ISE upgrade from 2.2/2.4 to 2.7 in a distributed deployment


  1. Check if the existing ISE VM specifications (RAM, CPU, Hard disk etc.) match with the ISE 2.7 requirements
  2. Run URT (Upgrade readiness tool) on Secondary Admin node to check if the upgrade will be successful. You can note down how much time it will take to upgrade each ISE node after running URT.
  3. Check if all your NADs (switches, Firewalls, wireless devices etc.) are compatible with ISE 2.7.
  4. Upgrade to the latest patch in the existing version before starting the upgrade.
  5. Take the screenshot of each PSN profiler configuration
  6. Take operational and configuration data backup and copy the backup files to remote repository. You should take the backup at least one day prior to the scheduled activity as this may take longer time depending on your deployment.
  7. Export all Local certificates along with private keys from all nodes in deployment  
  8. Export all trusted certs from PAN node and record configuration.
  9. Disable the automatic PAN failover.               
  10. Disable scheduled backups.
  11. Purge the operational data to improve upgrade performance. (Optional)
  12.  Verify the Disk size   of each ISE node that it has enough free space.        
  13.   Download the below upgrade bundle from Cisco site and keep it in remote repository.                               ise-upgradebundle-2.2.x-2.6.x-to-   
  14.  If your ISE deployment is integrated to Active directory, then ensure that you have required AD credentials to rejoin the Cisco ISE with AD after upgrade.

Upgrade Methods:

You can upgrade your ISE deployment in one of the below 3 methods:

  1. Upgradation from ISE GUI
  2. Upgradation from ISE CLI
  3. Upgradation using Backup and restore method

In this document, I will explain how to upgrade using CLI method.

Upgrade sequence of nodes using CLI method:

We need to upgrade the ISE nodes in the below sequences in a distributed deployment:

1. Initiate the upgrade on SAN (Secondary Admin Node) node                                                                  

2. Initiate the upgrade on Primary monitoring node                                               

3. Initiate the upgrade on PSN nodes: If you have enough redundancy in the network for PSNs, then you can choose to upgrade multiple PSNs a time. This will reduce the total upgrade time for the deployment.                                    

4. Initiate the upgrade on Secondary Monitoring node  (Before you upgrade the Secondary MnT nod, you need to enable MnT persona in the PAN as each deployment much have atleast one Mnt node. This will cause the PAN to restart the applications. Wait for the PAN node to up and running, then start the Secondary MnT upgrade)                                      

5. Initiate the upgrade on PAN (Primary Admin Node) node

The upgradation from CLI will be same for each node. However, the MnT nodes may take longer than other nodes for upgradation.

Below are the commands to upgrade from CLI:

  1. Application upgrade Cleanup: To cleanup the files from last upgrade.
  2. Application upgrade Prepare ise-upgradebundle-2.2.x-2.6.x-to-   <Repository Name>: This will download the image from repository, then will verify the image and finally prepare the node for upgrade.  You can choose to do cleanup and prepare all ISE nodes parallelly to reduce the total upgrade time.
  3. Application upgrade Proceed: This will cause ISE application to stop and then installation will start. ISE node will be reloaded/restarted after the upgrade.

     Post Upgradation of deployment:

  1. Promote the Original ISE node to become Primary: After the upgrade, the SAN will become the PAN, and the original PAN will become the SAN. To change this, login to current SAN GUI, navigate to Administration > Deployment and in the Edit Node window, click Promote to Primary to promote the SAN to become the PAN (as we have before the upgrade).
  2. Enable the automatic PAN failover
  3. Enable the automatic Operation and configuration backup.
  4. Check the health of each ISE nodes if everything looks good (In ISE home page).
  5. Check the Alarms in ISE home page.

Leave a Reply

Your email address will not be published.