Upgrade Sequence of the Nodes
You can upgrade Cisco ISE using the GUI, Backup and Restore, or the CLI. If you use the GUI to upgrade, you can choose the order in which the nodes are upgraded. However, we recommend that you upgrade the nodes of your deployment in the order given below. This helps you reduce downtime while providing maximum resiliency and the ability to roll back.
- Back up all configuration and monitoring data. This task should be done before initiating the upgrade to ensure that you can easily roll back manually, if necessary.
- Secondary Administration Node

  At this point, the Primary Administration Node remains at the previous version and can be used for rollback if the upgrade fails.
- Primary Monitoring Node or Secondary Monitoring Node

  If you have a distributed deployment, upgrade all the nodes that are available in the site that has the Secondary Administration Node of your existing Cisco ISE deployment.
- Secondary Monitoring Node or Primary Monitoring Node
- Policy Service Nodes

  After you upgrade a set of Policy Service nodes, verify whether the upgrade is successful (see Verify the Upgrade Process) and run the necessary network tests to ensure that the new deployment is functioning as expected. If the upgrade is successful, you can upgrade the next set of Policy Service nodes.
- Primary Administration Node

  Rerun the upgrade verification and network tests after you upgrade the Primary Administration Node.
Note: If upgrade fails during the registration of the Primary Administration node (the last node from the old deployment that has to be upgraded), the upgrade is rolled back and the node becomes a standalone node. From the CLI, upgrade the node as a standalone node. Register the node to the new deployment as a Secondary Administration node.
After the upgrade, the Secondary Administration Node becomes the Primary Administration Node, and the original Primary Administration Node becomes the Secondary Administration Node. In the Edit Node window, click Promote to Primary to promote the Secondary Administration Node as the Primary Administration Node (as in your old deployment), if necessary.
If the Administration Nodes also assume the Monitoring persona, then follow the sequence given in the table below:
Node Personas In The Current Deployment | Upgrade Sequence |
---|---|
Secondary Administration/Primary Monitoring Node, Policy Service Nodes, Primary Administration/Secondary Monitoring Node | |
Secondary Administration/Secondary Monitoring Node, Policy Service Nodes, Primary Administration/Primary Monitoring Node | |
Secondary Administration Node, Primary Monitoring Node, Policy Service Nodes, Primary Administration/Secondary Monitoring Node | |
Secondary Administration Node, Secondary Monitoring Node, Policy Service Nodes, Primary Administration/Primary Monitoring Node | |
Secondary Administration/Primary Monitoring Node, Policy Service Nodes, Secondary Monitoring Node, Primary Administration Node | |
Secondary Administration/Secondary Monitoring Node, Policy Service Nodes, Primary Monitoring Node, Primary Administration Node | |
You will get the error message "No Secondary Administration Node in the Deployment" under the following circumstances:
- There is no Secondary Administration node in the deployment.
- The Secondary Administration node is down.
- The Secondary Administration node is upgraded and moved to the upgraded deployment. Typically, this occurs when you use the Refresh Deployment Details option after the Secondary Administration node is upgraded.

To resolve this issue, perform one of the following tasks, as applicable:
- If the deployment does not have a Secondary Administration node, configure a Secondary Administration node and retry the upgrade.
- If the Secondary Administration node is down, bring up the node and retry the upgrade.
- If the Secondary Administration node is upgraded and moved to the upgraded deployment, use the CLI to manually upgrade the other nodes in the deployment.
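The recommended sequence and the Secondary Administration node checks above, written as a planning script. This is an added example, not Cisco code: the inventory format, role names, hostnames, sites and Policy Service set size are assumptions, and it covers dedicated personas only (nodes with combined Administration/Monitoring personas are rejected).

```python
# Added example. Inventory format, role names and set size are assumptions.
ROLES = {"secondary_admin", "primary_admin", "primary_monitoring",
         "secondary_monitoring", "policy_service"}
VERIFY = "Verify the upgrade and run network tests"

def precheck(nodes):
    """Return why 'No Secondary Administration Node' would appear, else None."""
    san = next((n for n in nodes if n["role"] == "secondary_admin"), None)
    if san is None:
        return "No Secondary Administration node: configure one and retry"
    if not san["up"]:
        return "Secondary Administration node is down: bring it up and retry"
    if san.get("upgraded"):
        return "Secondary Administration node already upgraded: use the CLI for the other nodes"
    return None

def plan(nodes, psn_set_size=2):
    """Build the ordered step list for a deployment with dedicated personas."""
    unknown = [n["name"] for n in nodes if n["role"] not in ROLES]
    if unknown:  # combined Administration/Monitoring personas are out of scope
        raise ValueError(f"unsupported persona on: {unknown}")
    problem = precheck(nodes)
    if problem:
        raise RuntimeError(problem)
    names = lambda role: sorted(n["name"] for n in nodes if n["role"] == role)
    san_site = next(n["site"] for n in nodes if n["role"] == "secondary_admin")
    # Either Monitoring node may go first; prefer the one at the SAN's site.
    mnt = sorted((n for n in nodes if n["role"].endswith("_monitoring")),
                 key=lambda n: (n["site"] != san_site, n["name"]))
    steps = ["Back up configuration and monitoring data"]
    steps += [f"Upgrade {n}" for n in names("secondary_admin")]
    steps += [f"Upgrade {n['name']}" for n in mnt]
    psns = names("policy_service")
    for i in range(0, len(psns), psn_set_size):
        steps += ["Upgrade PSN set: " + ", ".join(psns[i:i + psn_set_size]), VERIFY]
    steps += [f"Upgrade {n}" for n in names("primary_admin")] + [VERIFY]
    return steps

# Constructed sample inventory (hypothetical hostnames and sites).
SAMPLE = [
    {"name": "ise-pan1", "role": "primary_admin", "site": "dc1", "up": True},
    {"name": "ise-pan2", "role": "secondary_admin", "site": "dc2", "up": True},
    {"name": "ise-mnt1", "role": "primary_monitoring", "site": "dc1", "up": True},
    {"name": "ise-mnt2", "role": "secondary_monitoring", "site": "dc2", "up": True},
    {"name": "ise-psn1", "role": "policy_service", "site": "dc1", "up": True},
    {"name": "ise-psn2", "role": "policy_service", "site": "dc2", "up": True},
    {"name": "ise-psn3", "role": "policy_service", "site": "dc2", "up": True},
]

if __name__ == "__main__":
    print("\n".join(plan(SAMPLE)))
```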