Perform the Upgrade

Upgrade sequence of the nodes

You can upgrade Cisco ISE using the GUI (recommended), the backup and restore feature, or the CLI.

If you use the GUI (recommended) method to upgrade, you can select the order in which nodes are upgraded. Upgrade the nodes in this order to minimize downtime, maximize resiliency, and make rolling back easier.

Complete these tasks before starting the upgrade:

  • Back up all configuration and monitoring data.

  • Export the internal CA key and certificate chain.

  • Back up server certificates for all Cisco ISE nodes.

The upgrade process for nodes occurs in this order (PAN: Primary Administration Node; SAN: Secondary Administration Node; PSN: Policy Service Node; MnT: Monitoring node):

  1. SAN

    At this point, the PAN remains at the previous version and can be used for rollback if the upgrade fails.

  2. Primary Monitoring Node or Secondary Monitoring Node

    If you have a distributed deployment, upgrade the nodes available in the site with the SAN.

  3. PSNs

    If you are upgrading from an earlier Cisco ISE release to a recent release using the GUI, you can select a group of PSNs to be upgraded simultaneously. This will reduce the overall upgrade downtime.

    After upgrading a set of PSNs, verify the success of the upgrade (see Verify the upgrade process) and run network tests to ensure the new deployment works as expected. If the upgrade is successful, you can upgrade the next set of PSNs.

  4. Secondary Monitoring Node or Primary Monitoring Node

  5. PAN

    After upgrading the PAN, rerun upgrade verification and network tests.


    Note


    If the upgrade fails when registering the PAN, the system initiates a rollback and changes the node to standalone mode. Use the CLI to upgrade the node as a standalone. Then register it to the new deployment as a SAN.


After the upgrade, the SAN becomes the PAN, and the original PAN becomes the SAN. In the Edit Node window, click Promote to Primary to make the SAN the PAN, if needed.

If the administration nodes also have the monitoring persona, use the node sequence shown in this table.

Table 1. Node personas and their upgrade sequence

Each entry lists the node personas in the current deployment, followed by the upgrade sequence:

SAN/Primary Monitoring Node, PSN, PAN/Secondary Monitoring Node

  1. SAN/Primary Monitoring Node

  2. PSN

  3. PAN/Secondary Monitoring Node

SAN/Secondary Monitoring Node, PSN, PAN/Primary Monitoring Node

  1. SAN/Secondary Monitoring Node

  2. PSN

  3. PAN/Primary Monitoring Node

SAN, Primary Monitoring Node, PSN, PAN/Secondary Monitoring Node

  1. SAN

  2. Primary Monitoring Node

  3. PSN

  4. PAN/Secondary Monitoring Node

SAN, Secondary Monitoring Node, PSN, PAN/Primary Monitoring Node

  1. SAN

  2. Secondary Monitoring Node

  3. PSN

  4. PAN/Primary Monitoring Node

SAN/Primary Monitoring Node, PSN, Secondary Monitoring Node, PAN

  1. SAN/Primary Monitoring Node

  2. PSN

  3. Secondary Monitoring Node

  4. PAN

SAN/Secondary Monitoring Node, PSNs, Primary Monitoring Node, PAN

  1. SAN/Secondary Monitoring Node

  2. PSN

  3. Primary Monitoring Node

  4. PAN
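The ordering rules above, and the co-located-persona rows of Table 1, are mechanical enough to encode. The following planner is an added example, not Cisco code: given the personas on each node it emits the upgrade steps (SAN first, the Monitoring node in the SAN's site next, PSNs in batches, the remaining Monitoring node, PAN last) and raises the "No SAN in the Deployment" condition described just below. The `site` attribute and the `psn_batch_size` parameter are assumptions of this example; the page only says to batch PSNs and, for the split upgrade, to keep iterations to 15 nodes or fewer. When no site data is given the primary MnT is taken before the PSNs, which is also an assumption.

```python
"""Upgrade-order planner for a Cisco ISE deployment.

Added illustration, not Cisco code. It encodes the ordering rules stated on
this page: SAN first, then the Monitoring node in the SAN's site, then PSNs
in batches, then the remaining Monitoring node, then the PAN, with the
co-located-persona rows of Table 1 handled the same way the table does.
"""
from dataclasses import dataclass

PAN, SAN, PSN, PMNT, SMNT = "PAN", "SAN", "PSN", "PMNT", "SMNT"
ADMIN = {PAN, SAN}
MNT = {PMNT, SMNT}


@dataclass(frozen=True)
class Node:
    name: str
    personas: frozenset
    site: str = ""  # assumed attribute: site/data-center label, "" if unknown


def node(name, *personas, site=""):
    return Node(name, frozenset(personas), site)


def _at_most_one(nodes, persona):
    hits = [n for n in nodes if persona in n.personas]
    if len(hits) > 1:
        raise ValueError(f"more than one node carries the {persona} persona")
    return hits[0] if hits else None


def plan_upgrade(nodes, psn_batch_size=15):
    """Return the upgrade plan as a list of steps; each step is a list of node
    names upgraded together. psn_batch_size is caller-chosen; 15 is the
    per-iteration maximum this page recommends for the split upgrade."""
    nodes = list(nodes)
    if psn_batch_size < 1:
        raise ValueError("psn_batch_size must be at least 1")
    san = _at_most_one(nodes, SAN)
    if san is None:
        raise ValueError("No SAN in the Deployment")  # the GUI's error text
    pan = _at_most_one(nodes, PAN)
    if pan is None:
        raise ValueError("No PAN in the Deployment")

    # Dedicated MnT nodes carry a Monitoring persona but no admin persona.
    dedicated_mnt = [n for n in nodes
                     if n.personas & MNT and not n.personas & ADMIN]
    psns = [n for n in nodes
            if PSN in n.personas and not n.personas & (ADMIN | MNT)]

    # Table 1: if the SAN already carries an MnT persona, every dedicated MnT
    # is upgraded after the PSNs. Otherwise the MnT in the SAN's site (or, if
    # site data is missing, the primary MnT) goes before the PSNs and any
    # other dedicated MnT after them.
    before_psns, after_psns = [], []
    if dedicated_mnt and not san.personas & MNT:
        same_site = [n for n in dedicated_mnt
                     if san.site and n.site == san.site]
        first = same_site[0] if same_site else (
            _at_most_one(dedicated_mnt, PMNT) or dedicated_mnt[0])
        before_psns = [first]
        after_psns = [n for n in dedicated_mnt if n is not first]
    else:
        after_psns = dedicated_mnt

    plan = [[san.name]]
    plan += [[n.name] for n in before_psns]
    plan += [[n.name for n in psns[i:i + psn_batch_size]]
             for i in range(0, len(psns), psn_batch_size)]
    plan += [[n.name] for n in after_psns]
    plan.append([pan.name])  # the PAN is always last
    return plan


if __name__ == "__main__":
    # Constructed deployment: two sites, dedicated MnT nodes, three PSNs.
    deployment = [
        node("ise-pan", PAN, site="dc1"), node("ise-san", SAN, site="dc2"),
        node("ise-mnt1", PMNT, site="dc1"), node("ise-mnt2", SMNT, site="dc2"),
        node("ise-psn1", PSN), node("ise-psn2", PSN), node("ise-psn3", PSN),
    ]
    for i, step in enumerate(plan_upgrade(deployment, psn_batch_size=2), 1):
        print(f"step {i}: {', '.join(step)}")
```

Run it against your own node list before the maintenance window and compare the output with the order you intend to select in the wizard; a deployment with no SAN, or with two nodes claiming the same admin persona, is rejected before any upgrade starts.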

You will get an error message "No SAN in the Deployment" under these circumstances:

  • There is no SAN in the deployment.

  • The SAN is down.

  • The SAN is upgraded and moved to the upgraded deployment. This occurs when you use the Refresh Deployment Details option after upgrading the SAN.

To resolve this issue, complete one of these tasks:

  • If the deployment does not have a SAN, configure a SAN and retry upgrade.

  • If the SAN is down, bring up the node and retry the upgrade.

  • If the SAN is upgraded and moved to the upgraded deployment, use the CLI to manually upgrade the other nodes in the deployment.

Choose your upgrade method

You can choose an upgrade process based on your technical expertise and the time available for the upgrade. This release of Cisco ISE supports these upgrade processes:

  • Upgrade using the GUI (recommended)

  • Upgrade using backup and restore (limited to Cisco ISE release 3.2 patch 2)

  • Upgrade using the CLI

This table compares Cisco ISE upgrade methods.

Table 2. Cisco ISE upgrade method comparison

Process type
  • GUI (recommended): Long
  • Backup and restore (limited to Cisco ISE release 3.2 patch 2): Fast
  • CLI: Longer

Administration required
  • GUI (recommended): Less
  • Backup and restore: More
  • CLI: More

Difficulty level
  • GUI (recommended): Easy
  • Backup and restore: Hard
  • CLI: Moderate

VMs
  • GUI (recommended): Each PSN is upgraded in parallel.
  • Backup and restore: If there is enough capacity, new VMs can be prestaged and joined immediately to the new PAN.
  • CLI: Each PSN is upgraded individually, but several can be upgraded in parallel.

Upgrade time
  • GUI (recommended): Less (each PSN is upgraded in parallel).
  • Backup and restore: Least (PSNs are imaged with the new version instead of being upgraded).
  • CLI: Less (each PSN is upgraded in parallel).

Personnel required
  • GUI (recommended): Fewer manual interventions, because the upgrade process is automated.
  • Backup and restore: Stakeholders from multiple business units transfer configuration settings and operational logs.
  • CLI: Technical expertise on Cisco ISE is required.

Rollback options
  • GUI (recommended): Easy
  • Backup and restore: Difficult (requires reimaging of the nodes)
  • CLI: Easy

Upgrade using the GUI (recommended)

Overview

Starting with Cisco ISE release 3.2 patch 3, upgrading through the GUI is the recommended method.

You can also upgrade Cisco ISE from the GUI in a single click with some customizable options. In the Cisco ISE GUI, click the Menu icon and choose ISE Administration > Upgrade. Create a new repository to download the upgrade bundle.


Note


This method is not supported on cloud platforms such as Oracle Cloud Infrastructure (OCI), Amazon Web Services (AWS), and Azure Cloud Services.


Why upgrade using the GUI (recommended)

This method is recommended if you are upgrading from Cisco ISE release 3.2 patch 3 or later.

Here is why you should upgrade using the GUI (recommended) method:

  • During the upgrade, the secondary PAN is moved into the upgraded deployment automatically and is upgraded first, followed by the primary MnT. If either of these upgrades fails, the node is rolled back to the previous version and rejoins the previous Cisco ISE deployment. You can select multiple PSNs in a batch and upgrade them simultaneously.

  • If an upgrade fails, you can choose to continue or stop the upgrade. This leaves the same Cisco ISE deployment running on two versions, so you can troubleshoot before the upgrade continues. Once all PSNs are upgraded, the secondary MnT and primary PAN are upgraded and joined to the new Cisco ISE deployment.

  • Because this upgrade process requires limited technical expertise, a single administrator can start the upgrade. You can then assign NOC or SOC engineers to monitor and report the upgrade status or open a TAC case.

Advantages

Upgrading from Cisco ISE release 3.2 patch 3 or a later version using the GUI method offers these advantages:

  • The upgrade is automated with minimal intervention.

  • You can choose the upgrade order of the PSNs to ensure continuity whenever possible, especially when redundancy is available between data centers.

  • A single administrator can execute the upgrade without assistance from additional personnel, third-party hypervisors, or network access devices.

Key considerations before the upgrade

You should consider these points before upgrading from Cisco ISE release 3.2 patch 3 or a later version using the GUI (recommended) method.

  • Continuation in failure scenarios: If an upgrade fails, you can choose to continue or stop the upgrade. This leaves the same Cisco ISE deployment running on two versions, so you can troubleshoot before the upgrade continues. The Cisco Upgrade Readiness Tool (URT) should flag incompatibilities and misconfigurations, but if you check the Proceed field without acting on its findings, you may encounter additional errors during the upgrade.

  • Rollback mechanism: If an upgrade fails on a PAN or MnT node, the node is automatically rolled back. If a PSN fails to upgrade, it remains on its current Cisco ISE version and can be repaired, at the cost of reduced redundancy. Cisco ISE stays operational during this time, so rollback options are limited without reimaging.

  • Time required: Each PSN takes around 90-120 minutes to upgrade. When you upgrade a large number of PSNs sequentially, the process takes a significant amount of time. Upgrading in batches reduces the overall time required.

Best practices for the upgrade process

Here is the list of best practices for upgrading from Cisco ISE release 3.2 patch 3 or a later version using the GUI (recommended) method:
  • If you have a large number of PSNs, group them into batches. Upgrade each batch separately.

  • Cisco ISE offers a GUI-based centralized upgrade from the Admin portal. The upgrade process is much simplified, and the progress of the upgrade and the status of the nodes are displayed on the screen.

  • Begin the upgrade only when the nodes are in the active state.

    In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade > Overview. This window lists all the nodes in your deployment, the personas enabled on each node, the Cisco ISE version installed, and the status of each node (active or inactive).

GUI-based upgrade options

Depending on your deployed Cisco ISE, you can select one of these options in the Administration > System > Upgrade > Upgrade Selection page to upgrade your Cisco ISE deployment:

  • Full upgrade

  • Split upgrade


Note


Consider these pointers when upgrading Cisco ISE using GUI-based upgrade options:

  • In Cisco ISE release 3.2 and later, you must use both the URT and UI prechecks with the Split Upgrade method. For the Full Upgrade method, only UI prechecks are required.

  • Although these GUI upgrade methods are available from earlier releases onwards, you must run at least Cisco ISE 2.7 patch 4 to upgrade to Cisco ISE 3.2 and later.

  • Do not install or roll back a patch on any node using the CLI while another upgrade is in progress through the GUI or CLI upgrade options.


Full upgrade

Full upgrade is a multistep process that
  • upgrades all Cisco ISE nodes simultaneously

  • completes faster than the split upgrade process

  • makes the application services unavailable, because all nodes are upgraded in parallel

  • is supported for all the latest Cisco ISE releases.

To upgrade Cisco ISE using Full upgrade option, complete these steps:
  1. Start the upgrade

  2. Initiate prechecks

  3. Start the staging process

Start the upgrade

To start the upgrade for your Cisco ISE deployment, complete these steps:

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade.

Step 2

In the Upgrade Selection window, click Full Upgrade. Next, click Start Upgrade.

Step 3

Click Next in the Welcome window to start the upgrade workflow.

Step 4

To avoid any blockers or downtime during the upgrade process, complete all the tasks listed in the Checklist window.

Step 5

Click Print Checklist (optional) to download the checklist for your reference.

Step 6

Check the I have reviewed the checklist check box after you have verified the items listed in the upgrade checklist. Click Next.

The Prepare to Upgrade window appears.


Initiate prechecks

Follow these steps to initiate the prechecks for your Cisco ISE deployment:

Procedure

Step 1

From the Repository drop-down list, choose the repository where your upgrade bundle is stored.

Step 2

From the Bundle drop-down list, choose the upgrade bundle.

Step 3

All the patch releases are listed in the Patch drop-down list. Choose the patch for the Cisco ISE release to which you are upgrading.

Step 4

Click Start Preparation to validate all the Cisco ISE components and to generate a report for your deployment.

During the upgrade process, Cisco ISE performs several checks.

Precheck list

Description

Repository Validation

Checks whether the repository is configured for all nodes.

Bundle Download

Downloads and prepares the upgrade bundle for all nodes.

Memory Check

Checks whether 25 percent memory space is available on the PAN or standalone node, and one GB memory space is available in all the other nodes.

PAN Failover Validation

Checks if PAN high-availability is enabled. Before you start the upgrade, you will receive a notification that PAN high availability will be disabled.

Scheduled Backup Check

Checks whether the scheduled backup is enabled.

Note


This check is not mandatory for the upgrade process.

Config Backup Check

Checks whether the configuration backup was completed recently. You can only start the upgrade process after you complete the backup.

Configuration Data Upgrade

Upgrades the configuration data on the database clone and creates an upgraded data dump. This check starts after you download the bundle.

Platform Support Check

Checks if your deployment uses supported platforms. The system verifies that hardware includes at least 12-core CPUs, a 300-GB hard disk, and 16-GB memory, and that you use ESXi version 6.5 or later.

Deployment Validation

Checks if the deployment node is in sync or still in progress.

DNS Resolvability

Verifies that both forward and reverse lookups for host name and IP address are working correctly.

Trust Store Certificate Validation

Checks if the trust store certificate is valid or expired.

System Certificate Validation

Checks if each node’s system certificate is properly validated.

Disk Space Check

Checks if the hard disk has enough free space so you can continue the upgrade process.

NTP Reachability and Time Source Check

Checks if you configured NTP and verifies the time source is an NTP server.

Load Average Check

Checks the system load average over the one-, five-, and 15-minute windows.

Services or Process Failures

Shows you whether the service or application is running or has failed.

If a component is inactive or has failed, the system displays it in red. You will receive troubleshooting suggestions. Depending on the criticality of the component failure, you can proceed with the upgrade process, or you must resolve the issue before continuing.

Field

Description

Refresh Failed Checks

This option refreshes only the failures highlighted in red. You must resolve these failures before performing an upgrade. Warnings highlighted in orange do not prevent the upgrade, but they may affect Cisco ISE functionality later. Click the Refresh icon next to each warning to update the checks after resolving issues.

Expand to Show

Click this icon to see additional information about each node and its status.

Information

Click this icon to see more information about each component.

Download Report

Click this option to get a copy of the generated reports.

Cisco ISE displays the estimated time required to stage and upgrade your deployment. The calculation uses these factors:

  • Network speed

  • Node configuration, including the number of processors, RAM, and hard disk.

  • Database data size

  • Time taken by the node to start the application server.

Note


All the prechecks, except the Bundle Download and Configuration Data Upgrade checks, expire automatically three hours after system validation is initiated.


Start the staging process

Follow these steps to start the staging process for your Cisco ISE deployment:

Procedure

Step 1

After you complete the prechecks for all nodes, click Start Staging to begin the staging process.

During upgrade staging, the system copies the upgraded database file to all nodes. The system also backs up configuration files for each node.

If upgrade staging on a node is successful, the system displays it in green. If upgrade staging fails for a node, the system displays it in red and provides troubleshooting suggestions.

Click the Refresh Failed Nodes icon to reinitiate the upgrade staging for the failed nodes.

Step 2

Click Next to proceed to the Upgrade Nodes window.

The Upgrade Nodes window shows the overall upgrade progress and the status for each node in your deployment.

Step 3

Click Start to initiate the upgrade process.

Just before the upgrade procedure completes, the system displays the message:

The system is about to upgrade. Logging out.

Step 4

Click OK to proceed.

Note


You can log in to the secondary PAN again to monitor the progress of the upgrade.

Use the secondary PAN dashboard to monitor the primary PAN upgrade status. After you upgrade the primary PAN, use the primary PAN dashboard to monitor all Cisco ISE nodes.

An active Cisco ISE Tier License is required to monitor the upgrade process. The Cisco ISE Evaluation License is sufficient to view the upgrade process. You can view and monitor the upgrade process only if an active license is present. For more information, see "Licensing" in the Cisco ISE Administrator Guide, Release 3.3.

Note

To view the Summary window later, do not click the Exit Wizard option in this window.

Step 5

Click Next in the Upgrade Nodes window to check whether all the nodes are upgraded successfully.

If any nodes fail, a dialog box displays information about the failed nodes.

Step 6

Click OK in the dialog box to deregister the failed nodes from the deployment.

After completing the upgrade process, view and download the diagnostic upgrade reports for your deployment in the Summary window. Verify and download the upgrade summary reports containing details such as
  • Checklist

  • Prepare to Upgrade

  • Upgrade Report, and

  • System Health checklist items.


Split upgrade from the GUI

Split upgrade is a multistep process that
  • upgrades your Cisco ISE deployment while other services remain available to you

  • may require you to update the network or load balancers so that nodes remain available for authentication

  • can limit downtime by dividing nodes into batches and upgrading each batch in sequence

  • might take longer than a full upgrade

  • can be used for upgrading from Cisco ISE release 3.2 patch 3 and later to Cisco ISE release 3.3 and later.

A new split upgrade framework was introduced in Cisco ISE release 3.2 patch 3 and later releases to improve stability and reduce downtime.

The new split upgrade workflow provides these advantages:

  • Prechecks are completed before the upgrade proceeds to the next phase.

  • The data upgrade occurs during the precheck phase. This process reduces the upgrade time and prevents the system from becoming unusable due to data upgrade issues.

  • You can select PSNs and MnT nodes during the first iteration with the secondary PAN or during the last iteration with the primary PAN. The selected MnT nodes can be primary or secondary.

  • If you select PSNs and MnT nodes in the same iteration, they are upgraded simultaneously, which further reduces upgrade time.

To upgrade Cisco ISE using the Split Upgrade, complete these steps:

  1. Prepare for upgrade

  2. Initiate preparation

  3. Start staging

Prepare for upgrade

Follow these steps to prepare for Split Upgrade:

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade.

Step 2

In the Upgrade Selection window, click Split Upgrade. A warning message appears. The message states that the Precheck Report will be cleared if the upgrade type is changed to Split Upgrade. It also states that ISE Services will continue to work during the Precheck Execution and Staging Nodes stages. Click OK to continue.

Step 3

Click Start Upgrade.

Step 4

Click Let's Do It in the Welcome window to start the upgrade workflow.

Step 5

Complete all the tasks listed in the Checklist window to avoid delay or downtime during the upgrade process.

Step 6

(Optional) Click Print Checklist to download the checklist for your reference.

Step 7

After you have verified the items listed in the upgrade checklist, check the I have reviewed the checklist check box. Then click Next.

The Node Selection window appears.

Step 8

Check the check boxes next to the nodes that you want to upgrade in the current iteration.

Note

  • The secondary PAN is selected by default in the first iteration of the upgrade. The primary PAN cannot be selected during the first iteration or in subsequent iterations until all other nodes are upgraded or selected for upgrade. For the first iteration, you may select the primary MnT, the secondary MnT, and any number of PSNs.

  • If nodes other than the secondary PAN are selected in the first iteration, the upgrade occurs in two batches. The secondary PAN is upgraded in the first batch. The remaining selected nodes are then upgraded simultaneously in the second batch.

  • The PSNs and MnT nodes can be upgraded in parallel in any iteration.

  • It is recommended that you select 15 nodes or fewer per iteration during the upgrade process.

Step 9

Click Next.

The Prepare to Upgrade window opens.
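The node-selection rules in the note under Step 8 (secondary PAN always in the first iteration and upgraded in its own batch, primary PAN selectable only once every other node is upgraded or selected, PSNs and MnT nodes upgradeable together, 15 nodes or fewer per iteration) can be checked before you click through the wizard. The checker below is an added example, not Cisco code; it assumes a `Node` record with a name and persona set, treats the primary PAN as the final batch of the last iteration (consistent with the node order at the top of this page, but its placement in its own batch is an assumption), and reports the 15-node limit as a warning rather than an error, since the page describes it as a recommendation.

```python
"""Split-upgrade iteration checker for Cisco ISE.

Added illustration, not Cisco code. It applies the node-selection rules this
page gives for the split upgrade wizard to a proposed selection and returns
the batches that iteration would run.
"""
from dataclasses import dataclass

PAN, SAN, PSN, PMNT, SMNT = "PAN", "SAN", "PSN", "PMNT", "SMNT"


@dataclass(frozen=True)
class Node:
    name: str
    personas: frozenset


def node(name, *personas):
    return Node(name, frozenset(personas))


def _single(nodes, persona):
    hits = [n for n in nodes if persona in n.personas]
    if len(hits) != 1:
        raise ValueError(f"deployment must have exactly one {persona} node")
    return hits[0]


def plan_iteration(nodes, upgraded, selected, max_per_iteration=15):
    """Return (batches, warnings) for one split-upgrade iteration.

    nodes:     all Node objects in the deployment
    upgraded:  names already moved to the new deployment (empty on iteration 1)
    selected:  names ticked in the Node Selection window
    Raises ValueError for a selection the wizard would not allow.
    """
    nodes = list(nodes)
    names = {n.name for n in nodes}
    san, pan = _single(nodes, SAN), _single(nodes, PAN)
    upgraded, selected = set(upgraded), set(selected)
    warnings = []

    unknown = selected - names
    if unknown:
        raise ValueError(f"unknown nodes selected: {sorted(unknown)}")
    redo = selected & upgraded
    if redo:
        raise ValueError(f"already upgraded: {sorted(redo)}")

    first_iteration = not upgraded
    if first_iteration:
        selected.add(san.name)  # secondary PAN is selected by default
        if pan.name in selected:
            raise ValueError("primary PAN cannot be selected in the first iteration")
    elif san.name not in upgraded:
        raise ValueError("secondary PAN must be upgraded in the first iteration")

    if pan.name in selected:
        pending = names - upgraded - selected  # neither done nor picked
        if pending:
            raise ValueError("primary PAN can be selected only when all other "
                             f"nodes are upgraded or selected; pending: {sorted(pending)}")

    if len(selected) > max_per_iteration:
        warnings.append(f"{len(selected)} nodes selected; this page recommends "
                        f"{max_per_iteration} or fewer per iteration")

    # Batch order: SAN alone (iteration 1), then PSNs and MnT nodes together,
    # then the primary PAN on its own (assumption: PAN closes the upgrade).
    batches = []
    if san.name in selected:
        batches.append([san.name])
    middle = sorted(selected - {san.name, pan.name})
    if middle:
        batches.append(middle)
    if pan.name in selected:
        batches.append([pan.name])
    return batches, warnings


if __name__ == "__main__":
    # Constructed deployment walked through two iterations.
    dep = [node("pan", PAN), node("san", SAN), node("mnt1", PMNT),
           node("mnt2", SMNT), node("psn1", PSN), node("psn2", PSN)]
    done = set()
    for pick in ({"mnt1", "psn1"}, {"mnt2", "psn2", "pan"}):
        batches, warns = plan_iteration(dep, done, pick)
        print(batches, warns)
        done |= {n for b in batches for n in b}
```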


Initiate preparation

Follow these steps to initiate preparation for Split Upgrade:

Procedure

Step 1

From the Repository drop-down list, choose the repository in which your upgrade bundle is stored.

Note


If you use an SFTP repository, add the crypto host key on all nodes using the CLI.

Step 2

From the Bundle drop-down list, choose the upgrade bundle.

All the patch releases are listed in the Patch drop-down list. Choose the latest patch for the Cisco ISE release you are upgrading to.

Step 3

Click Start Preparation to validate all the Cisco ISE components and to generate a report for your deployment.

Cisco ISE checks the following during the upgrade process.

Note

  • The Bundle Download is triggered on all the selected nodes, including the primary PAN during the first iteration. During later iterations, it is triggered only for the selected nodes.

  • The Scheduled Backup Check and Config Backup Check happens only in the first iteration.

Precheck List

Description

Repository Validation

Checks whether the repository is configured for all the nodes.

Bundle Download

Downloads and prepares the upgrade bundle for all the nodes.

Memory Check

Checks whether 25 percent of memory space is available on the PAN or standalone node, and 1 GB of memory space is available in all the other nodes.

Patch Bundle Download

Downloads the patch bundle for the selected nodes.

PAN Failover Validation

Checks whether PAN high availability is enabled.

You receive a notification that PAN high availability will be disabled before the upgrade begins.

Scheduled Backup Check

Checks whether the scheduled backup is enabled.

Note


This check is not mandatory for the upgrade process.

Config Backup Check

Verify that you have completed a configuration backup recently. The upgrade runs only after you complete the backup.

Configuration Data Upgrade

Runs the configuration data upgrade on the configuration database clone and creates the upgraded data dump. This check starts after the bundle download.

Platform Support Check

Checks the supported platforms in the deployment. It checks whether the system has at least 12-core CPUs, a 300-GB hard disk, and 16-GB memory. It also checks whether the ESXi version is 6.5 or later.

Deployment Validation

Checks the state of each deployment node (whether it is in sync or in progress).

DNS Resolvability

Checks the forward and reverse lookup of host names and IP addresses.

Trust Store Certificate Validation

Checks whether the trust store certificate is valid or has expired.

System Certificate Validation

Checks the system certificate validation for each node.

Disk Space Check

Checks whether the hard disk has enough free space to continue with the upgrade process.

NTP Reachability and Time Source Check

Checks whether NTP is configured in the system and whether the time source is from the NTP server.

Load Average Check

Checks the system load at specified intervals: one minute, five minutes, or 15 minutes.

Services or Process Failures

Indicates the state of the service or application (whether it is running or in a failed state).

If any of the components are inactive or have failed, they are displayed in red. You will receive troubleshooting suggestions. If the failed component is critical to the upgrade, resolve the issue before continuing. Otherwise, you may proceed with the upgrade.

Field

Description

Refresh Failed Checks

This option refreshes only the failures highlighted in red. You must fix these failures before performing an upgrade. Warnings highlighted in orange do not stop the upgrade but may affect Cisco ISE functions after the upgrade. Click the Refresh icon next to each warning message to refresh these checks after resolving the issues.

Expand to Show

Click this icon to see additional information about each node and its status.

Information

Click this icon to view details about each component.

Download Report

Click this option to get a copy of the generated reports.

You can view the estimated time for the upgrade. The system determines the estimated upgrade time using

  • Cisco ISE installation time

  • Node hardware specifications: number of processors, RAM, and hard disk

  • Data size in database, and

  • Time taken by the node to start the application server.

Note


All the prechecks, except the Bundle Download and Configuration Data Upgrade checks, expire automatically after three hours of initiating the system validation.

Local prechecks are run on all nodes during the first iteration. However, in subsequent iterations, these checks are run only on the selected nodes.
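The DNS Resolvability precheck in both precheck tables on this page (Full upgrade and Split upgrade) is described as a forward and reverse lookup of each node's host name and IP address. The function below is an added example, not Cisco code, that performs the same consistency check from any workstation with the standard library, so it can be run well before the three-hour precheck window. The resolver functions are parameters that default to `socket.gethostbyname_ex` and `socket.gethostbyaddr`; the `FAKE_A`, `FAKE_PTR` records and the `example.test` host names are constructed so the check can be exercised offline.

```python
"""Forward/reverse DNS precheck for Cisco ISE nodes.

Added illustration, not Cisco code. Each node passes only if its FQDN resolves
to the expected IP and that IP resolves back to the FQDN (case-insensitive,
trailing dot ignored); every other outcome is reported as a finding.
"""
import socket


def check_dns(fqdn, ip, forward=socket.gethostbyname_ex,
              reverse=socket.gethostbyaddr):
    """Return a list of findings; an empty list means the node passes.

    forward(fqdn) -> (canonical_name, aliases, [ip, ...])
    reverse(ip)   -> (name, aliases, [ip, ...])
    Both follow the socket module's signatures and raise OSError on failure.
    """
    findings = []
    fqdn_l = fqdn.rstrip(".").lower()
    try:
        _, _, ips = forward(fqdn)
    except OSError as e:
        findings.append(f"{fqdn}: forward lookup failed ({e})")
        ips = []
    if ips and ip not in ips:
        findings.append(f"{fqdn}: forward lookup returned {ips}, expected {ip}")
    try:
        name, aliases, _ = reverse(ip)
    except OSError as e:
        findings.append(f"{ip}: reverse lookup failed ({e})")
        return findings
    candidates = {n.rstrip(".").lower() for n in [name, *aliases]}
    if fqdn_l not in candidates:
        findings.append(f"{ip}: reverse lookup returned {sorted(candidates)}, "
                        f"expected {fqdn_l}")
    return findings


def check_deployment(nodes, **resolvers):
    """nodes: iterable of (fqdn, ip). Returns {fqdn: findings} for failing nodes."""
    failing = {}
    for fqdn, ip in nodes:
        findings = check_dns(fqdn, ip, **resolvers)
        if findings:
            failing[fqdn] = findings
    return failing


# Constructed records for offline use (not real hosts). 10.0.0.12 has no PTR
# record on purpose, so its reverse lookup fails.
FAKE_A = {"ise-pan.example.test": ["10.0.0.10"],
          "ise-psn1.example.test": ["10.0.0.11"],
          "ise-psn2.example.test": ["10.0.0.12"]}
FAKE_PTR = {"10.0.0.10": "ise-pan.example.test",
            "10.0.0.11": "ise-psn1.example.test"}


def fake_forward(name):
    key = name.rstrip(".").lower()
    if key not in FAKE_A:
        raise socket.gaierror(f"no A record for {name}")
    return key, [], FAKE_A[key]


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(f"no PTR record for {ip}")
    return FAKE_PTR[ip], [], [ip]


if __name__ == "__main__":
    nodes = [(fqdn, ips[0]) for fqdn, ips in FAKE_A.items()]
    for fqdn, findings in check_deployment(nodes, forward=fake_forward,
                                           reverse=fake_reverse).items():
        print(fqdn, findings)
```

Against a live deployment, call `check_deployment` with the node list from Administration > System > Deployment and leave the resolver parameters at their defaults; a missing PTR record or a stale A record shows up here as the same failure the wizard would flag in red.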


Start staging

Follow these steps to start the staging process:

Procedure

Step 1

After completing the prechecks for all nodes, click Start Staging to begin the staging process.

The Upgrade Staging window opens.

During upgrade staging, the upgraded database file is copied to all nodes in the iteration. The system also backs up the configuration files on those nodes.

If upgrade staging on a node is successful, a green indicator appears. If upgrade staging fails for a particular node, a red indicator appears. Troubleshooting suggestions are provided as well.

Click the Refresh Failed Nodes icon to reinitiate the upgrade staging for the failed nodes.

Step 2

Click Next to proceed to the Upgrade Nodes window.

In the Upgrade Nodes window, you can see the overall upgrade progress and the status for each node in your deployment.

Step 3

Click Start to initiate the upgrade process.

The upgrade progress can be monitored from the secondary PAN GUI when the primary PAN is getting upgraded, and from the primary PAN GUI when the secondary PAN is getting upgraded.

Note


To monitor the upgrade process, you must have an active Cisco ISE Tier License. To view the upgrade process, the Cisco ISE Evaluation License is sufficient. If no active licenses are present, you cannot view or monitor the upgrade process. For more information on Cisco ISE licenses, see the chapter "Licensing" in the Cisco ISE Administrator Guide for your release.

If you click the Exit Wizard option in this window, you will not be able to view the Summary window later.

Step 4

Click Next in the Upgrade Nodes window to check whether all the nodes are upgraded successfully.

If there are any failed nodes, a dialog box with information about the failed nodes is displayed.

Step 5

Click Finish in the Summary window.

You are redirected to the Node Selection window, so that you can select the nodes for the next iteration.

Step 6

Continue with the next iteration by using the same sequence until all the nodes are upgraded.

The Configuration Data Dump Generation precheck is run instead of the Configuration Data Upgrade precheck in all the iterations of the process, except the first.

You do not need to upgrade all nodes in a deployment during the split upgrade process. You may stop after any number of iterations. However, you must then clear the upgrade tables in the new deployment from the CLI: enter application configure ise from the admin shell and choose the option that resets the upgrade tables.

After the upgrade process is completed, you can view and download the diagnostic upgrade reports for your deployment in the Summary window. The upgrade summary reports include details such as the old and new personas of the upgraded nodes, the prechecks performed, and the Checklist and Prepare to Upgrade items.

If you have carried out the Cisco ISE split upgrade, the secondary PAN is promoted to the primary PAN in the process. In the Cisco ISE administration portal, choose Administration > Licensing. In the Cisco Smart Licensing area, click Update. A licensing alarm appears in your Cisco ISE until you update your licenses.


Upgrade using backup and restore (limited to Cisco ISE release 3.2 patch 2)

Overview

The backup and restore method is recommended for releases up to and including Cisco ISE release 3.2 patch 2.

Reimaging of the Cisco ISE node is performed during initial deployment and troubleshooting. For upgrades to Cisco ISE release 3.2 patch 2 or earlier, you may also reimage the Cisco ISE node to upgrade a deployment, which allows restoration of the policy onto the new deployment after the new version is installed.

If resources are limited and the new deployment cannot support a parallel Cisco ISE node, the Secondary PAN and MnT are removed from the production deployment and upgraded before other nodes. The nodes are then moved into the new deployment. A configuration and operational backup from the previous deployment is restored on the respective nodes, creating a parallel deployment. This process restores policy sets, custom profiles, network access devices, and endpoints to the new deployment without manual intervention.

Why upgrade using backup and restore method

Cisco recommends the backup and restore method for releases up to and including Cisco ISE release 3.2 patch 2. This procedure starts by creating configuration and operational backups of the existing Cisco ISE deployment and then applying them to the new deployment.

This method helps reinstate your current Cisco ISE deployment node settings and prevents data loss if any issues occur during the upgrade.

Advantages

Upgrading Cisco ISE using the backup and restore method (recommended up to Cisco ISE release 3.2 patch 2) offers these advantages:

  • You can restore the configuration settings and the operational logs from the previous Cisco ISE deployment, which prevents data loss.

  • You can select which nodes to reuse for the new deployment.

  • You can upgrade multiple PSNs in parallel, reducing the upgrade downtime.

  • You can stage the nodes outside maintenance windows, reducing the upgrade time during production.

Key considerations before the upgrade

Review these considerations before upgrading Cisco ISE using the backup and restore method (recommended up to Cisco ISE release 3.2 patch 2).

  • Resources required: The backup and restore upgrade process requires additional resources. Reserve these resources for the new deployment before you begin. If you reuse existing hardware, you must balance the additional load across the nodes that remain online, so evaluate the current load and latency limits before deployment to confirm that the remaining nodes can each support more users.

  • Personnel required: You will need resources from multiple business units to perform the upgrade. These units include network administration, security administration, data center, and virtualization teams. In addition, you must rejoin the node to the new deployment, restore certificates, rejoin to Active Directory, and wait for policy synchronization. These actions can lead to multiple reloads and require a timeframe similar to that of a net-new deployment.

  • Rollback mechanism: When you reimage the nodes, all information and configuration settings from the previous deployment are erased. Therefore, the rollback mechanism for a backup and restore upgrade follows the same procedure as reimaging the nodes again.

Best practices for the upgrade process

This section presents best practices for upgrading Cisco ISE using the backup and restore method (recommended up to Cisco ISE release 3.2 patch 2).

  • Create a standalone environment or dedicate load balancers that switch the virtual IP address for RADIUS requests.

  • You can start the deployment process well before the maintenance window. Then, point the user load balancer to the new deployment.

  • If you use RSA SecurID Identity Sources, when you add a new PSN, you must generate a new configuration file with all the PSNs at the primary instance of your RSA Authentication Manager.


    Note


    To avoid generating a new RSA configuration every time you add a new PSN, you must know the IP address of all the nodes that you are going to add to the deployment before starting the backup and restore process. Then, you must generate the RSA configuration file using all the IP addresses and upload it to the PAN UI.


Generate and import RSA configuration file

Follow these steps to generate and import the RSA configuration file:

  1. Generate the Authentication Manager configuration file at your primary RSA Authentication Manager Security Console instance, with all the IP addresses of all the nodes, including those that are not in the deployment.

  2. Import the new configuration file to PAN UI.


    Note


    You must clear the node secret on your RSA Authentication Manager before uploading the new RSA configuration file. This helps to create a new node secret and share it between Cisco ISE and your RSA Authentication Manager.


  3. Add a new node to the deployment without generating a new configuration file as it is replicated as part of the configuration using the IP addresses that are already present in the imported configuration file.

Process overview

This section presents upgrade steps for Cisco ISE when using the backup and restore method.

  1. Deregister a node: To remove a node from the deployment, deregister the node. For more information about node deregistration or removal, see "Remove a Node from Deployment" section in the Cisco ISE Administrator Guide, Release 3.3.

  2. Reimage a node: To reimage a Cisco ISE node, first remove it from the deployment, then install Cisco ISE. For more information about Cisco ISE installation, see the "Install Cisco ISE" chapter in Cisco ISE Administrator Guide, Release 3.3.

    Apply the latest patch to the newly installed Cisco ISE release.

  3. Back up and restore: Back up and restore the configuration or operational database. For more information about the backup and restore operations, see the "Backup and Restore Operations" section in the Cisco ISE Administrator Guide, Release 3.3.

  4. Assign primary or secondary roles to a node: Assign a primary or secondary role to a node as required. For more information about how to assign a role to a Monitoring and Troubleshooting (MnT) node, see the "Manually Modify MnT Role" section in the Cisco ISE Administrator Guide, Release 3.3.

  5. Join the Policy Service Nodes: To join a Policy Service Node (PSN) to the new deployment, register the node as a PSN. For more information about registering or joining a PSN, see the "Register a Secondary Cisco ISE Node" section in the Cisco ISE Administrator Guide, Release 3.3.


    Note


    After you upgrade Cisco ISE using the backup and restore method, you must manually sync all the nodes in the deployment.


  6. Import certificates: Import the system certificates to the newly deployed nodes in Cisco ISE. For more information about how to import system certificates to a Cisco ISE node, see the "Import a System Certificate" section in the Cisco ISE Administrator Guide, Release 3.3.

Upgrade process

If you are currently using Cisco ISE release 3.0 or later, you can directly upgrade to Cisco ISE release 3.3.

If you are using a Cisco ISE version from which a direct upgrade to Cisco ISE release 3.3 is not supported, you must:
  1. first upgrade to an intermediate version that supports a direct upgrade to Cisco ISE release 3.3, and then

  2. upgrade from the intermediate version to Cisco ISE release 3.3.

Follow these steps to upgrade to an intermediate Cisco ISE version.
Stage 1: Upgrade secondary PAN and secondary MnT nodes to Cisco ISE release 3.0, 3.1 or 3.2
Before you begin

Restore backup from your existing Cisco ISE to the intermediate Cisco ISE release. If you do not want to retain the older reporting data, skip steps 4 to 6.

Procedure

Step 1

Deregister secondary PAN node.

Step 2

Reimage the deregistered secondary PAN node to the intermediate Cisco ISE release, as a standalone node. After the installation, make this node the PAN in the new deployment.

Step 3

Restore Cisco ISE configuration from the backup data.

Step 4

Deregister secondary MnT node.

Step 5

Reimage the deregistered secondary MnT node to the intermediate Cisco ISE release as a standalone node.

Step 6

Assign the primary role to this MnT node and restore the operational backup from the backup repository. This is an optional step and needs to be performed only if you need to report on the older logs.

Step 7

Import ise-https-admin CA certificates from your original Cisco ISE backup repository.


Stage 2: Upgrade secondary PAN and MnT nodes to Cisco ISE release 3.3
Procedure

Step 1

Back up your Cisco ISE configuration settings and operational logs.

Step 2

Deregister the secondary PAN node.

Step 3

Reimage your deregistered secondary PAN node to Cisco ISE release 3.3.

Step 4

Restore Cisco ISE configuration from the backup data and make this node the primary node for your new deployment.

Step 5

Import ise-https-admin CA certificates from the backup for this node, unless you are using wildcard certificates.

Step 6

Deregister secondary MnT node.

Step 7

Reimage the deregistered Secondary MnT node to Cisco ISE release 3.3.

Step 8

Restore your current Cisco ISE operational backup and add the node as the primary MnT for your new deployment.

Perform this optional step only if you need to generate reports from the older logs.


Stage 3: Join PSNs to Cisco ISE release 3.3
If you have Cisco ISE nodes deployed in multiple sites, then you must
  1. join the PSNs at the site containing secondary PAN and MnT nodes

  2. join PSNs at the other sites, and then

  3. join the PSNs at the site that has primary PAN and MnT nodes of your existing Cisco ISE.

Perform these steps to join PSNs to Cisco ISE release 3.3:

Procedure

Step 1

Deregister the PSNs.

Step 2

Reimage PSN to Cisco ISE release 3.3 latest patch and join PSN to new Cisco ISE release 3.3 deployment.


What to do next

We recommend that you test your partially upgraded deployment at this point. You can do so by checking that logs are present and that the upgraded nodes function as expected.

Stage 4: Upgrade Primary PAN and MnT to Cisco ISE release 3.3

Follow these steps to upgrade Primary PAN and MnT to the new Cisco ISE release:

Procedure

Step 1

Reimage the Primary MnT node and join it as the Secondary MnT to the new deployment.

To preserve data for reporting, restore an operational backup to the Secondary MnT node.

Step 2

Reimage the Primary PAN node and join it as the Secondary PAN to the new deployment.


Upgrade using the CLI

Overview

To upgrade Cisco ISE from the CLI, download the upgrade image to the local node, execute the upgrade, and monitor each node individually throughout the process. While the upgrade sequence is similar to that of the GUI upgrade, this approach is operationally intensive in terms of monitoring and actions.

Upgrading Cisco ISE from the CLI can be complex. Use CLI upgrades only for troubleshooting, as this method requires significant effort.

Advantages of upgrading using this method

The advantages of upgrading Cisco ISE from the CLI are:

  • CLI presents additional logging messages to the administrator while the upgrade is performed.

  • You can choose which nodes to upgrade with more control and upgrade them in parallel. Nodes not being upgraded handle additional load because endpoints are rebalanced across the deployment.

  • You can easily roll back at the CLI because you can instruct scripts to undo previous changes.

  • Because the image resides locally on the node, copy errors between the PAN and the PSNs are eliminated.

Key considerations before the upgrade

You should consider these points before upgrading Cisco ISE using the CLI method.

  • Upgrading Cisco ISE using the CLI requires technical expertise and additional time.

  • The CLI upgrade procedure depends on the deployment type (standalone, two-node, or distributed).

Upgrade a standalone node

To upgrade a standalone node, use either of these two methods:
  • Enter this command directly:
    application upgrade <upgrade bundle name> <repository name>
  • Enter these two commands in the specified order:
    application upgrade prepare <upgrade bundle name> <repository name>
    application upgrade proceed

You can run the application upgrade <upgrade bundle name> <repository name> command from the CLI on a standalone node that assumes the Administration, Policy Service, pxGrid, and Monitoring personas. Copy the upgrade bundle from the remote repository to the local disk of the Cisco ISE node before running the command. Saving the upgrade bundle to the local disk reduces the time required for the upgrade.

You can also upgrade a standalone node by completing these steps:
  • Run this command to download the upgrade bundle and extract it locally:
    application upgrade prepare <upgrade bundle name> <repository name>

    This command copies the upgrade bundle from the remote repository to the local disk of Cisco ISE node.

  • Run this command after preparing the node for upgrade to complete the process successfully:
    application upgrade proceed

Run the application upgrade prepare <upgrade bundle name> <repository name> and application upgrade proceed commands as described in this section.

Before you begin

Ensure that you have read the instructions in the "Prepare for Upgrade" chapter in this guide.

Procedure

Step 1

Enter this command in the CLI:

application upgrade prepare <upgrade bundle name> <repository name>  

Step 2

Log in via SSH and use the show application status ise command to view the progress of the upgrade.

This message appears: % NOTICE: Identity Services Engine upgrade is in progress...

Step 3

Enter the application upgrade proceed command.


Upgrade a two-node deployment

Use these two commands to upgrade a two-node deployment:
  1. application upgrade prepare <upgrade bundle name> <repository name>
  2. application upgrade proceed

You do not have to manually deregister the node and register it again. The upgrade software automatically deregisters the node and adds it to the new deployment.

When you upgrade a two-node deployment, begin by upgrading only the SAN (node B). After the secondary node upgrade is complete, upgrade the primary node (node A). If you have a deployment set up as shown in this figure, you can proceed with this upgrade procedure.
Figure 1. Cisco ISE two-node administrative deployment
Before you begin
  • Perform a manual backup of the configuration and operational data from the PAN.

  • Enable the Administration and Monitoring personas on both nodes in your deployment.

    If only the PAN has the Administration persona enabled, enable the Administration persona on the secondary node. You must upgrade the SAN first.

    If your two-node deployment has only one Administration node, deregister the secondary node. Each node operates as a standalone node. Upgrade each standalone node, then set up your deployment again after the upgrade.

  • If only one node has the Monitoring persona enabled, enable the Monitoring persona on the other node before you continue.

Procedure

Step 1

Upgrade the secondary node (node B) from the CLI.

The upgrade process automatically removes Node B from deployment and upgrades it. Node B becomes the upgraded primary node when it restarts.

Step 2

Upgrade node A.

The upgrade process automatically registers node A to the deployment and makes it the secondary node in the upgraded environment.

Step 3

Promote node A to the primary node in the new deployment, if needed.

After the upgrade is complete, if the nodes contain old Monitoring logs, run this command and choose 5 (Refresh Database Statistics) on the nodes.
application configure ise

Upgrade a distributed deployment

You must first upgrade the SAN to the new release. For example, if you have a deployment setup as shown in this figure, with one PAN, one SAN, four PSNs, one Primary Monitoring Node (MnT1), and one Secondary Monitoring Node (MnT2), you can proceed with this upgrade procedure.

Figure 2. Cisco ISE deployment before upgrade

Note


Do not manually deregister the node before an upgrade. Use these commands to upgrade to the new release:
  1. application upgrade prepare <upgrade bundle name> <repository name>

  2. application upgrade proceed

The upgrade process deregisters the node automatically and moves it to the new deployment. If you manually deregister the node before upgrading, ensure you have the PAN license file before starting the upgrade. If you do not have the file (such as when a Cisco partner vendor installed your license), contact the Cisco Technical Assistance Center.


Follow these steps for a smooth upgrade while maintaining deployment integrity and minimizing downtime.

Before you begin
  • If you do not have a SAN in the deployment, configure a PSN to be the SAN before beginning the upgrade process.

  • Ensure that you have read and complied with the instructions given in the Prepare for Upgrade chapter of this guide (Cisco ISE Upgrade Journey, Release 3.3).

  • When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution (both forward and reverse lookups) is mandatory; otherwise, the upgrade fails.
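
The DNS requirement above is the one pre-check that can be scripted ahead of the maintenance window. The following Python example is added here and is not part of the original page or of Cisco ISE: it runs on an administrator workstation (the Cisco ISE CLI does not run scripts) and confirms that every node in an inventory resolves forward (FQDN to address) and reverse (address back to the same FQDN). The hostnames and addresses in NODES are a constructed inventory, and make_table_resolvers is a test aid that replaces the real resolver with static tables so the check can be exercised offline.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory for this example; the names and addresses are assumptions,
# not values from the original page. Keys are node FQDNs, values are their IPs.
NODES: Dict[str, str] = {
    "ise-pan.example.local": "10.0.0.11",
    "ise-san.example.local": "10.0.0.12",
    "ise-mnt1.example.local": "10.0.0.21",
    "ise-psn1.example.local": "10.0.0.31",
}


def system_forward(fqdn: str) -> str:
    """Forward lookup (name -> address) through the workstation's resolver."""
    return socket.gethostbyname(fqdn)


def system_reverse(ip: str) -> str:
    """Reverse lookup (address -> canonical name) through the workstation's resolver."""
    return socket.gethostbyaddr(ip)[0]


def check_dns(nodes: Dict[str, str],
              forward: Callable[[str], str] = system_forward,
              reverse: Callable[[str], str] = system_reverse) -> List[str]:
    """Return one line per problem found. An empty list means every node resolves
    forward to the inventory address and that address resolves back to the node name."""
    problems: List[str] = []
    for fqdn, ip in nodes.items():
        try:
            got_ip = forward(fqdn)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            problems.append(f"{fqdn}: forward lookup failed ({exc})")
            got_ip = None
        if got_ip is not None and got_ip != ip:
            problems.append(f"{fqdn}: forward lookup returned {got_ip}, inventory says {ip}")
        try:
            got_name = reverse(ip)
        except OSError as exc:  # socket.herror is an OSError subclass
            problems.append(f"{ip}: reverse lookup failed ({exc})")
            continue
        # PTR answers may be returned with a trailing dot or different case.
        if got_name.rstrip(".").lower() != fqdn.lower():
            problems.append(f"{ip}: reverse lookup returned {got_name}, expected {fqdn}")
    return problems


def make_table_resolvers(a_records: Dict[str, str],
                         ptr_records: Dict[str, str]) -> Tuple[Callable[[str], str], Callable[[str], str]]:
    """Build resolver callables from static tables (test aid; raises the same
    exception types the socket module raises on a missing record)."""
    def forward(fqdn: str) -> str:
        try:
            return a_records[fqdn]
        except KeyError:
            raise socket.gaierror(f"no A record for {fqdn}")

    def reverse(ip: str) -> str:
        try:
            return ptr_records[ip]
        except KeyError:
            raise socket.herror(f"no PTR record for {ip}")

    return forward, reverse


if __name__ == "__main__":
    # Live run against the real resolver: prints nothing when all nodes are consistent.
    for problem in check_dns(NODES):
        print(problem)
```

Run it once against the real resolver before every node upgrade, not just the first one: a missing or stale PTR record for a single PSN is enough to make that node's upgrade fail.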

Procedure

Step 1

Upgrade the SAN from the CLI

  • Initiate the upgrade from the CLI on the SAN node.

  • The upgrade process automatically deregisters SAN from the old deployment and upgrades it.

  • Upon restart, SAN becomes the primary node of the new deployment.

  • Each deployment requires at least one Monitoring node; therefore, the upgrade enables the Monitoring persona on SAN, even if it was not previously enabled.

  • If the Policy Service persona was enabled on SAN in the old deployment, it is retained after upgrade.

Step 2

Upgrade a Monitoring node (MnT1 and MnT2)

  • Upgrade one Monitoring node to the new deployment.

  • If the PAN in the old deployment also serves as the Primary Monitoring node, you cannot upgrade the Primary Monitoring node before the Secondary Monitoring node. Otherwise, upgrade the Primary Monitoring node first.

  • The Primary Monitoring node begins collecting logs from the new deployment, accessible via the PAN dashboard.

  • If only one Monitoring node exists in the old deployment, enable the Monitoring persona on PAN before upgrading it.

    Note

     

    Changing node personas causes a Cisco ISE application restart; wait for the node to come back online before proceeding.

  • Upgrading the Monitoring node takes longer due to operational data migration.

  • If the PAN in the new deployment did not have the Monitoring persona enabled previously, disable it on that node, which also triggers an application restart.

Step 3

Upgrade PSNs

  • Next, upgrade the PSNs.

  • Multiple PSNs can be upgraded in parallel, but upgrading all simultaneously may cause network downtime.

  • After upgrade, PSNs register with the new deployment's primary node (SAN).

  • PSNs retain their personas, node group assignments, and profiling probe configurations.

Step 4

Upgrade the second Monitoring node (if applicable)

  • If a second Monitoring node exists in the old deployment:
    • Enable the Monitoring persona on PAN (primary node in the old deployment). This is required as each deployment must have at least one Monitoring node. Persona changes cause an application restart; wait for the node to come back online.

    • Upgrade the Secondary Monitoring node to the new deployment.

    • Ensure all nodes except the PAN have been upgraded before this step.

Step 5

Upgrade the PAN

  • Upgrade the PAN last.

  • After upgrade, PAN joins the new deployment as a SAN.

  • You can promote this SAN to Primary node if needed.

  • Post-upgrade, if the Monitoring nodes contain old logs, run this command:

    application configure ise

  • Select option 5 (Refresh Database Statistics) on those nodes.
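
The two-node and distributed procedures above are two instances of the same ordering rules: the SAN goes first, one Monitoring node next, PSNs in batches (never all at once), the remaining Monitoring node only after the PAN can carry the Monitoring persona, and the PAN last. The following Python example is added here and is not Cisco code: it encodes those rules as a planner that takes a node inventory and emits the ordered list of CLI upgrades and persona changes. The Node class, the action vocabulary and figure2_deployment are assumptions of the example; the personas and node names match the deployment described for Figure 2.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(eq=False)
class Node:
    name: str
    admin: Optional[str] = None       # "primary" (PAN), "secondary" (SAN) or None
    monitoring: Optional[str] = None  # "primary", "secondary" or None
    policy: bool = False              # Policy Service persona


Action = Tuple[str, Tuple[str, ...]]  # (verb, target names)


def plan_cli_upgrade(nodes: List[Node], psn_batch: int = 2) -> List[Action]:
    """Order the per-node CLI upgrades of one deployment so that: the SAN goes first,
    one MnT next (primary first, unless the PAN itself holds the primary MnT persona),
    PSNs in batches of psn_batch but never all at once, the remaining MnT after the
    PAN has a Monitoring persona, and the PAN last. The old deployment always keeps
    at least one node with the Monitoring persona until the PAN itself is upgraded."""
    pans = [n for n in nodes if n.admin == "primary"]
    if len(pans) != 1:
        raise ValueError("a deployment has exactly one PAN")
    pan = pans[0]
    sans = [n for n in nodes if n.admin == "secondary"]
    if len(sans) > 1:
        raise ValueError("a deployment has at most one SAN")

    actions: List[Action] = []
    original_mnts = tuple(n.name for n in nodes if n.monitoring)
    old = list(nodes)  # nodes still registered to the old deployment

    san = sans[0] if sans else None
    if san is None:
        # "Before you begin": without a SAN, make a PSN the SAN first.
        san = next((n for n in nodes if n.policy and n is not pan), None)
        if san is None:
            raise ValueError("no PSN available to take the SAN role")
        actions.append(("enable-persona", (san.name, "Administration")))
        san.admin = "secondary"

    def upgrade(*targets: Node) -> None:
        for t in targets:
            old.remove(t)
        actions.append(("upgrade", tuple(t.name for t in targets)))

    def keep_one_mnt_in_old(leaving: Node) -> None:
        # Each deployment needs a Monitoring node: enable it on the PAN before the
        # last MnT leaves the old deployment (this restarts the application on the PAN).
        if not any(n.monitoring for n in old if n is not leaving):
            if pan.monitoring is None:
                actions.append(("enable-persona", (pan.name, "Monitoring")))
                pan.monitoring = "secondary"

    san_had_mnt = san.monitoring is not None
    upgrade(san)  # Step 1: the SAN becomes the primary node of the new deployment

    # Step 2: dedicated MnTs, primary first. A PAN that is also the primary MnT is
    # excluded here (it is upgraded last), so the secondary MnT goes first in that case.
    mnts = [n for n in old if n.monitoring and n.admin is None]
    mnts.sort(key=lambda n: n.monitoring != "primary")
    if mnts:
        first = mnts.pop(0)
        keep_one_mnt_in_old(first)
        upgrade(first)
        if not san_had_mnt:
            # The upgrade forced the Monitoring persona onto the SAN; switch it off again.
            actions.append(("disable-persona", (san.name, "Monitoring")))

    # Step 3: PSNs in parallel batches, but never every PSN at the same time.
    psns = [n for n in old if n.policy and n.admin is None and n.monitoring is None]
    batch = max(1, min(psn_batch, len(psns) - 1)) if len(psns) > 1 else 1
    for i in range(0, len(psns), batch):
        upgrade(*psns[i:i + batch])

    # Step 4: the remaining MnT(s), once the PAN can carry the Monitoring persona.
    for m in mnts:
        keep_one_mnt_in_old(m)
        upgrade(m)

    upgrade(pan)  # Step 5: the PAN joins the new deployment as the SAN
    if original_mnts:
        # Post-upgrade: application configure ise, option 5 (Refresh Database Statistics)
        actions.append(("refresh-db-stats", original_mnts))
    return actions


def figure2_deployment() -> List[Node]:
    """The deployment of Figure 2: PAN, SAN, four PSNs, MnT1 (primary), MnT2 (secondary)."""
    return [Node("PAN", admin="primary"), Node("SAN", admin="secondary"),
            Node("PSN1", policy=True), Node("PSN2", policy=True),
            Node("PSN3", policy=True), Node("PSN4", policy=True),
            Node("MnT1", monitoring="primary"), Node("MnT2", monitoring="secondary")]


if __name__ == "__main__":
    for verb, targets in plan_cli_upgrade(figure2_deployment()):
        print(f"{verb:16s} {', '.join(targets)}")
```

For the Figure 2 deployment the planner produces: upgrade SAN; upgrade MnT1; disable Monitoring on the SAN; upgrade PSN1 and PSN2; upgrade PSN3 and PSN4; enable Monitoring on the PAN; upgrade MnT2; upgrade the PAN; refresh database statistics on MnT1 and MnT2. Feeding it the two-node deployment (both nodes with Administration and Monitoring) yields just "upgrade B, upgrade A", and a PAN that also holds the primary Monitoring persona is correctly left until last, with the secondary MnT taken first.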


Verify the upgrade process

After completing the upgrade, it is important to verify that your deployment is functioning correctly. Run network tests to confirm that you can authenticate and access network resources as expected.

If the upgrade fails due to configuration database issues, the system will automatically roll back the changes.

Use these options to verify that the upgrade was successful.

Procedure

Step 1

Check the upgrade progress by reviewing the ade.log file. Use this command from the Cisco ISE CLI to display the log:

show logging system ade/ADE.log.?

You can filter the log for upgrade steps with the help of the keyword STEP. The log entries will show progress similar to the following:

  • info:[application:install:upgrade:preinstall.sh] STEP 0: Running pre-checks
  • info:[application:operation:preinstall.sh] STEP 1: Stopping ISE application...
  • info:[application:operation:preinstall.sh] STEP 2: Verifying files in bundle...
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 3: Validating data before upgrade...
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 4: De-registering node from current deployment.
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 5: Taking backup of the configuration data...
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 6: Registering this node to primary  of new deployment...
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 7: Downloading configuration data from primary  of new deployment...
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 8: Importing configuration data...
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 9: Running ISE configuration data upgrade for node specific data...
  • info:[application:operation:isedbupgrade-newmodel.sh] STEP 10: Running ISE M&T database upgrade...
  • info:[application:install:upgrade:post-osupgrade.sh] POST ADEOS UPGRADE STEP 1: Upgrading Identity Services Engine software... 
  • info:[application:operation:post-osupgrade.sh] POST ADEOS UPGRADE STEP 2: Importing upgraded data to 64 bit database...

Search the log for this string to confirm a successful upgrade:

    Upgrade of Identity Services Engine completed successfully.

Step 2

Verify the build version by entering this command:

show version

Step 3

Confirm that all Cisco ISE services are running by entering this command:

show application status ise
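
When an upgrade stalls, the question is which STEP it reached, and answering it by eye across several nodes' ADE.log files is error-prone. The following Python example is added here and is not part of the original page or of Cisco ISE: it scans ADE.log lines, tracks the highest STEP and POST ADEOS UPGRADE STEP reached, and reports whether the success string was logged. SAMPLE_LOG reuses the STEP messages quoted above; the timestamp prefix on each line is constructed for the example, as is the helper name summarize_upgrade_log. Collect the log with backup-logs or show logging system and run this on a workstation.

```python
import re
from typing import Dict, Iterable, List, Optional

STEP_RE = re.compile(r"(?P<phase>POST ADEOS UPGRADE )?STEP (?P<num>\d+): (?P<msg>.*)")
SUCCESS = "Upgrade of Identity Services Engine completed successfully."

# The STEP messages are the ones quoted in this section; the timestamp prefix and
# the final success line are constructed for this example.
SAMPLE_LOG = """\
2025-03-01 02:10:07 info:[application:install:upgrade:preinstall.sh] STEP 0: Running pre-checks
2025-03-01 02:10:09 info:[application:operation:preinstall.sh] STEP 1: Stopping ISE application...
2025-03-01 02:11:30 info:[application:operation:preinstall.sh] STEP 2: Verifying files in bundle...
2025-03-01 02:12:02 info:[application:operation:isedbupgrade-newmodel.sh] STEP 3: Validating data before upgrade...
2025-03-01 02:12:40 info:[application:operation:isedbupgrade-newmodel.sh] STEP 4: De-registering node from current deployment.
2025-03-01 02:13:11 info:[application:operation:isedbupgrade-newmodel.sh] STEP 5: Taking backup of the configuration data...
2025-03-01 02:15:58 info:[application:operation:isedbupgrade-newmodel.sh] STEP 6: Registering this node to primary of new deployment...
2025-03-01 02:16:20 info:[application:operation:isedbupgrade-newmodel.sh] STEP 7: Downloading configuration data from primary of new deployment...
2025-03-01 02:17:05 info:[application:operation:isedbupgrade-newmodel.sh] STEP 8: Importing configuration data...
2025-03-01 02:19:44 info:[application:operation:isedbupgrade-newmodel.sh] STEP 9: Running ISE configuration data upgrade for node specific data...
2025-03-01 02:20:12 info:[application:operation:isedbupgrade-newmodel.sh] STEP 10: Running ISE M&T database upgrade...
2025-03-01 02:41:33 info:[application:install:upgrade:post-osupgrade.sh] POST ADEOS UPGRADE STEP 1: Upgrading Identity Services Engine software...
2025-03-01 02:55:01 info:[application:operation:post-osupgrade.sh] POST ADEOS UPGRADE STEP 2: Importing upgraded data to 64 bit database...
2025-03-01 03:02:48 info:[application:install:upgrade] Upgrade of Identity Services Engine completed successfully.
"""


def summarize_upgrade_log(lines: Iterable[str]) -> Dict[str, object]:
    """Scan ADE.log lines and report how far the upgrade got.

    last_step / last_post_step are the highest step numbers seen in the two
    phases (None if that phase never started); last_message is the text of the
    most recent STEP line; completed is True once the success string appears."""
    summary: Dict[str, object] = {
        "last_step": None, "last_post_step": None, "last_message": None, "completed": False,
    }
    for line in lines:
        match = STEP_RE.search(line)
        if match:
            key = "last_post_step" if match.group("phase") else "last_step"
            summary[key] = int(match.group("num"))
            summary["last_message"] = match.group("msg").strip()
        if SUCCESS in line:
            summary["completed"] = True
    return summary


def stalled_at(summary: Dict[str, object]) -> Optional[str]:
    """Where a run stopped, for an operator; None when the upgrade completed."""
    if summary["completed"]:
        return None
    if summary["last_post_step"] is not None:
        return f"post-ADEOS step {summary['last_post_step']}: {summary['last_message']}"
    if summary["last_step"] is not None:
        return f"step {summary['last_step']}: {summary['last_message']}"
    return "no upgrade STEP entries found"


def summarize_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a saved ADE.log copy."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_upgrade_log(fh)


if __name__ == "__main__":
    result = summarize_upgrade_log(SAMPLE_LOG.splitlines())
    print(result)
    print("stalled at:", stalled_at(result))
```

A run that ends before the success string is the case to act on: a last_step of 4 or 5 means the node was deregistered from the old deployment but never registered to the new one, which is the situation the rollback section below addresses.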


Roll back to the previous version

In rare cases where you need to reimage your Cisco ISE appliance, you should use the previous ISO image and restore the data from the backup file. After restoring the data, you can register the appliance with the earlier deployment. Enable the personas as they were in the previous deployment. It is important to back up the Cisco ISE configuration and monitoring data before starting the upgrade process.

Upgrade failures sometimes occur due to issues in the configuration and monitoring database. In these cases, the system does not roll back automatically. When this happens, the system displays a notification indicating that the database was not rolled back and provides an upgrade failure message. You must then manually reimage your system, install Cisco ISE, and restore the configuration data and, if the Monitoring persona is enabled, the monitoring data.

Before performing rollback or recovery, generate a support bundle using the backup-logs command and save it in a remote repository. This support bundle can be used for troubleshooting and submitted to Cisco Technical Assistance Center (TAC) if needed.