb.ccc.ddd is the IP address or hostname of the SFTP server and ise-upgradebundle-1.4.x-to-2.2.0.x.x86_64.tar.gz is the name of the upgrade bundle.
Having the upgrade bundle in the local disk saves time during upgrade. Alternatively, you can use the application upgrade prepare command to copy the upgrade bundle to the local disk and extract it.
Check the Available Disk Size
Ensure that you have allocated the required disk space for virtual machines. See the Cisco ISE Installation Guide for more details. If you need to increase the disk size, you must reinstall ISE and restore a configuration backup.
Check Load Balancer Configuration
If you are using any load balancer between the Primary Administration Node (PAN) and the Policy Service node (PSN), ensure that the session timeout that is configured on the load balancer does not affect the upgrade process. If the session timeout is set to a lower value, it might affect the upgrade process on the PSNs located behind the load balancer. For example, if a session times out during the database dump from PAN to a PSN, the upgrade process may fail on the PSN.