Upgrade sequence of the nodes

You can upgrade Cisco ISE using the GUI, the backup and restore feature, or the CLI.

If you use the GUI method to upgrade, you can select the order in which nodes are upgraded. Upgrade the nodes in this order to minimize downtime, maximize resiliency, and make rolling back easier.

Complete these tasks before starting the upgrade:

  • Back up all configuration and monitoring data.
  • Export the internal CA key and certificate chain.
  • Back up server certificates for all Cisco ISE nodes.

The upgrade process for nodes occurs in this order:

  1. SAN: At this point, the PAN remains at the previous version and can be used for rollback if the upgrade fails.
  2. Primary Monitoring Node or Secondary Monitoring Node: If you have a distributed deployment, upgrade the nodes available in the site with the SAN.
  3. PSNs: After upgrading a set of PSNs, verify the success of the upgrade (see Verify the upgrade process) and run network tests to ensure the new deployment works as expected. If the upgrade is successful, you can upgrade the next set of PSNs.
  4. Secondary Monitoring Node or Primary Monitoring Node
  5. PAN: After upgrading the PAN, rerun upgrade verification and network tests.

     Note: If the upgrade fails when registering the PAN, the system initiates a rollback and changes the node to standalone mode. Use the CLI to upgrade the node as a standalone. Then register it to the new deployment as a SAN.

After the upgrade, the SAN becomes the PAN, and the original PAN becomes the SAN. In the Edit Node window, click Promote to Primary to make the SAN the PAN, if needed.

If the administration nodes also have the monitoring persona, use the node sequence shown in this table.

Node personas and their upgrade sequence

| Node personas in the current deployment | Upgrade sequence |
| --- | --- |
| SAN/Primary Monitoring Node, PSN, PAN/Secondary Monitoring Node | 1. SAN/Primary Monitoring Node; 2. PSN; 3. PAN/Secondary Monitoring Node |
| SAN/Secondary Monitoring Node, PSN, PAN/Primary Monitoring Node | 1. SAN/Secondary Monitoring Node; 2. PSN; 3. PAN/Primary Monitoring Node |
| SAN, Primary Monitoring Node, PSN, PAN/Secondary Monitoring Node | 1. SAN; 2. Primary Monitoring Node; 3. PSN; 4. PAN/Secondary Monitoring Node |
| SAN, Secondary Monitoring Node, PSN, PAN/Primary Monitoring Node | 1. SAN; 2. Secondary Monitoring Node; 3. PSN; 4. PAN/Primary Monitoring Node |
| SAN/Primary Monitoring Node, PSN, Secondary Monitoring Node, PAN | 1. SAN/Primary Monitoring Node; 2. PSN; 3. Secondary Monitoring Node; 4. PAN |
| SAN/Secondary Monitoring Node, PSNs, Primary Monitoring Node, PAN | 1. SAN/Secondary Monitoring Node; 2. PSN; 3. Primary Monitoring Node; 4. PAN |

You will get an error message "No SAN in the Deployment" under these circumstances:

  • There is no SAN in the deployment.
  • The SAN is down.
  • The SAN is upgraded and moved to the upgraded deployment. This occurs when you use the Refresh Deployment Details option after upgrading the SAN.

To resolve this issue, complete one of these tasks:

  • If the deployment does not have a SAN, configure a SAN and retry the upgrade.
  • If the SAN is down, bring up the node and retry the upgrade.
  • If the SAN is upgraded and moved to the upgraded deployment, use the CLI to manually upgrade the other nodes in the deployment.
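
The ordering rules above, including the combined-persona table and the "No SAN in the Deployment" condition, written as a change-window planner. This is an added example, not Cisco code: the persona codes (PMN, SMN), the Node fields, plan_upgrade, the hostnames and the site labels are assumptions made for the illustration, and it does not talk to Cisco ISE.

```python
from dataclasses import dataclass

MONITORING = {"PMN", "SMN"}  # constructed codes: Primary/Secondary Monitoring Node

@dataclass(frozen=True)
class Node:
    name: str
    personas: frozenset      # subset of {"PAN", "SAN", "PMN", "SMN", "PSN"}
    site: str = "dc1"        # constructed site label
    up: bool = True

def plan_upgrade(nodes, psn_set_size=2):
    """Return [(stage, [node names])] in the order described on this page."""
    san = next((n for n in nodes if "SAN" in n.personas), None)
    pan = next((n for n in nodes if "PAN" in n.personas), None)
    if san is None or not san.up:
        # The upgrade cannot start without a reachable SAN.
        raise ValueError("No SAN in the Deployment")
    if pan is None:
        raise ValueError("deployment has no PAN")
    rest = [n for n in nodes if n not in (san, pan)]
    mon = [n for n in rest if n.personas & MONITORING]
    psns = [n for n in rest if "PSN" in n.personas and not n.personas & MONITORING]
    early, late = [], mon
    if mon and not san.personas & MONITORING:
        # SAN has no monitoring persona: one monitoring node is upgraded
        # before the PSNs, preferring the one at the SAN's site.
        first = next((n for n in mon if n.site == san.site), mon[0])
        early, late = [first], [n for n in mon if n is not first]
    plan = [("SAN", [san.name])]
    plan += [("Monitoring Node", [n.name]) for n in early]
    for i in range(0, len(psns), psn_set_size):
        names = [n.name for n in psns[i:i + psn_set_size]]
        plan.append(("PSN set, then verify", names))
    plan += [("Monitoring Node", [n.name]) for n in late]
    plan.append(("PAN, then verify", [pan.name]))
    return plan

# Constructed two-site deployment (hostnames and sites are made up).
SAMPLE = [
    Node("ise-pan", frozenset({"PAN"}), "dc1"),
    Node("ise-san", frozenset({"SAN"}), "dc2"),
    Node("ise-pmn", frozenset({"PMN"}), "dc1"),
    Node("ise-smn", frozenset({"SMN"}), "dc2"),
    *(Node(f"ise-psn{i}", frozenset({"PSN"}), "dc1") for i in (1, 2, 3)),
]
if __name__ == "__main__":
    for stage, names in plan_upgrade(SAMPLE):
        print(f"{stage}: {', '.join(names)}")
```
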

Choose your upgrade method

You can choose an upgrade process based on your technical expertise and the time available for the upgrade. This release of Cisco ISE supports these upgrade processes:

  • Upgrade using the GUI
  • Upgrade using backup and restore (limited to Cisco ISE release 3.2 patch 2)
  • Upgrade using the CLI

This table compares Cisco ISE upgrade methods.

Cisco ISE upgrade method comparison

| Comparison factors | Upgrade using the GUI | Upgrade using backup and restore (limited to Cisco ISE release 3.2 patch 2) | Upgrade using the CLI |
| --- | --- | --- | --- |
| Process Type | Long | Fast | Longer |
| Administration required | Less | More | More |
| Difficulty level | Easy | Hard | Moderate |
| VMs | Each PSN is upgraded in parallel. | If there is enough capacity, new VMs can be prestaged and joined immediately to the new PAN. | Each PSN is upgraded; however, the upgrades can be done in parallel. |
| Upgrade time | Less (because each PSN is upgraded in parallel). | Least (because PSNs are imaged with the new version instead of being upgraded). | Less (because each PSN is upgraded in parallel). |
| Personnel required | Fewer manual interventions are required because the upgrade process is automated. | Stakeholders from multiple business units transfer configuration settings and operational logs. | Technical expertise on Cisco ISE is required. |
| Rollback options | Easy | Difficult (requires reimaging of the nodes) | Easy |

Upgrade using the GUI

GUI-based upgrade options

Depending on your deployed Cisco ISE, you can select one of these options in the Administration > System > Upgrade > Upgrade Selection page to upgrade your Cisco ISE deployment:

  • Full upgrade
  • Legacy Split Upgrade: Split upgrade is a multi-step process that upgrades your Cisco ISE deployment while keeping services available. This method lets you select which nodes to upgrade.

Note

Consider these pointers when upgrading Cisco ISE using GUI-based upgrade options:

  • The Full Upgrade method is supported for Cisco ISE 2.6 patch 10 and above, Cisco ISE 2.7 patch 4 and above, and Cisco ISE 3.0 patch 3 and above. The Split Upgrade method can be done on any supported Cisco ISE version and patch.
  • Although these GUI upgrade methods are available from earlier releases onwards, you must run at least Cisco ISE 2.7 patch 4 to upgrade to Cisco ISE 3.2.
  • Do not install or roll back a patch on any node using the CLI while another upgrade is in progress through the GUI or CLI upgrade options.

Upgrade using the CLI

Upgrade using backup and restore (Recommended) (limited to Cisco ISE release 3.2 patch 2)