Cisco ISE Upgrade Overview
This document describes how to upgrade Cisco Identity Services Engine (ISE) software on Cisco ISE appliances and virtual machines to Release 2.0.1.
Upgrading a Cisco ISE deployment is a multi-step process and must be performed in the order specified in this document. Use the time estimates provided in this document to plan for upgrade with minimum downtime. For a deployment with multiple PSNs that are part of a PSN group, there would be no downtime. If there are endpoints authenticating through a PSN that is being upgraded, the request is processed by another PSN in the node group. The endpoint is re-authenticated and granted network access after successful authentication.
If you have a standalone deployment or a deployment with a single PSN, you might experience a downtime for all authentications when the PSN is being upgraded.
You can directly upgrade to Release 2.0.1, from any of the following releases:
Cisco ISE, Release 1.3
Cisco ISE, Release 1.4
Cisco ISE, Release 2.0
If you are on a version earlier than Cisco ISE, Release 1.3, you must first upgrade to one of the releases listed above and then upgrade to Release 2.0.1.
You can download the upgrade bundle from Cisco.com. There are two upgrade bundles available for Release 2.0.1:
ise-upgradebundle-1.3.x-and-1.4.x-to-184.108.40.206.x86_64.tar.gz—Use this bundle to upgrade from Release 1.3 or 1.4 to 2.0.1.
ise-upgradebuncle-2.0.x-to-220.127.116.11.SPA.x86_64.tar.gz—Use this bundle to upgrade from Release 2.0 to 2.0.1.
This release of Cisco ISE supports both GUI-based as well as CLI-based upgrade.
The GUI-based upgrade from the Admin portal is supported only if you are currently on Release 2.0 and want to upgrade to Release 2.0.1. See Upgrade a Cisco ISE Deployment from the GUI for more information.
From the Cisco ISE CLI, you can upgrade from Release 1.3, 1.4, or 2.0 directly to Release 2.0.1. See Upgrade a Cisco ISE Deployment from the CLI for more information.
Whether you choose UI or CLI for your upgrade, and in order to upgrade your deployment with minimum-possible downtime while providing maximum resiliency and ability to roll back, we recommend that you perform the upgrade in the following order:
Back up all configuratoin and monitoring data before beginning upgrade in order to ensure you can easily roll back manually if necessary.
Secondary Administration Node
At this point, the Primary Administration Node remains at the previous version and can be used for rollback if the upgrade fails.
Primary Monitoring Node
Policy Service Nodes
After you upgrade a set of Policy Service Nodes, verify whether the upgrade is successful (see Verify the Upgrade Process) and run the network tests to ensure that the new deployment is functioning as expected. If the upgrade is successful, you can upgrade the next set of Policy Service Nodes.
Secondary Monitoring Node
Primary Administration Node
Re-run the upgrade verification and network tests after you upgrade the Primary Administration Node.
After the upgrade, the Secondary Administration Node will become the Primary Administration Node, and the original Primary Administration Node will become the Secondary Administration Node. In the Edit Node window, click Promote to Primary to promote the Secondary Administration Node to become the Primary Administration Node (as in your old deployment), if required.