Prepare for upgrade

Before you start the upgrade process, ensure you complete these tasks:

Health check

Ensure you run a health check on your Cisco ISE deployment before upgrading to identify and resolve critical issues that may cause downtime. For more information, see "Health Check" in the “Troubleshooting” chapter in the Cisco ISE Administrator Guide.

Guidelines to minimize upgrade time and maximize efficiency during upgrade

These guidelines help you address issues in your current deployment during the upgrade process, which reduces overall downtime.

  • Upgrade to the latest patch in the existing version before starting the upgrade.


    Note


    If you are upgrading from Cisco ISE release 2.6 patch 10 and later or 2.7 Patch 4 and later and have an SSM On-Prem server configured, you must disconnect the SSM On-Prem server before you begin the upgrade process.

    If you are upgrading from earlier releases and have an SSM On-Prem server configured, you must disconnect the SSM On-Prem server before you begin the upgrade process.


  • We recommend that you test the upgrade in a staging environment to identify and address any issues without impacting the live system.

    • All the nodes in the Cisco ISE deployment should be at the same patch level in order to exchange data.


      Note


      If all the nodes in your deployment are not on the same Cisco ISE version and patch version, you will get a warning message: Upgrade cannot begin. This message indicates that the upgrade is in a blocked state. Ensure that all nodes are in the same version (including any patch versions) before you begin the upgrade.


    • Based on the number of PSNs in your deployment and availability of personnel, you can install the final version of Cisco ISE you need to upgrade to, apply the latest patch, and keep it ready.

    • In case you want to retain the MnT logs, complete the tasks for MnT nodes and join them to the new deployment as MnT nodes. However, if you do not need to retain the operational logs, you can skip the step by re-imaging the MnT nodes.

    • Cisco ISE installation can be done in parallel if you have a multi-node deployment, without impact to the production deployment. Installing ISE servers in parallel saves time, especially when you are using backup and restore from a previous release.

    • A PSN can be added to the new deployment to download the existing policies from the PAN during the registration process. Use the ISE latency and bandwidth calculator to understand the latency and bandwidth requirements in a Cisco ISE deployment.

    • It is a best practice to archive the old logs and not transfer them to the new deployments. This is because operational logs restored in the MnTs are not synchronized to different nodes in case you change the MnT roles later.

    • If you have two data centers with full distributed deployment, first upgrade the backup data center. Then test the use cases before upgrading the primary data center.

  • Download and store the upgrade software in a local repository before upgrade to speed up the process.

  • If you are currently upgrading to Cisco ISE, release 3.0 or later, you can either use Health Check or Upgrade Readiness Tool (URT) to run system diagnosis before you initiate the upgrade process.


  • Use the Upgrade Readiness Tool (URT) to detect and fix any configuration data upgrade issues before you start the upgrade process. Most upgrade failures occur due to configuration data issues during the upgrade. The URT validates the data to identify issues before the upgrade and fixes or reports them whenever possible. The URT is available as a separate downloadable bundle that can be run on a Secondary Policy Administration node or standalone node. There is no downtime to run this tool. This video explains how to use the URT: https://video.cisco.com/detail/video/5797832452001.


    Warning


    Do not run the URT on the Primary Policy Administration Node. The URT tool does not simulate MnT operational data upgrades.


  • Note that when upgrading Cisco ISE using the GUI, the timeout for the process per node is four hours. If the process takes longer, you must restart it. If upgrading with the Upgrade Readiness Tool (URT) will take you more than four hours, Cisco recommends that you use CLI for this process.

  • Back up the load balancers before changing the configuration. You can remove the PSNs from the load balancers during the upgrade window and add them back after the upgrade.

  • Disable automatic PAN Failover (if configured) and disable Heartbeat between PANs during the upgrade.

  • Review the existing policies and eliminate any outdated or redundant rules.

  • Remove unwanted monitoring logs and endpoint data.

  • You can take a backup of configuration and operations logs and restore it on a temporary server that is not connected to the network. You can use a remote logging target during the upgrade window.

    You can use these options after the upgrade to reduce the number of logs that are sent to MnT nodes and improve the performance:

    • Use the MnT collection filters (to view this window, click the Menu icon and choose Administration > System > Logging > Collection Filters) to filter incoming logs and avoid duplication of entries in AAA logs.

    • You can create Remote Logging Targets (to view this window, click the Menu icon and choose Administration > System > Logging > Remote Logging Targets) and route each individual logging category to a specific Logging Target (to view this window, click the Menu icon and choose System > Logging > Logging categories).

    • Enable the Ignore Repeated Updates option (to view this window, click the Menu icon and choose Administration > System > Settings > Protocols > RADIUS) to avoid repeated accounting updates.

  • Download and use the latest upgrade bundle for upgrade. Use this query in the Bug Search Tool to find the upgrade related defects that are open and fixed: http://cs.co/ise-upgrade-bugsearch

  • Test all the use cases for the new deployment with fewer users to ensure service continuity.

Validate data to prevent upgrade failures

Cisco ISE offers an Upgrade Readiness Tool (URT) that you can run to detect and fix any data upgrade issues before you start the upgrade process.

Most upgrade failures happen due to data upgrade issues. Use the URT to validate your data before an upgrade, identify and report issues, and fix issues when possible.

The URT is available as a separate downloadable bundle. Run the URT on a Secondary Administration Node for high availability and other deployments with multiple nodes, or on the Standalone Node for a single-node deployment.


Warning


In multiple-node deployments, do not run the URT on the Primary Policy Administration Node.


You can run the URT from the Command-Line Interface (CLI) of the Cisco ISE node. The URT:

  1. Checks whether the URT is run on a supported version of Cisco ISE. The supported versions are Release 2.7, 3.0 and 3.1.

  2. Verifies that the URT is run on either a standalone Cisco ISE node or a Secondary Policy Administration Node (secondary PAN).

  3. Checks if the URT bundle is less than 45 days old. This check ensures that you use the most recent URT bundle.

  4. Checks whether all these prerequisites are met.

    • Version compatibility

    • Persona checks

    • Disk space


      Note


      Verify the available disk size with Disk Requirement Size. If you need to increase the disk size, reinstall Cisco ISE and restore a configuration backup.


    • NTP server

    • Memory

    • System and trusted certificate validation

  5. Clones the configuration database

  6. Copies the latest upgrade files to the upgrade bundle


    Note


    If there are no patches in the URT bundle, the output will return N/A. This is expected behavior during the installation of a hot patch.


  7. Performs a schema and data upgrade on the cloned database

    • If the upgrade on the cloned database is successful, the tool provides an estimate of the time required for the upgrade to complete.

    • If the upgrade is successful, the tool removes the cloned database.

    • If the upgrade on the cloned database fails, the tool collects the required logs, prompts for an encryption password, generates a log bundle, and stores the bundle on the local disk.

Download and run the Upgrade Readiness Tool

The URT checks the configuration data before the upgrade to identify issues that could cause an upgrade failure.

Before you begin

While running the URT, do not simultaneously:

  • Back up or restore data

  • Make any persona changes

Procedure


Step 1

Create a repository and copy the URT bundle

Step 2

Run the URT


Create a repository and copy the URT bundle

Create a repository, then copy the URT bundle. For more information about creating a repository, see “Create Repositories” in the Chapter “Maintain and Monitor” in the Cisco ISE Administrator Guide.

To improve performance and reliability, use File Transfer Protocol (FTP). Avoid using repositories located across slow WAN links. Choose a local repository near your nodes.

Before you begin

Make sure your connection to the repository has enough bandwidth.

Procedure

Step 1

Download the URT bundle from the Cisco ISE Download Software Center (ise-urtbundle-3.2.xxx-1.0.0.SPA.x86_64.tar.gz).

Step 2

Optionally, to save time, copy the URT bundle to the local-disk on the Cisco ISE node using the command:

copy repository_url/path/ise-urtbundle-3.2.xxx-1.0.0.SPA.x86_64.tar.gz disk:/

To copy the upgrade bundle using SFTP, perform these steps:

(Add the host key if it does not exist) crypto host_key add host mySftpserver
copy sftp://aaa.bbb.ccc.ddd/ise-urtbundle-3.2.xxx-1.0.0.SPA.x86_64.tar.gz disk:/

The value "aaa.bbb.ccc.ddd" represents the IP address or hostname of the SFTP server; "ise-urtbundle-3.2.xxx-1.0.0.SPA.x86_64.tar.gz" is the name of the URT bundle.


Run the URT

The URT identifies data issues that might cause an upgrade failure. It reports or fixes these issues where possible. To run the URT:

Before you begin

Storing the URT bundle on the local disk allows the installation process to complete more quickly.

Procedure

Enter the application install command to install the URT.

application install ise-urtbundle-3.2.0.x.SPA.x86_64.tar.gz reponame

Note

 

If the application is not installed successfully, URT provides the reason for the upgrade failure. Fix any reported issues, then run the URT again.

Before upgrading to Cisco ISE release 3.2, you must remove the 5G attribute. For more information, see the "Configure Cisco Private 5G as a Service" section in the "Secure Access" chapter in the Cisco ISE Administrator Guide.

Note

 

If you do not remove the 5G attribute, you will see this error:

Error Occurred while adding 5G field to access service

Error while applying changes in version: 3.2.0.100 class: com.cisco.cpm.acs.nsf.im.NetworkAccessUpgrade

com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.nsf.api.exceptions.NSFEntityAttributeException: AccessService FIVEG DuplicateAttributeException~AttributeName : FIVEG already exists as FIVEG

        at com.cisco.cpm.acs.nsf.im.NetworkAccessUpgrade.upgradeAllowFiveG(NetworkAccessUpgrade.java:2671)

        at com.cisco.cpm.acs.nsf.im.NetworkAccessUpgrade.upgrade(NetworkAccessUpgrade.java:585)

        at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132)

        at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185)

Caused by: com.cisco.cpm.nsf.api.exceptions.NSFEntityAttributeException: AccessService FIVEG DuplicateAttributeException~AttributeName : FIVEG already exists as FIVEG

Remove the URT

Uninstall URT if the installation failed or if the installed version is outdated. Follow these steps to uninstall URT.

Before you begin

Make sure URT appears in the installed programs list.

Procedure

Step 1

Enter this command in the CLI:

application remove urt

Step 2

Enter Y when you are prompted with this message:

Continue with application removal? (y/n) 

This message is displayed when the uninstallation is complete:

Application successfully uninstalled

What to do next

After the uninstallation is complete, you can install URT if needed.

Change the name of authorization simple condition if a predefined authorization compound condition with the same name exists

Cisco ISE comes with several predefined authorization compound conditions. If you have an authorization simple condition in your old deployment that shares a name with a predefined authorization compound condition, the upgrade process fails. Before upgrading, rename your authorization simple condition to avoid using a predefined compound condition name.

  • Compliance_Unknown_Devices

  • Non_Compliant_Devices

  • Compliant_Devices

  • Non_Cisco_Profiled_Phones

  • Switch_Local_Web_Authentication

  • Catalyst_Switch_Local_Web_Authentication

  • Wireless_Access

  • BYOD_is_Registered

  • EAP-MSCHAPv2

  • EAP-TLS

  • Guest_Flow

  • MAC_in_SAN

  • Network_Access_Authentication_Passed

Change VMware virtual machine Guest Operating System and settings

If you are upgrading Cisco ISE nodes on virtual machines, change the Guest Operating System to Red Hat Enterprise Linux (RHEL) 7. Power down the VM, change the Guest Operating System to RHEL 7, and then power on the VM.

RHEL 7 supports only E1000 and VMXNET3 network adapters. Change the network adapter type before you upgrade.

Remove non-ASCII characters from sponsor group names

If your sponsor groups include non-ASCII characters and were created before Cisco ISE Release 2.2, rename your sponsor groups to use only ASCII characters before you upgrade.

Cisco ISE does not support non-ASCII characters in sponsor group names.

Key firewall ports to enable for communication

If you have a firewall deployed between your Primary Administration Node (PAN) and any other node, you must open these ports before upgrading:

  • TCP 1521: For communication between the PAN and monitoring nodes.

  • TCP 443: For communication between the PAN and all other secondary nodes.

  • TCP 12001: For global cluster replication.

  • TCP 7800 and 7802: Required for Policy Service Node (PSN) group clustering when policy service nodes are part of a node group.

For a full list of ports that Cisco ISE uses, see the chapter "Cisco ISE Ports Reference" in the Cisco ISE Installation Guide.
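The port list above can be turned into a reachability audit that is run before the upgrade window. The following Python script is an added example, not Cisco code; it assumes it is run from a host in the same network segment as the PAN, that port 12001 applies to every node, and the inventory format, hostnames and function names are constructed for the illustration.

```python
"""Added example: audit the PAN-to-node firewall ports listed above."""
import socket

# Constructed inventory; hostnames and persona assignments are placeholders.
SAMPLE_NODES = [
    {"host": "span.example.test", "personas": {"PAN"}},
    {"host": "mnt1.example.test", "personas": {"MnT"}},
    {"host": "psn1.example.test", "personas": {"PSN"}, "in_node_group": True},
]


def required_ports(personas, in_node_group=False):
    """Map TCP port -> purpose for one secondary node, per the list above."""
    ports = {
        443: "PAN to secondary node communication",
        # Assumption: replication applies to every node in the deployment.
        12001: "global cluster replication",
    }
    if "MnT" in personas:
        ports[1521] = "PAN to monitoring node communication"
    if "PSN" in personas and in_node_group:
        ports[7800] = "PSN node group clustering"
        ports[7802] = "PSN node group clustering"
    return ports


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False


def audit(nodes, probe=tcp_probe):
    """Return (host, port, purpose) for every required port that fails."""
    blocked = []
    for node in nodes:
        wanted = required_ports(node["personas"], node.get("in_node_group", False))
        for port in sorted(wanted):
            if not probe(node["host"], port):
                blocked.append((node["host"], port, wanted[port]))
    return blocked


if __name__ == "__main__":
    for host, port, purpose in audit(SAMPLE_NODES):
        print(f"BLOCKED {host}:{port} ({purpose})")
```

A successful probe shows only that the firewall passes the connection and a listener answers; it does not show that the Cisco ISE service behind the port is healthy.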

Back up Cisco ISE configuration and operational data from the PAN

Obtain a backup of the Cisco ISE configuration and operational data from either the Command Line Interface (CLI) or the GUI. To back up the configuration and operational data using the CLI, enter this command:

backup backup-name repository repository-name {ise-config | ise-operational} encryption-key {hash | plain} encryption-keyname


Note


When Cisco ISE runs on VMware, VMware snapshots are not supported for backing up ISE data.

A VMware snapshot saves the status of a VM at a specific point in time. In a multi-node Cisco ISE deployment, all nodes continuously synchronize data with the current database. Restoring a snapshot might cause database replication and synchronization issues. Use the Cisco ISE backup functionality for data archival and restoration.

If you use VMware snapshots to back up Cisco ISE data, Cisco ISE services stop. To restore the ISE node, reboot it.


You can also obtain the configuration and operational data backup from the Cisco ISE Admin Portal. Ensure that you have created repositories that store the backup file. Do not use a local repository to back up data. You cannot back up the monitoring data in the local repository of a Remote Monitoring node. Do not use CD-ROM, HTTP, HTTPS, or TFTP repositories, because they are read-only or do not support file listing.

  1. Choose Administration > Maintenance > Backup and Restore.

  2. In the Cisco ISE GUI, click the Menu icon and choose Administration > Maintenance > Backup and Restore.

  3. Click Backup Now.

  4. Enter the values as required to perform a backup.

  5. Click OK.

  6. Verify that the backup completed successfully.

    Wait for the backup to finish before changing or promoting node roles. Changing node roles during backup shuts down all processes and may cause data inconsistencies.

After backup, verify the backup file exists in the specified repository. Cisco ISE appends the backup filename with a timestamp, and adds a CFG tag for configuration backups and an OPS tag for operational backups.


Note


Cisco ISE allows you to obtain a backup from an ISE node (A) and restore it on another ISE node (B), both having the same hostnames (but different IP addresses). However, after you restore the backup on node B, do not change the hostname of node B because it might cause issues with certificates and portal group tags.


Back up system logs from the PAN

Obtain a backup of the system logs from the PAN using the Command Line Interface (CLI). Use this CLI command:

backup-logs backup-name repository repository-name encryption-key {hash | plain} encryption-key name

CA certificate chain

Before upgrading to Cisco ISE release 3.2, ensure that the internal CA certificate chain is valid.

  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Authority Certificates.

  2. For each node in the deployment, select the certificate labeled Certificate Services Endpoint Sub CA in the Friendly Name column.

  3. Click View. Check that the "Certificate Status is Good" message is visible.

  4. If any certificate chain is broken, you must fix the issue before upgrading Cisco ISE. To view this window, click the Menu icon and choose Administration > System > Certificates > Certificate Management > Certificate Signing Requests > ISE Root CA.

Check certificate validity

If any certificate in the Cisco ISE Trusted Certificates or System Certificates store has expired, the upgrade fails. Ensure that you check the validity in the Expiration Date field of the Trusted Certificates and System Certificates windows (to view this window, click the Menu icon and choose Administration > System > Certificates > Certificate Management), and renew them before you upgrade.

Check the validity in the Expiration Date field of the certificates in the CA Certificates window (to view this window, click the Menu icon and choose Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates). Renew any expired certificates before you upgrade.

Delete a certificate

To delete an expired certificate, complete these steps:

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Management > System Certificates.

Step 2

Identify and select the certificate that has expired.

Step 3

Click Delete to remove the selected certificate.

Step 4

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Management > Trusted Certificates.

Step 5

Select the expired certificate.

Step 6

Click Delete.

Step 7

Choose Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates.

Step 8

Select the expired certificate.

Step 9

Click Delete.


Export certificates from all nodes

Export all local certificates and their private keys from every node in your deployment to a secure location. Record the configuration for each certificate, including the service with which it is used.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Management > System Certificates.

Step 2

Select the certificate and click Export.

Step 3

Select the Export Certificates and Private Keys radio button.

Step 4

Enter the Private Key Password and Confirm Password.

Step 5

Click Export.


Export certificates from Trusted Certificates Store

We recommend that you export all certificates from the Trusted Certificates Store of the PAN. Record the certificate configuration (what service the certificate was used for).

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Management > System Certificates.

Step 2

Select the certificate and click Export.

Step 3

Click Save File to export the certificate.

Step 4

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Certificates > Certificate Authority > Certificate Authority Certificates.

Step 5

Select the certificate and click Export.

Step 6

Select the Export Certificates and Private Keys radio button.

Step 7

Enter the Private Key Password and Confirm Password.

Step 8

Click Export.

Step 9

Click Save File to export the certificate.


Disable automatic failover and scheduled backups for upgrade

You cannot perform deployment changes when running a backup in Cisco ISE. Disable automatic configurations to ensure your upgrade goes smoothly. You should disable these configurations before you upgrade Cisco ISE:

  • PAN Automatic Failover: Disable this option in the PAN before upgrading Cisco ISE.

  • Scheduled backups: Disable all backup schedules before upgrading. After the upgrade, reschedule and recreate the backup schedules.

    Backups scheduled to run once are triggered every time the Cisco ISE application restarts. If you have a backup schedule set to run only once, disable it before upgrading.

Configure NTP server and verify availability

During upgrade, the Cisco ISE nodes reboot, migrate, and replicate data from the PAN to the secondary administration node. For these operations, it is important that the NTP server in your network is configured correctly and is reachable. If the NTP server is not set up correctly or is unreachable, the upgrade process fails.

Ensure that the NTP servers in your network are reachable, responsive, and synchronized throughout the upgrade process.

Earlier versions of Cisco ISE use chrony instead of the Network Time Protocol daemon (ntpd). Ntpd synchronizes with servers having a root dispersion up to 10 seconds, whereas chrony synchronizes with servers having a root dispersion of less than 3 seconds. Therefore, we recommend that you use an NTP server with low root dispersion before upgrading to the required Cisco ISE version to avoid NTP service disruption. For more information, see Troubleshoot ISE and NTP Server Synchronization Failures on Microsoft Windows.
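The root dispersion limit above can be measured from any host that can reach the NTP server. The following Python script is an added example, not Cisco code: it sends one SNTP client request, decodes the 48-byte reply header (RFC 5905 layout) and reports a server whose root dispersion is not below the 3-second chrony limit. The function names and the constructed sample reply are assumptions made for the illustration.

```python
"""Added example: check an NTP server's root dispersion against the chrony limit."""
import socket
import struct
import sys

# Limits quoted in the text above (seconds).
CHRONY_MAX_ROOT_DISPERSION = 3.0
NTPD_MAX_ROOT_DISPERSION = 10.0

# 48-byte NTP header (RFC 5905): flags, stratum, poll, precision,
# root delay, root dispersion, reference ID, four 64-bit timestamps.
_HEADER = struct.Struct("!BBbbII4s4Q")


def parse_ntp_header(packet: bytes) -> dict:
    """Decode the fields of an NTP reply that matter for server health."""
    if len(packet) < _HEADER.size:
        raise ValueError(f"NTP reply too short: {len(packet)} bytes")
    flags, stratum, _poll, _prec, delay, disp, _ref, *_ts = _HEADER.unpack(
        packet[: _HEADER.size]
    )
    return {
        "leap": flags >> 6,            # 3 = clock not synchronized
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,           # 4 = server reply
        "stratum": stratum,
        # Root delay and dispersion are unsigned 16.16 fixed-point seconds.
        "root_delay": delay / 65536,
        "root_dispersion": disp / 65536,
    }


def assess(header: dict, limit: float = CHRONY_MAX_ROOT_DISPERSION) -> list:
    """Return a list of problems; an empty list means the server is usable."""
    problems = []
    if header["mode"] != 4:
        problems.append(f"unexpected mode {header['mode']} (want 4, server)")
    if header["leap"] == 3:
        problems.append("leap indicator 3: server clock is unsynchronized")
    if header["stratum"] == 0 or header["stratum"] >= 16:
        problems.append(f"stratum {header['stratum']}: no valid time source")
    if header["root_dispersion"] >= limit:
        problems.append(
            f"root dispersion {header['root_dispersion']:.3f}s is not below {limit}s"
        )
    return problems


def query(server: str, port: int = 123, timeout: float = 5.0) -> dict:
    """Send one SNTP client request (LI=0, VN=4, Mode=3) and parse the reply."""
    request = b"\x23" + 47 * b"\x00"
    family, kind, proto, _, addr = socket.getaddrinfo(
        server, port, type=socket.SOCK_DGRAM
    )[0]
    with socket.socket(family, kind, proto) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, addr)
        reply, _ = sock.recvfrom(512)
    return parse_ntp_header(reply)


def build_sample_reply(stratum: int, root_dispersion: float, leap: int = 0) -> bytes:
    """Constructed server reply, used to exercise the parser offline."""
    flags = (leap << 6) | (4 << 3) | 4  # VN=4, Mode=4
    return _HEADER.pack(
        flags, stratum, 6, -20, 655, int(root_dispersion * 65536),
        b"GPS\x00", 0, 0, 0, 0,
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: pass the NTP server name or address as the argument.
        hdr = query(sys.argv[1])
    else:
        hdr = parse_ntp_header(build_sample_reply(stratum=3, root_dispersion=4.25))
    print(hdr)
    for line in assess(hdr) or ["OK: within the chrony limit"]:
        print(line)
```

Run it against each NTP server configured on the deployment; a server that passes with the 10-second ntpd limit but fails with the 3-second limit is the case the paragraph above describes.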

Upgrade virtual machine

Cisco ISE software must synchronize with the chip and appliance capacity to support the latest CPU and memory resources available in UCS hardware. As ISE versions progress, support for older hardware is phased out, and newer hardware is introduced.

Upgrade your virtual machine (VM) capacity to improve performance. Use OVA files when planning VM upgrades to install the software efficiently.

Each OVA file is a package that describes the VM and reserves the hardware resources needed to install Cisco ISE software on your appliance.

For more information about the VM and hardware requirements, see "Hardware and Virtual Appliance Requirements" in the Cisco Identity Services Engine Installation Guide.

Cisco ISE VMs need dedicated resources in the VM infrastructure. Cisco ISE needs an adequate number of CPU cores, similar to a hardware appliance, for performance and scale. Resource sharing affects performance, resulting in high CPU usage, delays in user authentications and registrations, dropped logs, slow reporting, and reduced dashboard responsiveness. This directly affects the experiences of end users and admin users within your enterprise.


Note


Use reserved resources for CPU, memory, and hard disk space during upgrades instead of shared resources.

Cisco ISE Release 2.4 and later requires a minimum disk size of 300 GB for virtual machines because the local disk allocation increases to 29 GB.


Record profiler configuration

If you use the Profiler service, record the profiler configuration for each Policy Service node from the Admin portal. Follow these steps to find the profiler configuration information.
  1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Deployment.

  2. Select the node.

  3. On the Edit Node page, go to the Profiling Configuration tab.

  4. Note the configuration information or capture screenshots.

Obtain Active Directory and internal administrator account credentials

If you use Active Directory as your external identity source, make sure you have your Active Directory credentials and a valid internal administrator account ready. After the upgrade, your Active Directory connection might be lost. If that happens, use your Cisco ISE internal administrator account to log in to the Admin portal and use your Active Directory credentials to rejoin Cisco ISE to Active Directory.

Activate MDM vendor before upgrade

If you use the MDM feature, ensure that the MDM vendor status is active before upgrading.

If an MDM server name is used in an authorization policy and the corresponding MDM server is disabled, the upgrade process fails. As a workaround, you can do one of these:

  1. Enable the MDM server before upgrade.

  2. Delete the condition that uses the MDM server name attribute from the authorization policy.

Create repository and copy the upgrade bundle

Create a repository to obtain backups and copy the upgrade bundle. For information on how to create a repository, see “Create Repositories” in the chapter “Maintain and Monitor” in the Cisco ISE Administrator Guide.

Use FTP for faster performance and reliability. Choose a local repository near your nodes instead of one on a slow WAN link.

Ensure your Internet connection to the repository is stable and reliable.


Note


If downloading the upgrade bundle from the repository to the node takes more than 35 minutes, the process times out. Poor Internet bandwidth causes this issue.

Place the upgrade bundle on the local disk to save time during the upgrade process. You can also use the application upgrade prepare <upgrade bundle name> <repository name> command to copy and extract the upgrade bundle on the local disk.


Note


  • Ensure your connection to the repository is fast and stable. If the upgrade bundle (about 9GB) takes more than 35 minutes to download to the node, the process will time out.

  • If you store configuration files on a local disk, these files are deleted during the upgrade. Create a Cisco ISE repository and copy them to the repository to keep your files.


Download the upgrade bundle from Cisco.com.

To upgrade to Cisco ISE release 3.2, use this upgrade bundle: ise-upgradebundle-2.x-to-3.2.0.xxx.SPA.x86_64.tar.gz

To perform the upgrade, copy the upgrade bundle to the Cisco ISE node local disk using this command:

copy repository_url/path/ise-upgradebundle-2.x-to-3.2.0.xxx.SPA.x86_64.tar.gz disk:/

For example, if you want to use SFTP to copy the upgrade bundle, you can do this:

  1. (Add the host key if it does not exist) crypto host_key add host mySftpserver

  2. copy sftp://aaa.bbb.ccc.ddd/ise-upgradebundle-2.x-to-3.2.0.xxx.SPA.x86_64.tar.gz disk:/

    aaa.bbb.ccc.ddd is the IP address or hostname of the SFTP server and ise-upgradebundle-2.x-to-3.2.0.xxx.SPA.x86_64.tar.gz is the name of the upgrade bundle.

Check the available disk space

Ensure that you allocate the required disk space for virtual machines. For more information, see Cisco ISE Installation Guide. If you need to increase the disk size, reinstall Cisco ISE and restore a configuration backup.

Check load balancer configuration

If you use a load balancer between the PAN and the Policy Service node (PSN), set the session timeout on the load balancer high enough so it does not disrupt the upgrade process. A session timeout that is too short can interrupt the upgrade on PSNs. For instance, if a session ends during a database transfer from the PAN to a PSN, the upgrade on the PSN fails.

Log retention and resizing MnT hard disk

Upgrading does not require changes to the MnT disk capacity. If your logs consistently reach capacity and you need additional hardware resources, plan the MnT hard disk size based on your log retention needs. Log retention capacity has increased significantly since Cisco ISE release 3.1.

You can activate collection filters (to view this window, click the Menu icon and choose Administration > System > Logging > Collection filters) to filter unnecessary logs from different devices. Unnecessary logs can overwhelm your Cisco ISE MnT.

For more information on collection filters, see the "Configure Collection Filters" section in the "Maintain & Monitor" chapter in the Cisco Identity Services Engine Administrator Guide.

Refer to the ISE storage requirements on the Cisco ISE Performance and Scalability community page. The table provides log retention information that is based on the number of endpoints for RADIUS and the number of network devices for TACACS+. Calculate log retention separately for TACACS+ and RADIUS.