Upgrade Cisco ISE 2 Node Deployment from 2.4 to 2.7 via GUI
Info
This guide will only contain information on how to upgrade from the GUI there are other articles out there explaining how to complete the upgrade from the CLI but in this case, I wanted to try the GUI for the upgrade process. The following article skips using the URT tool but if you really want to be on the safe side then you can run this from the CLI.
Pre-Requisites
There are a few prerequisites to follow before carrying out the upgrade from 2.4 to 2.7.
- The following files need to be downloaded from Cisco Software, obviously, this is dependent on the upgrade path but in my case, it is the following files.
- ise-patchbundle-2.4.0.357-Patch13-20080314.SPA.x86_64.tar.gz
- ise-upgradebundle-2.2.x-2.6.x-to-2.7.0.356.SPA.x86_64.tar.gz
- ise-patchbundle-2.7.0.356-Patch3-21020102.SPA.x86_64.tar.gz
- It is always recommended to check the md5 hash of the downloaded files
- Make sure you have a copy of the credentials you used to join ISE to Active Directory if you are using this feature.
Maintenance Patch
The first part of the upgrade process is to make sure that you install the latest patch in the 2.4 release, in my case this is patch 13. This is not a requirement but is advisable by Cisco.
When you install the patch in a 2 node deployment the Primary PAN will upgrade and if successful it will upgrade the secondary if the upgrade fails on the Primary node the secondary node does not attempt to install the patch.
Make sure that that the “Enable PAN Auto Failover” box is unticked as this is only needed when there are a total of 3 nodes.
When the patch is in progress you will see the following from the GUI but you will also get logged out while the Primary PAN is getting patched.
Installation of the patch on two nodes can take around 1.5 hours so go away and have a coffee.
Backup Procedure
Once the patch has installed we need to take a backup of Configuration Data, Operational Data, and export any certificates, this stage is extremely important as this will help you restore data in case of an upgrade failure.
To backup just hit the Backup Now button and choose a relevant place to store your backups, in my case I’m backing up to an SFTP server. Make sure you backup the Configuration Data and Operational Data.
It is always worth carrying out an Operational Data Purging before you start the upgrade, but if your data retention period is already set to something low it might not be worth doing. If you want to clear some space then the Operational Data Purging is located under system > Maintenance and Operational Data Purging.
Upgrade
Reminder – It is recommended to run the URT tool from the CLI, but in my case, I’m only using ISE as a TACAC’s server so I’m happy to proceed without doing this.
To start the upgrade process go to System > Upgrade, this will show a checklist of things that need to be checked before the upgrade which you should of already completed in the above steps.
Once you have completed the checklist then you can tick the box “I have reviewed the checklist”
The next step is to download the required upgrade bundle to the ISE servers, by selecting both servers and hitting download, this will then present you with a dropdown box to select your repository where your upgrade bundle is located, once selected select Begin Download, this will then download the bundle file to the ISE servers.
Once the download is complete both nodes will show the status of “Ready for upgrade” select both nodes and press continue.
You will then be presented with both nodes, the Primary Node will be greyed out as the secondary node has to be upgraded first. Tick the box on the left-hand side of the Secondary Node and move it over to the deployment. You will be presented with a confirmation window explaining that the secondary admin node will become the primary.
Then you will need to follow the same process for the primary node which will be assigned sequence 2 in the new deployment.
There is a tick box to continue in an upgrade failure, I would not recommend using this as we want to use the auto rollback feature in case of a failover.
Then hit upgrade which will present a warning and then hit upgrade.
You will then be presented with the upgrade status and estimated time, fingers crossed this doesn’t take 600 minutes!
Promote Secondary Node to Primary
Eventually I return, it didn’t take the 600 minutes it was around 2.5 hours for 2 nodes to upgrade.
Now we need to promote the original primary node back to primary as after upgrade it will stay as a secondary until you manually promote it back.
Log in to your primary node and you will be loaded into the NTP configuration section, you then need to go into the deployment section, which will present you with the option to promote the secondary back to primary.
It takes around 10 minutes to be promoted back to Primary but the time can vary as ISE has to restart services on both nodes, you will find that this is normally a slow process. Be aware that you will lose access to the GUI while the secondary is being promoted.
Once you can login to the Primary Node again it’s worth checking authentication again the ISE server to make sure that everything is still functioning like it was before the upgrade. In my case I can test TACAC’s on some switches and then I can check the TACAC’s log to make sure everything looks ok.
Maintenance Patch
Eventually, we are at the last step which is to upgrade to patch 3 in the 2.7 release.
This is the exact same steps as we did at the beginning where we upgraded to patch 13 in the 2.4 release.
So back to the maintenance section and upload the patch like below and hit the install button.
You will lose access to administer the device while the patch is installing on the Primary node, again this will take a while as the ISE server needs to reboot and restart all services.
Once the Primary Node has returned you can log back in and check the node status of both nodes.
Hopefully, this article has been helpful, I wrote this as I have normally carried out upgrades via CLI so I wanted to test out the GUI to see how successful it would be.