===== Backup and Restore method to upgrade ISE to 3.x====
Current Deployment: two ISE nodes
ISE01: Primary Admin Node, Secondary Monitoring Node.
ISE02: Primary Monitoring Node, Secondary Admin Node.
Upgrade steps:
1. Back up the ISE configuration and, optionally, the operational data.
2. Export certificates from both nodes (including private keys).
3. Export the running configuration from both nodes into separate notepad files.
4. Disconnect or shut down ISE02.
5. Build a new ISE 3.x VM node with the same IP address, hostname, DNS, NTP, domain name and all other settings as ISE02 (all details are saved in the notepad file).
6. Restore the backup to this new VM. This VM will be in standalone mode.
7. Import the certificate and private key, and install the patch on this new VM.
8. Make this new VM the Primary PAN/MnT and verify its functionality.
9. Disconnect or shut down ISE01.
10. Build the second new ISE 3.x VM with the same IP address, hostname, DNS, NTP, domain name and all other settings as ISE01 (all details are saved in the notepad file).
11. Import the certificate and private key, and install the latest patch on the second new VM.
12. Join the second new VM to the new deployment as the Secondary PAN.
13. Promote the second new VM to Primary PAN and verify its functionality.
14. Contact Cisco to convert Smart Licenses.
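A check for steps 5 and 10, as an added example that is not part of the original notes: it compares the running configuration saved in step 3 with the one taken from the rebuilt VM and reports identity settings that differ. The configuration text is a constructed sample, and the line formats (`hostname`, `ip domain-name`, `ip name-server`, `ip default-gateway`, `ip address`, `ntp server`) are assumed.

```python
# Settings that steps 5 and 10 require to match the node being replaced.
IDENTITY_KEYS = ("hostname", "ip domain-name", "ip name-server",
                 "ip default-gateway", "ip address", "ntp server")

def identity_settings(running_config):
    """Collect identity-relevant values from saved 'show running-config' text."""
    found = {}
    for raw in running_config.splitlines():
        line = " ".join(raw.split())  # drop indentation, collapse whitespace
        for key in IDENTITY_KEYS:
            if line.startswith(key + " "):
                found.setdefault(key, set()).add(line[len(key) + 1:])
    return found

def config_drift(old_cfg, new_cfg):
    """Return {setting: (old_values, new_values)} for each setting that differs."""
    old, new = identity_settings(old_cfg), identity_settings(new_cfg)
    return {key: (sorted(old.get(key, ())), sorted(new.get(key, ())))
            for key in IDENTITY_KEYS
            if old.get(key, set()) != new.get(key, set())}

# Constructed sample: config saved from the old ISE02 in step 3 (assumed format).
OLD_ISE02 = """\
hostname ise02
ip domain-name lab.example
ip name-server 192.0.2.53
ip default-gateway 192.0.2.1
interface GigabitEthernet 0
  ip address 192.0.2.12 255.255.255.0
ntp server 192.0.2.123
"""

# Constructed sample: rebuilt VM with a changed hostname and NTP server.
NEW_ISE02 = OLD_ISE02.replace("hostname ise02", "hostname ise02-new") \
                     .replace("ntp server 192.0.2.123", "ntp server 192.0.2.124")

if __name__ == "__main__":
    for setting, (old, new) in config_drift(OLD_ISE02, NEW_ISE02).items():
        print(f"MISMATCH {setting}: old={old} new={new}")
```

A hostname mismatch is the one to resolve before importing the exported certificate, since the certificate was issued for the original name.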
=========================
Upgrade may take four hours per node.
Disable automatic PAN Failover if it is configured.
Backing up from node A and then restoring to node B is allowed; both will have the same hostname but different IP addresses. Don't change node B's hostname, otherwise it will cause a certificate issue.
=======================
1. GUI
Administration > Maintenance > Patch: click Install to upload the patch package from the local PC.
The GUI shows no patch installation progress; run the following command in the CLI to see the patching log:
show logging system ade/ADE.log tail | include patch
Patch installation starts on the P-PAN, then continues on the S-PAN automatically.
2. CLI
Copy the patch package to an ISE repository.
Run the command:
patch install <patch_file_name> <repository_name>
A GUI install patches both ISE nodes automatically (P-PAN, then S-PAN). No installation progress is displayed in the GUI; check the log:
sh logging system ade/ADE.log tail
A CLI install patches only the local ISE node.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215406-patch-installation-on-ise-and-faq-durin.html
=====================================
You can use either Health Check or the Upgrade Readiness Tool (URT) to run a system diagnosis before the upgrade.
URT can detect and fix issues.
URT needs to be run on the secondary PAN; running this tool causes no downtime.
########################Install URT tool###############
Lab:
ISE30-A and ISE30-B are on patch 8.
The URT bundle is copied to a repository called "FTP".
ISE30-B/admin# show repository FTP
ise-patchbundle-3.0.0.458-Patch8-23080321.SPA.x86_64.tar.gz
ise-patchbundle-3.3.0.430-Patch3-24070910.SPA.x86_64.tar.gz
ise-urtbundle-3.3.0.430a-1.0.0.SPA.x86_64.tar.gz
ISE30-B/admin#
ISE30-B/admin# application install ise-urtbundle-3.3.0.430a-1.0.0.SPA.x86_64.tar.gz FTP
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
###########################################
# Installing Upgrade Readiness Tool (URT) #
###########################################
Checking ISE version compatibility
- Successful
Checking ISE persona
- Successful
Along with Administration, other services (MNT,PROFILER,SESSION) are enabled on this node. Installing and running URT might consume additional resources.
Do you want to proceed with installing and running URT now (y/n):y
Checking if URT is recent(<45 days old)
- Note: URT is 347 days old and its version is 1.0.0. There might be a recent URT bundle on CCO, please verify on CCO
Do you want to proceed with this version which is 347 days old (y/n):y
Proceeding with this version of URT itself
Installing URT bundle
URT can't be re-run; it has to be removed and re-installed:
ISE30-B/admin# show application
<name> <Description>
ise Cisco Identity Services Engine
Patches: 8
urt Cisco ISE - Upgrade Readiness Tool
ISE30-B/admin# application remove urt
Continue with application removal? (y/n) [n] ? y
Application successfully uninstalled
ISE30-B/admin#
-------
Lab upgrade: ISE 3.1 P8 to ISE 3.3 P4
1. Health Checks passed; run URT if possible
2. Upgrade method
Choose Split Upgrade
Seagate is the repository name in the lab.