
Cisco Identity Services Engine Upgrade Guide, Release 1.2
First Published: 2013-01-31
Last Modified: 2013-07-22
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-27087-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
© 2013
Cisco Systems, Inc. All rights reserved.
Preface
• Purpose
• Audience
• Document Organization
• Document Conventions
• Related Documentation
• Obtaining Documentation and Submitting a Service Request
Purpose
This document describes how to upgrade Cisco Identity Services Engine (ISE) software on Cisco ISE appliances
and VMware virtual machines.
You can upgrade Cisco ISE from a previous release or maintenance release to Release 1.2. You can also
migrate from Cisco Secure Access Control System (ACS), Release 5.3, to Release 1.2.
You cannot migrate to Release 1.2 from Cisco Secure ACS 4.x or earlier versions, Cisco Secure ACS 5.1 or
5.2, or from Cisco Network Admission Control (NAC) Appliance.
For information about migrating from Cisco Secure ACS, Release 5.3 to Cisco ISE, Release 1.2, see Cisco
Identity Services Engine, Release 1.2 Migration Tool Guide.
Note
You can directly migrate to Cisco ISE, Release 1.2 only from Cisco Secure ACS, Release 5.3. From Cisco
Secure ACS, Releases 4.x, 5.1, and 5.2, you must upgrade to ACS, Release 5.3 and then migrate to Cisco
ISE, Release 1.2.
Audience
This guide is designed for network administrators, system integrators, and network deployment personnel
who upgrade and configure Cisco ISE software on Cisco ISE 3300 and 3400 Series appliances or on VMware
servers. As a prerequisite to using this upgrade guide, you should be familiar with networking equipment and
cabling and have basic knowledge of electronic circuitry, wiring practices, and equipment-rack installations.
Document Organization
Chapter: Description
Upgrading Cisco ISE: Provides an overview of upgrading Cisco Identity Services Engine (ISE) to Release 1.2.
Upgrading Standalone and Two Node Deployments to Cisco ISE, Release 1.2: Describes how to upgrade a Cisco ISE standalone and two-node deployments to Release 1.2.
Upgrading a Distributed Deployment to Cisco ISE, Release 1.2: Describes how to upgrade a Cisco ISE distributed deployment to Release 1.2.
Recover from Upgrade Failures: Describes how to recover from upgrade failures.
Document Conventions
Convention: Description
^ or Ctrl: Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means hold down the Control key, then press the D key. (Key labels are in capital letters but are not case sensitive.)
Bold font: Commands and keywords that the user must enter appear in bold font.
Italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
Courier font: Terminal sessions and information the system displays appear in courier font.
Bold Courier font: Bold Courier font indicates text that the user must enter.
[x]: Elements in square brackets are optional.
...: An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
|: A decision bar indicates a choice within a set of keywords or arguments.
[x | y]: Optional alternative elements are grouped in brackets and separated by decision bars.
{x | y}: Required alternative elements are grouped in braces and separated by decision bars.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
<>: Angle brackets indicate a character string that the user enters but does not appear on the screen, such as a password.
[]: Default responses to system prompts are in square brackets.
!#: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Reader Alert Conventions
This document uses the following conventions for reader alerts:
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Tip: Means the following information will help you solve a problem, or could be some useful information.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage
or loss of data.
Timesaver: Means the described action saves time. You can save time by performing the action described in the
paragraph.
Warning: Means reader be warned. In this situation, you might perform an action that could result in bodily
injury.
Related Documentation
Release-Specific Documents
General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation
is available on Cisco.com at http://www.cisco.com/c/en/us/support/security/identity-services-engine/tsd-products-support-series-home.html.
Table 1: Product Documentation for Cisco Identity Services Engine
Release Notes for Cisco Identity Services Engine, Release 1.2: http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html
Cisco Identity Services Engine Network Component Compatibility, Release 1.2: http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html
Cisco Identity Services Engine User Guide, Release 1.2: http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html
Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.2
Cisco Identity Services Engine Hardware Installation Guide, Release 1.2: http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine Upgrade Guide, Release 1.2
Cisco Identity Services Engine, Release 1.2 Migration Tool Guide
Regulatory Compliance and Safety Information for Cisco Identity Services Engine 3400 Series Appliance and Cisco 3400 Secure Access Control System
Cisco Identity Services Engine CLI Reference Guide, Release 1.2: http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html
Cisco Identity Services Engine API Reference Guide, Release 1.2
Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card: http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html
Platform-Specific Documents
Links to other platform-specific documentation are available at the following locations:
Table 2: Platform-Specific Documents
Cisco ISE: http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html
Cisco NAC Appliance: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Cisco NAC Guest Server: http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html
Cisco NAC Profiler: http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
Cisco Secure Access Control System: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
Cisco UCS C-Series Servers: http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html
Obtaining Documentation and Submitting a Service Request
For information about obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and
set content to be delivered directly to your desktop by using a reader application. The RSS feeds are a free
service, and Cisco currently supports RSS Version 2.0.
CHAPTER 1
Upgrading Cisco ISE
Cisco Identity Services Engine (ISE) supports application upgrades only from the command-line interface
(CLI). You can upgrade Cisco ISE from any previous release to the next release. A previous release can
have patches installed on it, or it can be any maintenance release.
• Instructions for Upgrading to Cisco ISE, Release 1.2.1
• Important Notes To Read Before You Upgrade
• Obtain a Backup Before Upgrade to Prevent Any Data Loss
• Cisco ISE 1.2 Upgrade Process
• Cisco ISE 1.2 Supported Upgrade Paths
• Downloading the Upgrade Software
• Upgrade CLI Command
• Upgrade Methods for Different Types of Deployments
• Verify the Upgrade Process
• Post-Upgrade Tasks
• Known Upgrade Issues
Instructions for Upgrading to Cisco ISE, Release 1.2.1
You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:
• Cisco ISE, Release 1.1.0.665 with patch 5 or later
• Cisco ISE, Release 1.1.1.268 with patch 7 or later
• Cisco ISE, Release 1.1.2 with patch 10 or later
• Cisco ISE, Release 1.1.3 with patch 11 or later
• Cisco ISE, Release 1.1.4 with patch 11 or later
• Cisco ISE, Release 1.2.0.899 with patch 8 or later
The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice
when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only
once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.
The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options.
You can use:
• Cleanup—To clean a previously prepared upgrade bundle on a node locally. You can use this option
if:
• The application upgrade prepare command was interrupted for some reason
• The application upgrade prepare command was run with an incorrect upgrade bundle
• The upgrade failed for some reason
• Prepare—To download and extract an upgrade bundle locally. You can use this command followed by
the application upgrade proceed command.
• Proceed—To upgrade Cisco ISE using the upgrade bundle you extracted with the prepare option. You
can use this option after preparing an upgrade bundle instead of using the application upgrade
ise-upgradebundle-1.2-to-1.2.1.xxx.i386.tar.gz remote-repository command.
◦ If upgrade is successful, this option removes the upgrade bundle.
◦ If upgrade fails for any reason, this option retains the upgrade bundle.
Important Notes To Read Before You Upgrade
• Ensure that you do not accidentally delete system default sponsor groups and sponsor group policies when
you upgrade Cisco ISE, Release 1.0.4.573 to higher versions (for example, Cisco ISE, Release 1.1, 1.1.x,
and 1.2) or restore from the Cisco ISE, Release 1.0.4.573 backup to higher versions. The upgrade fails if
system default sponsor groups and sponsor group policies are missing in Cisco ISE.
• Ensure that you uncheck the Disable user account after <60> days if password was not changed (valid
range 1 to 3650) option on the Administration > Identity Management > Settings > User Password
Policy page. Users are disabled if the password expires after the default setting (60 days) when you
upgrade to Cisco ISE, Release 1.2 and restore the Cisco ISE, Release 1.1.x backup.
• You can upgrade only Administration, Policy Service, and Monitoring nodes. Upgrades are not supported
for Inline Posture Nodes (IPNs). For IPNs, you must reimage your appliance and perform a fresh
installation.
• We strongly recommend that you copy the upgrade bundle to a local repository on all the nodes. Having
the upgrade bundle in the local repository significantly reduces the time it takes to download it from the
network during the upgrade process.
1. Create a local repository for disk:/ from the Cisco ISE UI.
2. Copy the upgrade bundle to the local disk using the copy command from the Cisco ISE CLI: copy
ftp-filepath ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk:/
After you copy the upgrade bundle to the local disk, check that the size of the upgrade
bundle on your local disk is the same as it is in the repository. Use the dir command to verify the
size of the upgrade bundle on the local disk.
• Verify the MD5sum of the upgrade bundle. After you download the upgrade bundle to a repository such
as FTP or SFTP, check and verify that the MD5sum is correct. You can use the md5sum command in
Linux or the md5 command in Mac OS X.
• Ensure that you have read the VMware Virtual Machine Settings, on page 4 section if you are upgrading
Cisco ISE on a virtual machine. These recommendations are useful when you choose to reimage some
nodes, in case of replacing nodes with new VMs or appliances and also if there are any secondary node
upgrade failures where remediation is not possible.
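The size and MD5 checks from the bullets above, combined into one script that can run on the repository host. This is an added example, not part of the Cisco guide: the function names are hypothetical, and the reference MD5 and byte size are assumed to be the values published with the bundle on the vendor's download page.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Function names are hypothetical.
# The reference MD5 and byte size are assumed to be the values published
# with the bundle on the vendor's download page.

# bundle_md5 FILE: print the lowercase MD5 hex digest using md5sum (Linux)
# or md5 (Mac OS X), whichever is installed.
bundle_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "neither md5sum nor md5 found" >&2
        return 2
    fi
}

# bundle_size FILE: print the size in bytes.
bundle_size() {
    wc -c <"$1" | tr -d ' '
}

# verify_bundle FILE EXPECTED_MD5 [EXPECTED_SIZE]
#   0 = matches, 1 = size or digest mismatch, 2 = could not check
verify_bundle() {
    file=$1
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_size=${3:-}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Cheap check first: a truncated transfer shows up as a size difference.
    if [ -n "$want_size" ]; then
        got_size=$(bundle_size "$file")
        if [ "$got_size" != "$want_size" ]; then
            echo "SIZE MISMATCH $file: got $got_size, expected $want_size" >&2
            return 1
        fi
    fi

    got_md5=$(bundle_md5 "$file") || return 2
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 MISMATCH $file: got $got_md5, expected $want_md5" >&2
        return 1
    fi
    echo "OK $file md5=$got_md5"
}

# Run only when called with arguments, e.g.:
#   sh verify_bundle.sh ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz <md5> <bytes>
[ "$#" -lt 2 ] || verify_bundle "$@"
```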
Firewall Ports That Must be Open for Communication
If you have a firewall deployed between your primary Administration node and any other node, the following
ports must be open before you upgrade:
• TCP 1521—For communication between the primary administration node and monitoring nodes.
• TCP 443—For communication between the primary administration node and all other secondary nodes.
• TCP 12001—For global cluster replication.
• TCP 7800 and 7802—(Applicable only if the policy service nodes are part of a node group) For PSN
group clustering.
For a full list of ports that Cisco ISE uses, see the Cisco Identity Services Engine Hardware Installation Guide.
Other Preupgrade Considerations
Read the following information carefully, and record these configurations (back up, export, obtain screenshots)
wherever possible before you begin an upgrade:
• Read the Data Restoration Guidelines from the Cisco Identity Services Engine User Guide, Release 1.2
before you restore data on your newly upgraded node.
• Perform a backup of Cisco ISE configuration data from the primary Administration node, which includes
the Cisco Application Deployment Engine (ADE) configuration data.
• Perform a backup of the Cisco ISE operational data from the primary Monitoring node.
• Export the certificates, including the private key, from all the nodes in the deployment and save them
in a local system. Ensure that the Common Name (CN) or SAN in the HTTPS and EAP certificates for
each of your Cisco ISE nodes matches the Fully Qualified Domain Name of that node.
• Obtain a backup of the running configuration using the copy running-config destination command from
the Cisco ISE CLI, where destination is a URL such as ftp, sftp, or disk.
• Ensure that you have the Active Directory credentials if you are using Active Directory as your external
identity source. After an upgrade, you might lose Active Directory connections. If this happens, you
must rejoin Cisco ISE with Active Directory.
• Export the default profiler policies to a file and import them after an upgrade if you have edited and
customized the default profiler policies. The upgrade process overwrites the default profiler policies.
• Record the customization that you have done to the default language templates. After upgrade, you must
edit the default language templates if you have customized them in the old deployment.
• Record the alarm, e-mail settings, report customization, favorite reports, monitoring data backup schedules,
and data purge settings. You must reconfigure these settings after upgrade.
• Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them
after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and
onboarded again.
• Record the SNMP profiler probe settings. You must reconfigure the profiler SNMP polling from the
primary Administration node after upgrade if you are using it for profiling.
• Disable the console timeout temporarily from the Cisco ISE CLI for remote upgrades. Use the following
command from the Cisco ISE CLI: terminal session-timeout 0. After you disable the console timeout,
log out and log in to the Cisco ISE CLI. After upgrade is complete, ensure that the terminal session
timeout is set to its original value. The default value is 30 minutes.
• We strongly recommend that you delay any deployment configuration changes such as changing node
personas, system synchronization, and node registration or deregistration until all the nodes in your
deployment are completely upgraded. One exception to this recommendation, however, involves steps
that are required to recover from a failed upgrade.
• The Monitoring node's database size is reduced after you upgrade to Release 1.2 because of database
design and schema changes in Release 1.2, which optimizes disk space utilization and offers better
performance.
• The upgrade process from Cisco ISE 1.1.x to 1.2 includes the operating system and application binary
upgrade from a 32-bit to a 64-bit system. During upgrade, the node is rebooted twice following the
database and operating system upgrade. After the second reboot, the 64-bit application binaries are
installed and the database is migrated to the 64-bit system. During this process, you can monitor the
progress of the upgrade from the CLI using the show application status ise command. The following
message appears: "% NOTICE: Identity Services Engine upgrade is in progress..."
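For the certificate item in the list above (the CN or SAN must match each node's FQDN), a check that can be run over the exported certificates before the upgrade. This is an added example, not part of the Cisco guide: it uses the OpenSSL x509 -checkhost option and assumes each node's certificate was saved in PEM form as <node-fqdn>.pem in one directory; the layout and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Assumed layout: one PEM
# certificate per node, saved as <node-fqdn>.pem in a single directory.
# Function names are hypothetical.

# check_cert_host CERT FQDN
#   0 = CN or SAN covers FQDN, 1 = no match, 2 = not a readable PEM certificate
check_cert_host() {
    cert=$1
    fqdn=$2
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkhost prints "Hostname <h> does match certificate" or
    # "Hostname <h> does NOT match certificate"; the result is read
    # from that text.
    if openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
        grep -q 'does match certificate'; then
        return 0
    fi
    return 1
}

# audit_cert_dir DIR
#   Checks every DIR/<fqdn>.pem against the FQDN taken from its file name.
#   0 = all match, 1 = at least one mismatch or unreadable file, 2 = no input
audit_cert_dir() {
    dir=$1
    bad=0
    found=0
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        found=1
        fqdn=$(basename "$cert" .pem)
        check_cert_host "$cert" "$fqdn" && rc=0 || rc=$?
        case $rc in
            0) echo "MATCH      $fqdn" ;;
            1) # Show the subject so the wrong name is visible in the report.
               echo "MISMATCH   $fqdn  $(openssl x509 -in "$cert" -noout -subject 2>/dev/null)"
               bad=1 ;;
            *) echo "UNREADABLE $cert"
               bad=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "no .pem files in $dir" >&2; return 2; }
    return "$bad"
}

# Run only when a directory is given on the command line.
[ "$#" -lt 1 ] || audit_cert_dir "$1"
```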
Related Topics
Cisco Identity Services Engine User Guide, Release 1.2
Cisco Identity Services Engine CLI Reference Guide, Release 1.2
VMware Virtual Machine Settings
If you are upgrading nodes on virtual machines, ensure that you read the following statements carefully. You
should make these changes before you upgrade to Release 1.2.
Note
You must power down the virtual machine before you make the following changes, and power it back on
after the changes are done.
• Cisco ISE, Release 1.2, is a 64-bit system. Ensure that your virtual machine's hardware is compatible
with 64-bit systems. See the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
for more information. Enable BIOS settings that are required for 64-bit systems. Refer to the VMware
Knowledge Base for hardware and firmware requirements for 64-bit guest operating systems. After you
upgrade to Release 1.2, choose Linux as the Guest Operating System and Red Hat Enterprise Linux 5
(64-bit) as the version. See the VMware Knowledge Base for more information.
• You can also increase the CPU and memory size of the virtual machine. Refer to Cisco Identity Services
Engine Hardware Installation Guide, Release 1.2 for deployment sizing and scaling recommendations
for the SNS 3400 Series appliances. If you increase the disk size of a virtual machine, you cannot upgrade
so you must do a fresh installation of Release 1.2. After you install Release 1.2, you can check the CPU
and memory size using the show inventory command from the Cisco ISE CLI.
Time Taken for Upgrade
Upgrade Time Estimation
The following table provides an estimate of the amount of time it might take to upgrade Cisco ISE nodes.
Actual time taken for upgrade varies depending on a number of factors. Your production network continues
to function without any downtime during the upgrade process if you have multiple PSNs as part of a node
group. The data presented here is from a deployment with 25000 users and 250,000 endpoints.
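Type of Deployment | Node Persona | Time Taken for Upgrade
Standalone (2000 endpoints) | Administration, Policy Service, Monitoring | 1 hour 20 minutes
Distributed (25,000 users and 250,000 endpoints) | Secondary Administration | 2 hours
Distributed (25,000 users and 250,000 endpoints) | Monitoring | 2 hours
Distributed (25,000 users and 250,000 endpoints) | Policy Service | 2 hours
Distributed (25,000 users and 250,000 endpoints) | pxGrid | 2 hours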
Factors That Affect Upgrade Time
• Number of endpoints in your network
• Number of users and guest users in your network
• Amount of logs in a Monitoring or Standalone node
• Profiling service, if enabled
Note
Cisco ISE nodes on virtual machines might take a longer time to upgrade than physical appliances.
Obtain a Backup Before Upgrade to Prevent Any Data Loss
To prevent any data loss, you should perform an on-demand backup of the Cisco ISE Configuration and
Monitoring (operational) data before upgrade.
Performing an On-Demand Backup from the Cisco ISE User Interface
In the Cisco ISE user interface, you can perform an on-demand backup of the primary Administration node.
You must perform a backup of the Cisco ISE application and ADE-OS configuration data and monitoring
(operational) data. For backup and restore operations, the following repository types are not supported:
CD-ROM, HTTP, HTTPS, or TFTP. This is because these repository types are read-only or the protocol does
not support file listing. In a distributed deployment, if the primary Administration and primary Monitoring
personas run on the same node (appliance or virtual machine), then you can use the local repository for the
backup. If they run on separate nodes (appliances or virtual machines), the local repository cannot be used
for the backup. You can use the CLI and GUI to create repositories, but for Cisco ISE, Release 1.2, it is
recommended to use the GUI for the following reasons:
• Repositories that are created through the CLI are saved locally and do not get replicated to the other
deployment nodes. These repositories do not get listed in the repository GUI page.
• Repositories that are created on the primary Administration node through the GUI get replicated to the
other deployment nodes.
Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
• Before you perform this task, you should have a basic understanding of the type of data that can be
backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and
Monitoring data.
• Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity
Services Engine User Guide, Release 1.2 for more details.
• When you perform a backup, do not change the role of a node or promote a node. Changing node roles
will shut down all the processes and might cause some inconsistency in data if a backup is running
concurrently. Wait for the backup to complete before you make any node role changes.
• Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE
server startup configuration. You can use this startup configuration when you restore or troubleshoot
your Cisco ISE application from the backup and system logs. For more information about copying the
running configuration to the startup configuration, see the copy command in the Cisco Identity Services
Engine CLI Reference Guide, Release 1.2.
Note
Operational (Monitoring data) backup can be obtained only from the primary and secondary Monitoring
nodes.
Procedure
Step 1 Log in to the Cisco ISE administrative user interface.
Step 2 Choose Administration > System > Maintenance.
Step 3 Choose Data Management > Administration Node > Full Backup On Demand.
Choose Monitoring Node if you want to back up monitoring data.
Step 4 Enter the values as required to perform a backup.
Step 5 Click Backup Now.
Step 6 Verify that the backup completed successfully.
Cisco ISE appends the backup filename with the timestamp and stores this file in the specified repository.
Check if your backup file exists in the repository that you have specified.
Performing a Backup from the Cisco ISE CLI
To perform a backup of the Cisco ISE configuration or operational data from the Cisco ISE CLI and place
the backup in a repository, enter the backup command in EXEC mode.
Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
• Before you perform this task, you should have a basic understanding of the type of data that can be
backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and
Monitoring data.
• Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity
Services Engine User Guide, Release 1.1.x for more details.
• When you perform a backup, do not change the role of a node or promote a node. Changing node roles
will shut down all the processes and might cause some inconsistency in data if a backup is running
concurrently. Wait for the backup to complete before you make any node role changes.
• Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE
server startup configuration. You can use this startup configuration when you restore or troubleshoot
Cisco ISE from the backup and system logs. For more information about copying the running configuration
to the startup configuration, see the copy command in Cisco Identity Services Engine CLI Reference
Guide, Release 1.1.x.
Note
Operational backups can be obtained only from the primary and secondary Monitoring nodes.
For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP,
HTTPS, or TFTP. This is because these repository types are read-only or the protocol does not support
file listings.
In a distributed deployment, if the primary Administration and primary Monitoring personas run on the
same node (appliance or virtual machine), then you can use the local repository for the backup. If they
run on separate nodes (appliances or virtual machines), the local repository cannot be used for the backup.
Procedure
To obtain Cisco ISE configuration data, enter the backup command with the ise-config command operator
parameter in the CLI of the primary Administration node in your old deployment. To obtain Cisco ISE
operational (monitoring and troubleshooting) data, enter the backup command with the ise-operational
command operator parameter in the CLI of the primary or secondary Monitoring node in your old deployment.
CLI command to obtain a Cisco ISE configuration backup:
backup backup-name repository repository-name ise-config encryption-key {hash | plain} encryption-key name
CLI command to obtain a Cisco ISE operational backup:
backup backup-name repository repository-name ise-operational encryption-key {hash | plain} encryption-key name
The following table provides the syntax description:
backup-name: Name of the backup file. Supports up to 100 alphanumeric characters.
repository: Specifies the repository to store the backup file.
repository-name: Name and location of the repository where the files should be backed up to. Supports up to 80 alphanumeric characters.
ise-config: (Optional) Backs up Cisco ISE configuration data (includes Cisco ISE ADE-OS configuration data).
ise-operational: (Optional) Backs up only Cisco ISE operational (monitoring and troubleshooting) data. You can only specify this command operator parameter on the primary and secondary Monitoring nodes.
encryption-key: Specifies an encryption key to protect the backup.
hash: Specifies a hashed encryption key to protect the backup.
plain: Specifies a plaintext encryption key to protect the backup. The unencrypted plaintext key follows this keyword and supports up to 15 characters in length.
encryption-key name: Name of the encryption key in hash | plain format. Supports up to 40 characters for hashed encryption and 15 characters for plaintext encryption.
The backup command performs a backup of the Cisco ISE and ADE-OS configuration data and monitoring
data and places the backup in a repository with an encrypted (hashed) or unencrypted plaintext password.
You can encrypt and decrypt the backup by using a user-defined encryption key.
ise/admin# backup mybackup repository myrepository ise-config encryption-key plain Lab12345
% Creating backup with timestamped filename: backup-111125-1252.tar.gpg
ise/admin#
ise/admin# backup mybackup repository myrepository ise-operational encryption-key plain Lab12345
% Creating backup with timestamped filename: backup-111125-1235.tar.gpg
ise/admin#
Related Topics
Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x
Cisco ISE 1.2 Upgrade Process
You can upgrade to Cisco ISE, Release 1.2, only from the Cisco ISE command-line interface (CLI). For
instructions on upgrading standalone or two-node deployments, see "Chapter 2, Upgrading Standalone and
Two-Node Deployments to Release 1.2". For instructions on upgrading a distributed deployment, see "Chapter
3, Upgrading a Distributed Deployment to Cisco ISE, Release 1.2".
The upgrade process for a standalone node is different than the one for upgrading nodes in a deployment.
When you run the application upgrade command from the Cisco ISE CLI, the following tasks are performed
in the background in each of the nodes:
1 Downloads the upgrade bundle and extracts it.
2 Performs a backup of the configuration database (for automatic rollback in case of recoverable failures).
3 Upgrades the configuration database or downloads a dump of the upgraded configuration database (in the
case of a standalone node).
4 Upgrades the monitoring database.
5 Upgrades the operating system and application binary files.
6 Migrates the database from a 32-bit to a 64-bit system.
7 After a successful upgrade, prompts the user to log in to Cisco ISE, Release 1.2.
For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the
secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary
Administration node from the old deployment becomes the primary Administration node in the new deployment.
When you upgrade the rest of the nodes in the old deployment, they join the new deployment.
When you upgrade the secondary Administration node from the old deployment, it saves the old deployment
configuration and also notifies the primary Administration node of the upgrade. The primary Administration
node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old
deployment join the primary Administration node in the new deployment. The upgrade process retains licenses
and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files
with two-node unique device identifiers (UDIs). You can request a new license with the UDI of both the
primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation
Guide for details.
Note
To upgrade to Cisco ISE, Release 1.2, you do not have to deregister the nodes from the deployment and
register them to the new deployment as was the case in previous releases. When you run the application
upgrade command from the CLI, the upgrade software deregisters the node and registers it to the new
deployment automatically.
The upgrade fails if you make any node persona changes in the old deployment after you start the upgrade
on the secondary Administration node.
You must first upgrade the secondary Administration node. Then, upgrade the primary Monitoring node,
followed by the Policy Service nodes and Inline Posture nodes, respectively. Next, upgrade the secondary
Monitoring node (if you have one in your old deployment). Finally, upgrade the primary Administration node
from your old deployment. For Policy Service nodes, the database schema is not upgraded. Instead, the Policy
Service nodes get a copy of the new database from the primary Administration node in the new deployment.
Cisco ISE 1.2 Supported Upgrade Paths
You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
• Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
• Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
• Cisco ISE, Release 1.1.2, with the latest patch applied
• Cisco ISE, Release 1.1.3, with the latest patch applied
• Cisco ISE, Release 1.1.4, with the latest patch applied
The following table lists the Cisco ISE versions and what you need to do to upgrade to Cisco ISE, Release
1.2, from those versions.
Table 3: Upgrade Roadmap
From Version: Cisco ISE, Release 1.0 or 1.0.x
Upgrade Path:
1 Upgrade to Cisco ISE, Release 1.1.0.
2 Apply the latest patch for Cisco ISE, Release 1.1.0.
3 Upgrade to Cisco ISE, Release 1.2.
From Version: Cisco ISE, Release 1.1
Upgrade Path:
1 Apply the latest patch for Cisco ISE, Release 1.1.0.
2 Upgrade to Cisco ISE, Release 1.2.
From Version: Cisco ISE, Release 1.1.x
Upgrade Path:
1 Apply the latest patch for Cisco ISE, Release 1.1.x.
2 Upgrade to Cisco ISE, Release 1.2.
Downloading the Upgrade Software
To download the upgrade bundle (ise-upgradebundle-x.x.x.x.i386.tar.gz) from Cisco.com:
Procedure
Step 1
Go to http://www.cisco.com/go/ise. You must already have valid Cisco.com login credentials to access this link.
Step 2
Click Download Software for this Product.
Step 3
Download the upgrade bundle.
• Download ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz to upgrade from Release 1.1.x to Release 1.2.
• Download ise-upgradebundle-1.2.0.899.x86_64.tar.gz to upgrade from the Limited Availability Release to Release 1.2.
Upgrade CLI Command
You can upgrade directly from the Cisco ISE CLI. This option allows you to install the new Cisco ISE software
on the appliance and simultaneously upgrade configuration and monitoring information databases.
To use the application upgrade command from the Cisco ISE CLI, enter:
application upgrade application-bundle repository-name
• application-bundle is the name of the application bundle to upgrade the Cisco ISE application.
• repository-name is the name of the repository.
When you upgrade or restore Cisco ISE Monitoring nodes from the older versions of Cisco ISE to Release
1.2, the active sessions are not retained and are reset to 0.
Related Topics
Upgrading a Two-Node Deployment, on page 20
Performing a Backup to Prevent Data Loss During Upgrade
Upgrade Methods for Different Types of Deployments
Before you proceed with an upgrade, we recommend that you review the following chapters in this document
for information about how to perform an upgrade on the following different types of deployments:
• Standalone and two-node deployments
• Distributed deployments
Related Topics
Upgrading a Two-Node Deployment, on page 20
Upgrading a Distributed Deployment, on page 24
Verify the Upgrade Process
To verify if an upgrade is successful, do one of the following:
• Check the ade.log file for the upgrade process. To display the ade.log file, enter the following command
from the Cisco ISE CLI: show logging system ade/ADE.log
• Enter the show version command to verify the build version.
• Enter the show application status ise command to verify that all the services are running.
We recommend that you run some network tests to ensure that the deployment functions as expected and that
users are able to authenticate and access resources on your network.
If upgrade fails because of configuration database issues, the changes are rolled back automatically. Refer to
Chapter 4, "Recovering from Cisco ISE Upgrade Failures" for more information.
Post-Upgrade Tasks
Note
If you have recently upgraded to Cisco ISE 1.3, perform the post-upgrade tasks listed in the Cisco Identity
Services Upgrade Guide, Release 1.3.
Refer to Cisco Identity Services Engine User Guide, Release 1.2, for details about each of these tasks.
• Check if the local and Certificate Authority (CA) certificates are available. Reimport them, if necessary.
• Reconfigure your backup schedules (configuration and operational). Scheduled backups configured in
the old deployment are lost during upgrade.
• Join Cisco ISE with Active Directory again, if you use Active Directory as your external identity source
and connection to Active Directory is lost.
• Reset the RSA node secret if you use RSA SecurID server as your external identity source.
• Perform a posture update from the primary Administration node after upgrade if you have enabled the
Posture service.
• Check and import custom profiler policies. If you changed the default profiler policies, the upgrade
process overwrites the changes.
• Check profiling probe configurations and reconfigure them, if necessary.
• Customize default language templates after upgrade. If you had customized the default language templates
in the old deployment, the upgrade process overwrites the changes.
• Reconfigure profiler SNMP polling. This configuration is lost during an upgrade.
• After upgrade, the OUI entries might be missing in the database, which might result in the endpoints
matching incorrect authorization policies. Run the feed service to update the OUI.
• In previous releases of Cisco ISE, guest user records were available in the Internal Users database. Cisco
ISE, Release 1.2 introduces a Guest Users database, which is different than the Internal Users database.
If you have added the Internal Users database to your identity source sequence, the Guest Users database
also becomes part of your identity source sequence. If guest user login is not applicable, remove the
Guest Users database from the identity source sequence.
• Reconfigure e-mail settings, favorite reports, and data purge settings.
• Check the threshold and/or filters for specific alarms that you need. All the alarms are enabled by default
after an upgrade.
• Customize reports based on your needs. If you had customized the reports in the old deployment, the
upgrade process overwrites the changes that you made.
• The operational (monitoring and troubleshooting) data purge has changed in Cisco ISE, Release 1.2.
Purge settings default to 90 days. Some of the logs are purged within 24 hours of upgrading to the new
deployment. Check the dashboard to see if you are viewing data for the previous 24 hours. You can also
check the reports and live logs. Ensure that you obtain a backup of all the monitoring (operational)
data that you need.
Known Upgrade Issues
This section lists some of the known upgrade issues with workarounds. Refer to the Open Caveats section in
the Release Notes for Cisco Identity Services Engine, Release 1.2 for more details.
Upgrading Secondary Nodes From Limited Availability Release to Release 1.2 Fails
Problem This issue occurs only when you upgrade secondary nodes from the Limited Availability Release to
Cisco ISE, Release 1.2.
Possible Cause This issue is seen when you have backup schedules configured in Cisco ISE.
Solution Disable or cancel the backup schedules before you upgrade to Release 1.2.
Scheduled Backup Configurations Are Lost
Problem This issue occurs after you upgrade to Release 1.2 from earlier releases. Even though you backed up
the configuration data before upgrade and restored it in Cisco ISE, Release 1.2, the scheduled backup
configurations are lost.
Solution You must reconfigure the scheduled backups in Cisco ISE, Release 1.2.
Browser Cache Issues
Problem This issue occurs if you are using the same browser to access Cisco ISE before and after the upgrade.
Solution You must clear your browser cache after upgrade to access Cisco ISE, Release 1.2.
Active Directory Join Issues
Problem If you use Active Directory as your external identity store, after you upgrade to Release 1.2, Cisco
ISE will no longer be joined to the Active Directory domain.
Solution You must rejoin the nodes to the Active Directory domain from the Active Directory pages of the
Cisco ISE user interface.
RSA Connection Is Lost
Problem If you use RSA SecurID Server as your external identity source, the RSA SecurID server connection
might be lost after an upgrade.
Solution Reset the RSA node secret from the primary Administration node. Refer to Cisco Identity Services
Engine User Guide, Release 1.2, for more details.
New Users or Endpoints Added to the Old Deployment During Upgrade Are Lost
Problem Guest users or endpoints that are added to the old deployment when the new deployment is formed
are lost.
Solution Ensure that you disable services such as Guest, Profiler, Device Onboarding, and so on before an
upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices
must be profiled and onboarded again.
Profiler SNMP Polling Configuration Is Lost
Problem Profiler SNMP polling configuration is lost after an upgrade.
Solution You must reconfigure profiler SNMP polling from the Cisco ISE, Release 1.2 primary Administration
node after an upgrade. Refer to the Cisco Identity Services Engine User Guide, Release 1.2, for more
information.
Default Language Template Customization Is Lost
Problem If you have edited the default language templates, the changes that you have made are lost after an
upgrade.
Solution Customize the default language templates again after the upgrade.
CLI Password Policy is Lost During Upgrade
Problem This issue occurs when you upgrade to Cisco ISE, Release 1.2.
Possible Cause In Cisco ISE, Release 1.2, the GUI and CLI password policies are unified and replicated
to all nodes.
Solution After you upgrade to Release 1.2, configure the password policy from the Cisco ISE Admin portal
(Administration > System > Admin Access > Password Policy).
Posture Updates Are Overwritten
Problem During an upgrade, the operating system list for posture is updated, which might affect posture rules.
Solution After upgrade, from the primary Administration user interface, choose Administration > System >
Settings > Posture > Updates. Check the Cisco supported OS version. If it is set to 0.0.0.0, perform a posture
update.
Manifest Error While Running Upgrade
Problem You might see a "manifest error" when you try to upgrade ISE with an application bundle that was
downloaded using Apple Safari web browser from Cisco.com.
Possible Cause The upgrade file is decompressed after the download. By default, the Apple Safari web
browser opens "safe files" after a download. This setting decompresses the upgrade bundle after download
and causes the manifest error during upgrade.
Solution Uncheck the "open safe files after downloading" option under Preferences in the Apple Safari web
browser.
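The following check is an added example, not part of the Cisco guide: before copying a downloaded bundle to the repository, it confirms that the file is still a gzip-compressed tar and flags the case described above, where the browser has already removed the gzip layer. The sample files are constructed stand-ins, and the function names are hypothetical.

```python
import io
import os
import tarfile
import tempfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"      # first two bytes of every gzip stream
USTAR_OFFSET = 257            # offset of the "ustar" marker in a tar header block
USTAR_MAGIC = b"ustar"


def classify_bundle(path):
    """Return 'gzip-tar', 'plain-tar' or 'unknown' based on file content only."""
    with open(path, "rb") as fh:
        head = fh.read(USTAR_OFFSET + len(USTAR_MAGIC))
    if head.startswith(GZIP_MAGIC):
        try:
            # Read the first member header to confirm a tar archive is inside.
            with tarfile.open(path, mode="r:gz") as archive:
                archive.next()
            return "gzip-tar"
        except (tarfile.TarError, OSError, EOFError, zlib.error):
            return "unknown"
    if head[USTAR_OFFSET:USTAR_OFFSET + len(USTAR_MAGIC)] == USTAR_MAGIC:
        return "plain-tar"
    return "unknown"


def check_bundle(path):
    """Return a list of problems; an empty list means the bundle is still compressed."""
    problems = []
    name = os.path.basename(path)
    if not name.endswith(".tar.gz"):
        problems.append("file name %r does not end in .tar.gz" % name)
    kind = classify_bundle(path)
    if kind == "plain-tar":
        problems.append("content is an uncompressed tar: the gzip layer was removed "
                        "after download; download again with automatic opening disabled")
    elif kind == "unknown":
        problems.append("content is neither gzip nor tar: truncated or corrupt download")
    return problems


def build_constructed_samples(directory):
    """Write small stand-in files (constructed, not real Cisco bundles)."""
    payload = b"constructed placeholder content\n"

    def write_tar(path, mode):
        with tarfile.open(path, mode=mode) as archive:
            info = tarfile.TarInfo(name="placeholder.txt")
            info.size = len(payload)
            archive.addfile(info, io.BytesIO(payload))

    samples = {
        "intact": os.path.join(directory, "ise-upgradebundle-x.x.x.x.i386.tar.gz"),
        "unpacked": os.path.join(directory, "ise-upgradebundle-x.x.x.x.i386.tar"),
        "renamed": os.path.join(directory, "renamed-copy.tar.gz"),
        "corrupt": os.path.join(directory, "corrupt-copy.tar.gz"),
    }
    write_tar(samples["intact"], "w:gz")
    write_tar(samples["unpacked"], "w")   # what a browser that opens "safe files" leaves
    write_tar(samples["renamed"], "w")    # plain tar that was given its old extension back
    with open(samples["corrupt"], "wb") as fh:
        fh.write(b"\x00" * 64)
    return samples


def run_demo():
    """Check every constructed sample and return {label: problems}."""
    with tempfile.TemporaryDirectory() as directory:
        samples = build_constructed_samples(directory)
        return {label: check_bundle(path) for label, path in samples.items()}


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(label, "OK" if not problems else problems)
```

The "renamed" case matters because restoring the .tar.gz extension by hand does not restore the compression; only the content check catches it.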
CHAPTER 2
Upgrading Standalone and Two Node Deployments to Cisco ISE, Release 1.2
The upgrade software allows you to upgrade to Release 1.2 from the Command-Line Interface (CLI).
• Upgrading a Cisco ISE Standalone Node to Release 1.2
• Replacing an Earlier Version Standalone Appliance with an Appliance Running Release 1.2
• Upgrading a Two-Node Deployment
Upgrading a Cisco ISE Standalone Node to Release 1.2
You can execute the application upgrade command from the CLI on a standalone node that assumes the
Administration, Policy Service, and Monitoring personas.
Before You Begin
• Perform an on-demand backup of the configuration data from the standalone node.
• Perform an on-demand backup of the monitoring data from the standalone node using the administrative
user interface.
Procedure
Enter the application upgrade command from the Cisco ISE CLI.
This command internally upgrades the application binaries, the Database schema, and the datamodel module.
It also handles upgrading any Cisco Application Deployment Engine operating system (ADE-OS) updates.
If a system reload is required to complete the upgrade process, the node is restarted automatically following
a successful upgrade.
After the upgrade is complete, if the Cisco ISE node contains old Monitoring logs, ensure that you run the
application configure ise command and choose 11 (Refresh M&T Database Statistics).
The CLI transcript for a successful upgrade on a standalone node should look like the following:
ise-vm29/admin# application upgrade ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz myrepository
Save the current ADE-OS running configuration? (yes/no) [yes] ?
################################################################
Upgrading ISE to 1.2.0.899
################################################################
yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
STEP 1: Stopping ISE application...
STEP 2: Taking backup of the configuration data...
STEP 3: Running ISE configuration DB schema upgrade...
ISE Database schema upgrade completed.
STEP 4: Running ISE configuration data upgrade...
- Data upgrade step 1/79, ConfiguratorUpgradeService(1.2.0.155)... Done in 2 seconds.
- Data upgrade step 2/79, NSFUpgradeService(1.2.0.180)... Done in 0 seconds.
- Data upgrade step 3/79, GuestUpgradeService(1.2.0.195)... Done in 1 seconds.
- Data upgrade step 4/79, ProfilerUpgradeService(1.2.0.196)... Done in 9 seconds.
- Data upgrade step 5/79, SystemConfigUpgradeService(1.2.0.201)... Done in 0 seconds.
- Data upgrade step 6/79, NSFUpgradeService(1.2.0.217)... Done in 0 seconds.
- Data upgrade step 7/79, NSFUpgradeService(1.2.0.224)... Done in 3 seconds.
- Data upgrade step 8/79, GuestUpgradeService(1.2.0.225)... Done in 0 seconds.
- Data upgrade step 9/79, NSFUpgradeService(1.2.0.229)... Done in 0 seconds.
- Data upgrade step 10/79, ProfilerUpgradeService(1.2.0.256)... Done in 0 seconds.
- Data upgrade step 11/79, RBACUpgradeService(1.2.0.257)... Done in 34 seconds.
- Data upgrade step 12/79, ProfilerUpgradeService(1.2.0.257)... .............................Done in 1764 seconds.
- Data upgrade step 13/79, GuestUpgradeService(1.2.0.263)... Done in 2 seconds.
- Data upgrade step 14/79, ProfilerUpgradeService(1.2.0.265)... Done in 0 seconds.
- Data upgrade step 15/79, GuestUpgradeService(1.2.0.268)... Done in 0 seconds.
- Data upgrade step 16/79, NSFUpgradeService(1.2.0.270)... Done in 0 seconds.
- Data upgrade step 17/79, DictionaryUpgradeRegistration(1.2.0.272)... Done in 26 seconds.
- Data upgrade step 18/79, GuestUpgradeService(1.2.0.276)... Done in 0 seconds.
- Data upgrade step 19/79, NSFUpgradeService(1.2.0.281)... Done in 1 seconds.
- Data upgrade step 20/79, GuestUpgradeService(1.2.0.290)... Done in 1 seconds.
- Data upgrade step 21/79, NSFUpgradeService(1.2.0.291)... Done in 2 seconds.
- Data upgrade step 22/79, NSFUpgradeService(1.2.0.298)... Done in 0 seconds.
- Data upgrade step 23/79, PolicySetUpgradeService(1.2.0.310)... Done in 4 seconds.
- Data upgrade step 24/79, GuestUpgradeService(1.2.0.311)... Done in 0 seconds.
- Data upgrade step 25/79, GlobalExceptionUpgradeRegistration(1.2.0.311)... Done in 1 seconds.
- Data upgrade step 26/79, GuestUpgradeService(1.2.0.319)... Done in 0 seconds.
- Data upgrade step 27/79, ProfilerUpgradeService(1.2.0.319)... Done in 1 seconds.
- Data upgrade step 28/79, NetworkAccessUpgrade(1.2.0.326)... Done in 0 seconds.
- Data upgrade step 29/79, GuestUpgradeService(1.2.0.341)... Done in 2 seconds.
- Data upgrade step 30/79, NSFUpgradeService(1.2.0.344)... Done in 0 seconds.
- Data upgrade step 31/79, RBACUpgradeService(1.2.0.344)... .Done in 77 seconds.
- Data upgrade step 32/79, NSFUpgradeService(1.2.0.349)... Done in 0 seconds.
- Data upgrade step 33/79, AuthzUpgradeService(1.2.0.351)... Done in 0 seconds.
- Data upgrade step 34/79, RegisterPostureTypes(1.2.0.363)... ...............Done in 903 seconds.
- Data upgrade step 35/79, NSFUpgradeService(1.2.0.366)... Done in 2 seconds.
- Data upgrade step 36/79, NetworkAccessUpgrade(1.2.0.366)... Done in 11 seconds.
- Data upgrade step 37/79, GuestUpgradeService(1.2.0.370)... Done in 1 seconds.
- Data upgrade step 38/79, NSFUpgradeService(1.2.0.379)... Done in 0 seconds.
- Data upgrade step 39/79, AuthzUpgradeService(1.2.0.391)... Done in 0 seconds.
- Data upgrade step 40/79, GuestUpgradeService(1.2.0.400)... Done in 0 seconds.
- Data upgrade step 41/79, NSFUpgradeService(1.2.0.420)... Done in 0 seconds.
- Data upgrade step 42/79, NSFUpgradeService(1.2.0.430)... Done in 0 seconds.
- Data upgrade step 43/79, RBACUpgradeService(1.2.0.445)... .Done in 62 seconds.
- Data upgrade step 44/79, GuestUpgradeService(1.2.0.478)... Done in 0 seconds.
- Data upgrade step 45/79, RBACUpgradeService(1.2.0.481)... Done in 3 seconds.
- Data upgrade step 46/79, CertMgmtUpgradeService(1.2.0.485)... Done in 2 seconds.
- Data upgrade step 47/79, ProfilerUpgradeService(1.2.0.495)... Done in 0 seconds.
- Data upgrade step 48/79, RBACUpgradeService(1.2.0.496)... Done in 21 seconds.
- Data upgrade step 49/79, NSFUpgradeService(1.2.0.500)... Done in 0 seconds.
- Data upgrade step 50/79, NetworkAccessUpgrade(1.2.0.585)... Done in 4 seconds.
- Data upgrade step 51/79, GuestUpgradeService(1.2.0.618)... Done in 1 seconds.
- Data upgrade step 52/79, NetworkAccessUpgrade(1.2.0.621)... Done in 2 seconds.
- Data upgrade step 53/79, NSFUpgradeService(1.2.0.624)... Done in 5 seconds.
- Data upgrade step 54/79, NetworkAccessUpgrade(1.2.0.625)... Done in 0 seconds.
- Data upgrade step 55/79, VendorUpgradeRegistration(1.2.0.638)... Done in 0 seconds.
- Data upgrade step 56/79, CertMgmtUpgradeService(1.2.0.665)... Done in 2 seconds.
- Data upgrade step 57/79, ProfilerUpgradeService(1.2.0.700)... Done in 0 seconds.
- Data upgrade step 58/79, RegisterPostureTypes(1.2.0.706)... Done in 1 seconds.
- Data upgrade step 59/79, NetworkAccessUpgrade(1.2.0.708)... Done in 0 seconds.
- Data upgrade step 60/79, GuestUpgradeService(1.2.0.716)... Done in 1 seconds.
- Data upgrade step 61/79, NetworkAccessUpgrade(1.2.0.716)... Done in 0 seconds.
- Data upgrade step 62/79, RegisterPostureTypes(1.2.0.728)... Done in 1 seconds.
- Data upgrade step 63/79, NSFUpgradeService(1.2.0.729)... Done in 0 seconds.
- Data upgrade step 64/79, AuthzUpgradeService(1.2.0.729)... Done in 3 seconds.
- Data upgrade step 65/79, GuestUpgradeService(1.2.0.737)... Done in 0 seconds.
- Data upgrade step 66/79, NetworkAccessUpgrade(1.2.0.738)... Done in 0 seconds.
- Data upgrade step 67/79, GuestUpgradeService(1.2.0.747)... Done in 13 seconds.
- Data upgrade step 68/79, NSFUpgradeService(1.2.0.754)... Done in 1 seconds.
- Data upgrade step 69/79, RBACUpgradeService(1.2.0.757)... .Done in 83 seconds.
- Data upgrade step 70/79, NetworkAccessUpgrade(1.2.0.762)... Done in 0 seconds.
- Data upgrade step 71/79, NetworkAccessUpgrade(1.2.0.764)... Done in 0 seconds.
- Data upgrade step 72/79, NetworkAccessUpgrade(1.2.0.774)... Done in 0 seconds.
- Data upgrade step 73/79, NSFUpgradeService(1.2.0.775)... Done in 0 seconds.
- Data upgrade step 74/79, NSFUpgradeService(1.2.0.826)... Done in 0 seconds.
- Data upgrade step 75/79, GuestUpgradeService(1.2.0.852)... .......Done in 435 seconds.
- Data upgrade step 76/79, ProfilerUpgradeService(1.2.0.866)... Done in 0 seconds.
- Data upgrade step 77/79, CertMgmtUpgradeService(1.2.0.873)... Done in 0 seconds.
- Data upgrade step 78/79, NSFUpgradeService(1.2.0.881)... Done in 0 seconds.
- Data upgrade step 79/79, GuestUpgradeService(1.2.0.882)... Done in 2 seconds.
STEP 5: Running ISE configuration data upgrade for node specific data...
STEP 6: Running ISE MnT DB upgrade...
Upgrading Session Directory...
Completed.
- Mnt Schema Upgrade completed, executing sanity check...
% Mnt Db Schema Sanity success
Generating Database statistics for optimization ....
- Preparing database for 64 bit migration...
% NOTICE: The appliance will reboot twice to upgrade software and ADE-OS to 64 bit. During
this time progress of the upgrade is visible on console. It could take up to 30 minutes
for this to complete.
Rebooting to do Identity Service Engine upgrade...
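The following parser is an added example, not part of the Cisco guide: it reads a saved console transcript in the format shown above and reports data upgrade steps that never appeared, steps that started but never printed "Done", and steps that ran unusually long. The sample transcript is constructed and shortened to five steps, and the 300-second threshold for a slow step is an assumption.

```python
import re

# One record: "- Data upgrade step N/M, Service(version)..." followed by progress dots
# and "Done in S seconds.", possibly wrapped onto the next line by the terminal.
RECORD_RE = re.compile(
    r"Data upgrade step\s+(?P<num>\d+)/(?P<total>\d+),\s*"
    r"(?P<service>\w+)\((?P<version>[\d.]+)\)\.\.\."
    r"(?P<tail>.*?)(?=-\s*Data upgrade step|STEP \d+:|\Z)",
    re.S,
)
DONE_RE = re.compile(r"Done in\s+(\d+)\s+seconds\.")


def parse_data_upgrade_steps(transcript):
    """Return one dict per data upgrade step found in the transcript text."""
    steps = []
    for match in RECORD_RE.finditer(transcript):
        done = DONE_RE.search(match.group("tail"))
        steps.append({
            "number": int(match.group("num")),
            "total": int(match.group("total")),
            "service": match.group("service"),
            "version": match.group("version"),
            # None means the step was announced but never reported completion.
            "seconds": int(done.group(1)) if done else None,
        })
    return steps


def summarize(steps, slow_seconds=300):
    """Summarize completeness; slow_seconds is an assumed review threshold."""
    totals = {step["total"] for step in steps}
    declared = max(totals) if totals else 0
    seen = {step["number"] for step in steps}
    missing = [n for n in range(1, declared + 1) if n not in seen]
    unfinished = [s["number"] for s in steps if s["seconds"] is None]
    slow = [(s["number"], s["service"], s["seconds"])
            for s in steps
            if s["seconds"] is not None and s["seconds"] >= slow_seconds]
    return {
        "declared_total": declared,
        "missing": missing,
        "unfinished": unfinished,
        "slow": slow,
        "complete": bool(steps) and len(totals) == 1
                    and not missing and not unfinished,
    }


# Constructed sample modelled on the transcript format above: step 4 is absent
# and step 5 was interrupted before it printed "Done".
SAMPLE_TRANSCRIPT = """\
STEP 4: Running ISE configuration data upgrade...
- Data upgrade step 1/5, ConfiguratorUpgradeService(1.2.0.155)... Done in 2 seconds.
- Data upgrade step 2/5, ProfilerUpgradeService(1.2.0.257)...
.............................Done in 1764 seconds.
- Data upgrade step 3/5, GlobalExceptionUpgradeRegistration(1.2.0.311)... Done in 1
seconds.
- Data upgrade step 5/5, GuestUpgradeService(1.2.0.882)...
"""

if __name__ == "__main__":
    report = summarize(parse_data_upgrade_steps(SAMPLE_TRANSCRIPT))
    for key, value in report.items():
        print(key, value)
```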
What to Do Next
• After you upgrade from Cisco ISE, Release 1.1.1 patch 3, or Cisco ISE, Maintenance Release 1.1.2, to
Cisco ISE, Release 1.2, you may be unable to use the SFTP repository until you accept the host key by
using the crypto host_key add host sftp-server-name command.
• After you upgrade to Cisco ISE, Release 1.2, recreate all backup schedules because older jobs will not
work properly.
• If there is any failure during the upgrade of application binaries and the Cisco ADE-OS, you should
reimage and install the previous version and restore the backup.
Related Topics
Cisco Identity Services Engine CLI Reference Guide, Release 1.2
Replacing an Earlier Version Standalone Appliance with an Appliance Running Release 1.2
This upgrade scenario is required only if you are upgrading Cisco ISE, Release 1.1.x, to Release 1.2 at the
same time that you are replacing an existing Cisco ISE appliance.
Before You Begin
Perform a backup of the Cisco ISE 1.1.x configuration and monitoring data from the primary Administration
node in the old deployment. Obtain a license based on the Unique Device Identifier (UDI) of the new SNS-3400
Series appliance.
Note
If you want to do a fresh install of Cisco ISE, Release 1.2, instead of upgrading, you can install and set up
the new appliance, and then restore or configure your data manually.
Procedure
Step 1
Set up the new Cisco ISE, Release 1.2 appliance. Refer to the Cisco Identity Services Engine Hardware
Installation Guide, Release 1.2 for details.
Step 2
Install the new license on the Cisco ISE, Release 1.2 appliance.
Step 3
From the Cisco ISE CLI, restore the configuration and monitoring data from the backup that you obtained.
Step 4
After you restore the data, you must wait for all the application-server processes to start and run.
To verify that the Cisco ISE application-server processes are running, enter the following command from the
Cisco ISE CLI:
show application status ise
Related Topics
Cisco Identity Services Engine User Guide, Release 1.2
Cisco Identity Services Engine CLI Reference Guide, Release 1.2
Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Upgrading a Two-Node Deployment
Use the application upgrade command to upgrade a two-node deployment to Release 1.2. You do not have
to manually deregister the node and register it again. The upgrade software automatically deregisters the node
and moves it to the new deployment. When you upgrade a two-node deployment to Cisco ISE, Release 1.2,
you should initially upgrade only the secondary Administration node (Node B). When the secondary node
upgrade is complete, you upgrade the primary node (Node A). If you have a deployment set up as shown in
the following figure, you can proceed with this upgrade procedure.
Figure 1: Cisco ISE, Release 1.1.x, Two-Node Administrative Deployment
Before You Begin
• Perform an on-demand backup (manually) of the configuration and operational data from the primary
Administration node.
• If the Administration persona is enabled only on the primary Administration node, you must enable the
Administration persona on the secondary Administration node before you begin the upgrade procedure
because the upgrade process requires the secondary node to be upgraded first.
• If there is only one Administration node in your two-node deployment, then deregister the secondary
node. Both the nodes become standalone nodes. Upgrade both the nodes as standalone nodes and set up
the deployment after upgrading to Release 1.2.
• If the Monitoring persona is enabled only on one of the nodes, ensure that you enable the Monitoring
persona on the other node before you proceed.
Procedure
Step 1
Upgrade the secondary node (Node B) to Cisco ISE, Release 1.2, from the CLI.
The upgrade process automatically removes Node B from the deployment and upgrades it to Release 1.2.
Node B becomes the primary node when it restarts.
Step 2
Upgrade Node A to Release 1.2.
The upgrade process automatically registers Node A to the deployment and makes it the secondary node.
Step 3
Promote Node A to be the primary node in the new deployment.
If you want to retain Node B as your primary node, you must obtain a license that includes the UDI of both
the primary and secondary Administration nodes. Refer to the Cisco Identity Services Engine Hardware
Installation Guide, Release 1.2 for information on how to obtain a license.
After the upgrade is complete, if the nodes that were upgraded to Release 1.2 contain old Monitoring logs,
ensure that you run the application configure ise command and choose 11 (Refresh M&T Database Statistics)
on those nodes.
Related Topics
Upgrade Methods for Different Types of Deployments, on page 11
Upgrade CLI Command, on page 11
CHAPTER 3
Upgrading a Distributed Deployment to Cisco ISE, Release 1.2
This chapter describes how you can upgrade your distributed deployment to Cisco ISE, Release 1.2.
• Distributed Deployment Upgrade
• Replacing Old Appliances with ISE 3400 Series Appliances
Distributed Deployment Upgrade
A typical Cisco ISE distributed deployment consists of primary and secondary Administration and Monitoring
nodes, several Policy Service nodes, and an IPN node as shown in the following figure.
Figure 2: Cisco ISE, Release 1.1.x, Administrative Deployment
To upgrade a distributed deployment similar to the one shown in the above figure, follow the procedure
described below.
Upgrading a Distributed Deployment
When upgrading to Cisco ISE, Release 1.2, first upgrade the secondary Administration node to Release 1.2.
For example, if you have a deployment set up as shown in Figure 2, with one primary Administration node
(Node A), one secondary Administration node (Node B), one Inline Posture node (IPN) (Node C), and four
Policy Service nodes (PSNs) (Node D, Node E, Node F, and Node G), one primary Monitoring node (Node H),
and one secondary Monitoring node (Node I), you can proceed with the following upgrade procedure.
Note
You do not have to manually deregister the node before an upgrade. Use the application upgrade command
to upgrade nodes to Release 1.2. The upgrade process deregisters the node automatically and moves it to
the new deployment. If you manually deregister the node before an upgrade, ensure that you have the
license file for the Primary Administration node before beginning the upgrade process. If you do not have
the file on hand (if your license was installed by a Cisco partner vendor, for example), contact the Cisco
Technical Assistance Center for assistance.
Before You Begin
• If you do not have a secondary Administration node in the deployment, configure one Policy Service
node to be the secondary Administration node before beginning the upgrade process.
• Perform an on-demand backup (manually) of the configuration and ADE-OS data from the primary
Administration node.
• Perform an on-demand backup of the Monitoring data.
• Record the IPN configuration before the upgrade, so that you can reconfigure the IPN after the upgrade.
You can do this by manually noting the configuration details or taking screen shots of the existing
configuration from the IPN user interface.
• When you upgrade a complete Cisco ISE deployment, Domain Name System (DNS) server resolution
(both forward and reverse lookups) is mandatory; otherwise, the upgrade fails.
Procedure
Step 1
Upgrade the secondary Administration node (Node B) from the CLI.
The upgrade process automatically deregisters Node B from the deployment and upgrades it to Release 1.2.
Node B becomes the primary node of the new deployment when it restarts. Because each deployment requires
at least one Monitoring node, the upgrade process enables the Monitoring persona on Node B even if it was
not enabled on this node in the old deployment. If the Policy Service persona was enabled on Node B in the
old deployment, this configuration is retained after upgrading to the new deployment.
Step 2
Upgrade one of your Monitoring nodes (Node H) to the new deployment.
We recommend that you upgrade your primary Monitoring node before the secondary Monitoring node (this
is not possible if your primary Administration node in the old deployment functions as your primary Monitoring
node as well). Your primary Monitoring node starts to collect the logs from the new deployment and you can
view the details from the primary Administration node dashboard.
If you have only one Monitoring node in your old deployment, before you upgrade it, ensure that you enable
the Monitoring persona on Node A, which is the primary Administration node in the old deployment. Node
persona changes result in a Cisco ISE application restart. Wait for Node A to come up before you proceed.
Upgrading the Monitoring node to the new deployment takes longer than the other nodes because operational
data has to be moved to the new deployment.
If Node B, the primary Administration node in the new deployment, did not have the Monitoring persona
enabled in the old deployment, disable the Monitoring persona on it. Node persona changes result in a Cisco
ISE application restart. Wait for the primary Administration node to come up before you proceed.
Step 3
Upgrade the Policy Service nodes (Nodes D, E, F, and G) to Cisco ISE, Release 1.2, from the CLI. You can
upgrade several PSNs in parallel, but if you upgrade all the PSNs concurrently, your network will
experience downtime.
After the upgrade, the PSNs are registered with the primary node of the new deployment (Node B), and the
data from the primary node (Node B) is replicated to all the PSNs. The PSNs retain their personas, node group
information, and profiling probe configurations.
Step 4
Deregister the IPN node (Node C) from the primary Administration node.
Step 5
Reimage the IPN appliance (Node C).
Step 6
Install the IPN 1.2 ISO on the reimaged IPN node (Node C).
Step 7
Register the IPN node (Node C) to the primary Administration node (Node B) of the new deployment.
Step 8
If you have a second Monitoring node (Node I) in your old deployment, you must do the following:
a) Enable the Monitoring persona on Node A, which is the primary node in your old deployment.
A deployment requires at least one Monitoring node. Before you upgrade the second Monitoring node
from the old deployment, enable this persona on the primary node itself. Node persona changes result in
a Cisco ISE application restart. Wait for the primary ISE node to come up again.
b) Upgrade the secondary Monitoring node (Node I) from the old deployment to the new deployment.
Except for the primary Administration node (Node A), you must have upgraded all the other nodes to the new
deployment.
Step 9
Finally, upgrade the primary Administration node (Node A) to Cisco ISE, Release 1.2.
This node will be upgraded to Release 1.2 and added to the new deployment as a secondary Administration
node. You can promote the secondary Administration node (Node A) to be the primary node in the new
deployment. If you want to retain Node B as your primary node, you must obtain a license that includes the
UDI of both the primary and secondary Administration nodes.
After the upgrade is complete, if the Monitoring nodes that were upgraded to Release 1.2 contain old logs,
ensure that you run the application configure ise command and choose 11 (Refresh M&T Database Statistics)
on the Monitoring nodes.
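The ordering rules in Steps 1 through 9 can be checked against a planned sequence before any node is touched. The following Python check is an added example, not part of the Cisco guide; the persona labels, the Node class and check_plan are names invented here, node letters follow Figure 2, and it assumes one persona per node.

```python
"""Check a planned Cisco ISE 1.1.x -> 1.2 upgrade sequence (added example)."""
from dataclasses import dataclass

# Persona labels invented for this example; they are not ISE identifiers.
PRIMARY_PAN, SECONDARY_PAN = "primary-admin", "secondary-admin"
MNT, PSN, IPN = "monitoring", "policy-service", "inline-posture"


@dataclass(frozen=True)
class Node:
    name: str
    persona: str  # assumption: one persona per node


def check_plan(nodes, batches):
    """Return (severity, message) findings for an upgrade plan.

    nodes   -- every node in the old deployment
    batches -- list of lists of node names; a batch is upgraded in parallel
               from the CLI, and batches run one after another
    """
    known = {n.name for n in nodes}
    flat = [name for batch in batches for name in batch]

    unknown = sorted(set(flat) - known)
    if unknown:
        return [("error", f"plan names nodes not in the deployment: {unknown}")]

    findings = []
    repeated = sorted({n for n in flat if flat.count(n) > 1})
    if repeated:
        findings.append(("error", f"nodes listed more than once: {repeated}"))

    def names(persona):
        return [n.name for n in nodes if n.persona == persona]

    # Step 1: the secondary Administration node goes first, alone.
    secondary = names(SECONDARY_PAN)
    if not secondary:
        findings.append(("error", "no secondary Administration node; configure "
                         "a Policy Service node as secondary before upgrading"))
    elif not batches or list(batches[0]) != secondary[:1]:
        findings.append(("error", "first batch must be only the secondary "
                         f"Administration node {secondary[0]}"))

    # Step 9: the primary Administration node goes last, alone.
    primary = names(PRIMARY_PAN)
    if primary and (not batches or list(batches[-1]) != primary[:1]):
        findings.append(("error", f"primary Administration node {primary[0]} "
                         "must be the final batch"))

    # Steps 4-7: IPN nodes are reimaged, never upgraded in place.
    ipn = sorted(set(flat) & set(names(IPN)))
    if ipn:
        findings.append(("error", f"Inline Posture nodes {ipn} cannot be "
                         "upgraded directly; reimage and install the IPN 1.2 ISO"))

    # Every other node must be in the new deployment before the primary is.
    missing = sorted(known - set(names(IPN)) - set(flat))
    if missing:
        findings.append(("error", f"nodes never upgraded: {missing}"))

    # Step 3: all PSNs in one batch means network downtime.
    psns = set(names(PSN))
    if len(psns) > 1 and any(psns <= set(batch) for batch in batches):
        findings.append(("warning", "all Policy Service nodes are in one "
                         "batch; the network will experience downtime"))
    return findings


# The deployment from Figure 2 and a plan that follows Steps 1-9.
FIGURE_2 = [Node("A", PRIMARY_PAN), Node("B", SECONDARY_PAN), Node("C", IPN),
            Node("D", PSN), Node("E", PSN), Node("F", PSN), Node("G", PSN),
            Node("H", MNT), Node("I", MNT)]
GOOD_PLAN = [["B"], ["H"], ["D", "E"], ["F", "G"], ["I"], ["A"]]

if __name__ == "__main__":
    psn_first = [["D"], ["B"], ["H"], ["E", "F", "G"], ["I"], ["A"]]
    for label, plan in [("good", GOOD_PLAN), ("psn first", psn_first)]:
        print(label, check_plan(FIGURE_2, plan) or "no findings")
```

A plan that puts a PSN ahead of Node B is the case that produces the validation error shown later in this guide.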
After upgrade, your new deployment will be similar to the one shown in the figure below:
Figure 3: Complete Deployment Upgraded to Release 1.2
CLI Transcripts of Successful Upgrades
Here is an example CLI transcript of a successful secondary Administration node upgrade.
ise74/admin# application upgrade ise-upgradebundle-1.2.x-to-1.3.0.853.x86_64.tar.gz myrepository
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
md5: 1cef2635004342aa94e8ed24158047ba
sha256: 9e434762b3fd2578a803571aedd0c9565f8aac65faec239ff279a02772f709cc
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ?
Unbundling Application Package...
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
STEP 1: Stopping ISE application...
STEP 2: Verifying files in bundle...
-Internal hash verification passed for bundle
STEP 3: Validating data before upgrade...
STEP 4: De-registering node from current deployment.
STEP 5: Taking backup of the configuration data...
STEP 6: Running ISE configuration DB schema upgrade...
- Running db sanity check to fix index corruption, if any...
ISE Database schema upgrade completed.
STEP 7: Running ISE configuration data upgrade...
- Data upgrade step 1/71, NSFUpgradeService(1.2.1.127)... Done in 0 seconds.
- Data upgrade step 2/71, NetworkAccessUpgrade(1.2.1.127)... Done in 0 seconds.
- Data upgrade step 3/71, GuestUpgradeService(1.2.1.146)... Done in 0 seconds.
- Data upgrade step 4/71, NetworkAccessUpgrade(1.2.1.148)... Done in 2 seconds.
- Data upgrade step 5/71, NetworkAccessUpgrade(1.2.1.150)... Done in 3 seconds.
- Data upgrade step 6/71, NSFUpgradeService(1.2.1.181)... Done in 0 seconds.
- Data upgrade step 7/71, NSFUpgradeService(1.3.0.100)... Done in 0 seconds.
- Data upgrade step 8/71, RegisterPostureTypes(1.3.0.170)... Done in 0 seconds.
- Data upgrade step 9/71, ProfilerUpgradeService(1.3.0.187)... Done in 5 seconds.
- Data upgrade step 10/71, GuestUpgradeService(1.3.0.194)... Done in 2 seconds.
- Data upgrade step 11/71, NetworkAccessUpgrade(1.3.0.200)... Done in 0 seconds.
- Data upgrade step 12/71, GuestUpgradeService(1.3.0.208)... Done in 2 seconds.
- Data upgrade step 13/71, GuestUpgradeService(1.3.0.220)... Done in 0 seconds.
- Data upgrade step 14/71, RBACUpgradeService(1.3.0.228)... Done in 24 seconds.
- Data upgrade step 15/71, NetworkAccessUpgrade(1.3.0.230)... Done in 4 seconds.
- Data upgrade step 16/71, GuestUpgradeService(1.3.0.250)... Done in 0 seconds.
- Data upgrade step 17/71, NetworkAccessUpgrade(1.3.0.250)... Done in 0 seconds.
- Data upgrade step 18/71, RBACUpgradeService(1.3.0.334)... Done in 18 seconds.
- Data upgrade step 19/71, RBACUpgradeService(1.3.0.335)... Done in 17 seconds.
- Data upgrade step 20/71, ProfilerUpgradeService(1.3.0.360)... ...Done in 217 seconds.
- Data upgrade step 21/71, ProfilerUpgradeService(1.3.0.380)... Done in 3 seconds.
- Data upgrade step 22/71, NSFUpgradeService(1.3.0.401)... Done in 0 seconds.
- Data upgrade step 23/71, NSFUpgradeService(1.3.0.406)... Done in 0 seconds.
- Data upgrade step 24/71, NSFUpgradeService(1.3.0.410)... Done in 1 seconds.
- Data upgrade step 25/71, RBACUpgradeService(1.3.0.423)... Done in 0 seconds.
- Data upgrade step 26/71, NetworkAccessUpgrade(1.3.0.424)... Done in 0 seconds.
- Data upgrade step 27/71, RBACUpgradeService(1.3.0.433)... Done in 1 seconds.
- Data upgrade step 28/71, EgressUpgradeService(1.3.0.437)... Done in 0 seconds.
- Data upgrade step 29/71, NSFUpgradeService(1.3.0.438)... Done in 0 seconds.
- Data upgrade step 30/71, NSFUpgradeService(1.3.0.439)... Done in 0 seconds.
- Data upgrade step 31/71, CdaRegistration(1.3.0.446)... Done in 2 seconds.
- Data upgrade step 32/71, RBACUpgradeService(1.3.0.452)... Done in 26 seconds.
- Data upgrade step 33/71, NetworkAccessUpgrade(1.3.0.458)... Done in 0 seconds.
- Data upgrade step 34/71, NSFUpgradeService(1.3.0.461)... Done in 0 seconds.
- Data upgrade step 35/71, CertMgmtUpgradeService(1.3.0.462)... Done in 2 seconds.
- Data upgrade step 36/71, NetworkAccessUpgrade(1.3.0.476)... Done in 0 seconds.
- Data upgrade step 37/71, TokenUpgradeService(1.3.0.500)... Done in 1 seconds.
- Data upgrade step 38/71, NSFUpgradeService(1.3.0.508)... Done in 0 seconds.
- Data upgrade step 39/71, RBACUpgradeService(1.3.0.509)... Done in 25 seconds.
- Data upgrade step 40/71, NSFUpgradeService(1.3.0.526)... Done in 0 seconds.
- Data upgrade step 41/71, NSFUpgradeService(1.3.0.531)... Done in 0 seconds.
- Data upgrade step 42/71, MDMUpgradeService(1.3.0.536)... Done in 0 seconds.
- Data upgrade step 43/71, NSFUpgradeService(1.3.0.554)... Done in 0 seconds.
- Data upgrade step 44/71, NetworkAccessUpgrade(1.3.0.561)... Done in 2 seconds.
- Data upgrade step 45/71, CertMgmtUpgradeService(1.3.0.615)... Done in 0 seconds.
- Data upgrade step 46/71, CertMgmtUpgradeService(1.3.0.616)... Done in 22 seconds.
- Data upgrade step 47/71, CertMgmtUpgradeService(1.3.0.617)... Done in 2 seconds.
- Data upgrade step 48/71, OcspServiceUpgradeRegistration(1.3.0.617)... Done in 0 seconds.
- Data upgrade step 49/71, NSFUpgradeService(1.3.0.630)... Done in 0 seconds.
- Data upgrade step 50/71, NSFUpgradeService(1.3.0.631)... Done in 0 seconds.
- Data upgrade step 51/71, CertMgmtUpgradeService(1.3.0.634)... Done in 0 seconds.
- Data upgrade step 52/71, RBACUpgradeService(1.3.0.650)... Done in 8 seconds.
- Data upgrade step 53/71, CertMgmtUpgradeService(1.3.0.653)... Done in 0 seconds.
- Data upgrade step 54/71, NodeGroupUpgradeService(1.3.0.655)... Done in 1 seconds.
- Data upgrade step 55/71, RBACUpgradeService(1.3.0.670)... Done in 4 seconds.
- Data upgrade step 56/71, ProfilerUpgradeService(1.3.0.670)... Done in 0 seconds.
- Data upgrade step 57/71, ProfilerUpgradeService(1.3.0.675)...
...............................Done in 1896 seconds.
- Data upgrade step 58/71, NSFUpgradeService(1.3.0.676)... Done in 2 seconds.
- Data upgrade step 59/71, AuthzUpgradeService(1.3.0.676)... Done in 16 seconds.
- Data upgrade step 60/71, GuestAccessUpgradeService(1.3.0.676)... ..............Done in
874 seconds.
- Data upgrade step 61/71, NSFUpgradeService(1.3.0.694)... Done in 0 seconds.
- Data upgrade step 62/71, ProvisioningRegistration(1.3.0.700)... Done in 0 seconds.
- Data upgrade step 63/71, RegisterPostureTypes(1.3.0.705)... Done in 0 seconds.
- Data upgrade step 64/71, CertMgmtUpgradeService(1.3.0.727)... Done in 0 seconds.
- Data upgrade step 65/71, CertMgmtUpgradeService(1.3.0.808)... Done in 1 seconds.
- Data upgrade step 66/71, NSFUpgradeService(1.3.0.810)... Done in 2 seconds.
- Data upgrade step 67/71, GuestAccessUpgradeService(1.3.0.832)... Done in 0 seconds.
- Data upgrade step 68/71, RBACUpgradeService(1.3.0.834)... Done in 33 seconds.
- Data upgrade step 69/71, ProfilerUpgradeService(1.3.0.844)... Done in 0 seconds.
- Data upgrade step 70/71, GuestAccessUpgradeService(1.3.0.853)... Done in 0 seconds.
- Data upgrade step 71/71, ProvisioningUpgradeService(1.3.105.181)... ..Done in 125 seconds.
STEP 8: Running ISE configuration data upgrade for node specific data...
STEP 9: Making this node PRIMARY of the new deployment. When other nodes are upgraded it
will be added to this deployment.
STEP 10: Running ISE M&T DB upgrade...
ISE Database Mnt schema upgrade completed.
Gathering Config schema(CEPM) stats .....
Gathering Operational schema(MNT) stats .....
Stopping ISE Database processes...
% NOTICE: The appliance will reboot twice to upgrade software and ADE-OS. During this time
progress of the upgrade is visible on console. It could
take up to 30 minutes for this to complete.
Rebooting to do Identity Service Engine upgrade...
Here is an example CLI transcript of a successful PSN (or Monitoring) node upgrade.
ise-vm31/admin# application upgrade ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz myrepository
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
STEP 1: Stopping ISE application...
STEP 2: De-registering node from current deployment.
STEP 3: Taking backup of the configuration data...
STEP 4: Registering this node to primary of new deployment...
STEP 5: Downloading configuration data from primary of new deployment...
STEP 6: Importing configuration data...
STEP 7: Running ISE configuration data upgrade for node specific data...
STEP 8: Running ISE MnT DB upgrade...
Upgrading Session Directory...
Completed.
- Mnt Schema Upgrade completed, executing sanity check...
% Mnt Db Schema Sanity success
Generating Database statistics for optimization ....
- Preparing database for 64 bit migration...
% NOTICE: The appliance will reboot twice to upgrade software and ADE-OS to 64 bit. During
this time progress of the upgrade is visible on console. It
could take up to 30 minutes for this to complete.
Rebooting to do Identity Service Engine upgrade...
Related Topics
Upgrade Methods for Different Types of Deployments, on page 11
Upgrading Inline Posture Nodes in a Distributed Deployment
You cannot directly upgrade Inline Posture nodes to Cisco ISE, Release 1.2. You must reimage the Cisco ISE
3300 Series appliance and install the ISE-IPN 1.2 ISO on it. This section describes the procedure to upgrade
IPN nodes to Release 1.2.
Before You Begin
• Ensure that you have the ISE-IPN 1.2 ISO image.
• If you have an IPN high-availability pair in your deployment, cancel the high-availability pair before
you deregister the IPN nodes from the Cisco ISE, Release 1.1.x, deployment.
• Record all configuration data for the IPN node before you deregister the node. Alternatively, you can
save screen shots of each of the IPN tabs (from the primary administrative user interface) to record the
data. Having this data on hand speeds up the process of reregistering the IPN node.
Procedure
Step 1
Deregister the IPN node from the primary Administration node.
You can verify that the IPN node has returned to Cisco ISE node status by going to the CLI and entering the
following command: show application status ise. If you discover that the node has not reverted, then you
can enter the following at the command prompt: pep switch outof-pep. However, it is recommended that
you only do this as a last resort.
Step 2
Reimage the Cisco ISE 3300 Series appliance. Refer to the Cisco Identity Services Engine Hardware Installation
Guide, Release 1.2, for more information.
Step 3
Install the ISE-IPN 1.2 ISO image on the appliance. Refer to the Cisco Identity Services Engine Hardware
Installation Guide, Release 1.2, for more information.
Step 4
Configure the certificates from the IPN node CLI.
Step 5
Register the node as an IPN node to the primary Administration node and reconfigure it.
Step 6
Confirm the IPN settings and save your configuration.
Related Topics
Downloading the Upgrade Software, on page 11
Configuring Certificates for Inline Posture Nodes, on page 30
Cisco Identity Services Engine User Guide, Release 1.2
Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Upgrading an Active-Standby Pair of IPN Nodes in a Distributed Deployment
To upgrade an active-standby pair of Inline Posture nodes to Release 1.2, you must first cancel the
high-availability pair and then reimage and install the ISE-IPN 1.2 ISO image on the nodes.
Procedure
Step 1
Log in to the primary Administration node.
Step 2
Cancel the active-standby high-availability pair.
a) Choose Administration > System > Deployment.
b) Check the check box next to the active IPEP node and click Edit.
c) Click the Failover tab.
d) Uncheck the HA Enabled check box.
e) Click Save.
Step 3
Click Save.
Step 4
Deregister the IPN nodes from the primary Administration node.
You can verify that the IPN node has returned to Cisco ISE node status by going to the CLI and entering the
following command: show application status ise. If you discover that the node has not reverted, then you
can enter the following at the command prompt: pep switch outof-pep. However, it is recommended that
you only do this as a last resort.
Step 5
Reimage the standalone IPN nodes. Refer to the Cisco Identity Services Engine Hardware Installation Guide,
Release 1.2, for more information.
Step 6
Install the ISE-IPN 1.2 ISO image on the IPN nodes. Refer to the Cisco Identity Services Engine Hardware
Installation Guide, Release 1.2, for more information.
Step 7 Configure certificates on the IPN nodes from the CLI.
Step 8 Register the IPN nodes to the primary Administration node.
Step 9 Reconfigure the IPN nodes with an active-standby pair.
Step 10 Confirm the IPN settings and save your configuration.
Related Topics
Cisco Identity Services Engine User Guide, Release 1.2
Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
Configuring Certificates for Inline Posture Nodes
After you have installed the ISE-IPN 1.2 ISO image on any of the supported appliance platforms and run the
setup program, you must configure certificates for Inline Posture nodes before you can add them to the
deployment.
Before You Begin
• The IPN node must be certified from the same CA that has certified the primary Administration node.
• You can configure Inline Posture node certificates only from the command-line interface (CLI).
• If you wish to deploy an active-standby pair of Inline Posture nodes, you must configure the certificates
on both the active and standby Inline Posture nodes.
Procedure
Step 1
Log in to the Inline Posture node through the CLI.
Step 2
Generate a certificate signing request (CSR) for the IPN node.
Step 3
Download the signed certificate in the DER or base64 format, and copy it to an FTP server.
Step 4
Enter the following command from the Inline Posture node CLI:
pep certificate server add
Step 5
Enter y for the application to restart.
Step 6
Enter y to bind the certificate to the last CSR.
Step 7
Enter the name of the CA-signed certificate. The IPN application restarts. You can now register this IPN node
with the primary Administration node.
Related Topics
Cisco Identity Services Engine User Guide, Release 1.2
Generating a Certificate Signing Request for an Inline Posture Node
Before you can add an IPN to the Cisco ISE deployment, the IPN must be certified from the same CA that
certified the primary Administration node.
Before You Begin
You must log in to the CLI of the IPN.
Procedure
Step 1
Enter the following command:
pep certificate server generatecsr
Step 2
Enter n to use an existing private key file with the CSR or enter y to generate a new one.
Step 3
Step 4
Step 5
Step 6
Step 7
Enter the desired key size.
Enter the type of digest that you want to sign the certificate with.
Enter a country code (2 letter code).
Enter state, city, organization, and organizational unit values.
Enter a Common Name. A Common Name is the same as your hostname. You must enter the fully qualified
domain name (FQDN). For example, if your hostname is IPEP1 and your DNS domain name is cisco.com,
you must enter IPEP1.cisco.com as your Common Name.
Enter your e-mail address.
Copy the entire block of text including the blank line after the END CERTIFICATE REQUEST tag (to include
the carriage return).
Step 8
Step 9
Step 10 Send the CSR to the CA that signed the primary Administration node’s certificate.
If you are using the Microsoft CA, choose Web Server as the Certificate Template while sending the signing
request.
For IPN nodes, only server authentication is supported in Release 1.2. If you use other CAs to sign
the certificate, ensure that the extended key usage specifies server authentication alone.
You will receive the signed certificate from the CA.
Note
What to Do Next
Download the signed certificate in DER or base64 format and copy it to an FTP server.
Copying a Signed Certificate to an FTP Server
Before You Begin
You must generate a certificate signing request (CSR) for the Inline Posture node and send it to the CA.
Procedure
Step 1
Enter the following command from the Inline Posture node CLI:
copy ftp://a.b.c.d/ipep1.cer disk:
a.b.c.d is the IP address of the FTP server and ipep1.cer is the CA-signed certificate that you are adding to
the IPN node.
Step 2
Enter the username and password for the FTP server.
What to Do Next
Add the signed certificate to the Inline Posture node.
Replacing Old Appliances with ISE 3400 Series Appliances
This section describes how you can replace your existing old appliances with the Cisco ISE 3400 Series
appliances.
Replacing Some Existing Nodes with Appliances Running Release 1.2
This section describes what you should do if you want to replace some of the Cisco ISE 1.1.x nodes with
new Cisco ISE, Release 1.2, appliances while upgrading to Release 1.2. You can configure only the
Administration and Monitoring nodes with primary and secondary roles for high availability. The Policy
Service nodes can be grouped together for load balancing and failover purposes.
Before You Begin
If you are replacing some of the appliances with new SNS-3400 Series appliances, obtain a license with the
UDI of the new SNS-3400 Series appliances that you are going to configure as the primary and secondary
Administration nodes.
Procedure
Step 1
Upgrade the existing secondary Administration node to Release 1.2.
This node automatically deregisters itself from the old deployment and becomes the primary Administration
node in the new deployment.
Step 2
Upgrade the Monitoring, Policy Service, Inline Posture, and primary Administration nodes to the new
deployment as described in the Upgrading Nodes in a Distributed Deployment section.
Step 3
Deregister the nodes on old appliances that you want to replace.
Step 4
Perform a fresh installation and register the new Cisco ISE, Release 1.2, appliances with the primary
Administration node in the new deployment. Refer to the Cisco Identity Services Engine Hardware Installation
Guide, Release 1.2, and Cisco Identity Services Engine User Guide, Release 1.2, for details.
Step 5
Promote one of the new SNS-3400 Series appliances to be the new primary Administration ISE node. Install
the license that you have obtained with the UDI of the new appliance.
Replacing All Nodes with Appliances Running Release 1.2
This section describes what you should do if you want to replace all the Cisco ISE, Release 1.1.x, nodes with
new SNS-3400 Series appliances while upgrading to Release 1.2. You can configure only the Administration
and Monitoring nodes with primary and secondary roles for high availability. The Policy Service nodes can
be grouped together for load balancing and failover purposes.
Before You Begin
Obtain a license with the UDI of the new SNS-3400 Series appliances that you are going to configure as the
primary and secondary Administration nodes.
Procedure
Step 1
Perform a backup of the Cisco ISE configuration and monitoring data.
Step 2
Perform a fresh installation and configure one of the new SNS-3400 Series appliances to be the primary
Administration node in the new deployment. Refer to Cisco Identity Services Engine Hardware Installation
Guide, Release 1.2, for details.
Step 3
Install the license based on the UDI of the new primary and secondary Administration nodes (SNS-3400
Series appliances) on the primary Administration node in the new deployment.
Step 4
Restore the Cisco ISE configuration on the primary node in the new deployment.
Step 5
On the appliance that you want to designate as the Monitoring node, perform a fresh installation, restore the
monitoring backup, and register it with the primary Administration node in the new deployment.
Step 6
Perform a fresh installation and register the other SNS-3400 Series appliances with the primary Administration
node in the new deployment and configure them from the primary Administration node user interface. Refer
to Cisco Identity Services Engine Hardware Installation Guide, Release 1.2, and Cisco Identity Services
Engine User Guide, Release 1.2, for details.
CHAPTER 4
Recover from Upgrade Failures
This section describes what you need to do while recovering from upgrade failures.
The upgrade software performs some validations. If the upgrade fails, follow the instructions provided on screen
to recover and successfully upgrade to Release 1.2.
At times, the upgrade fails because the nodes were not upgraded in the required order (for example, the
secondary Administration node must be upgraded first). If you encounter this error, you can upgrade the deployment
again following the order of upgrade specified in this guide.
In rare cases, you might have to reimage, perform a fresh install, and restore data. So it is important that you
have a backup of Cisco ISE configuration and monitoring data before you start the upgrade. It is important
that you back up the configuration and monitoring data even though we automatically try to roll back the
changes in case of configuration database failures.
Note
Upgrade failures that happen because of issues in the monitoring database are not rolled back automatically.
You have to manually reimage your system, install Cisco ISE, Release 1.2, and restore the configuration
and monitoring data on it.
• Upgrade Failures, page 35
• Upgrade Fails During Binary Install, page 37
Upgrade Failures
This section describes some of the known upgrade errors and what you must do to recover from them.
Note
You can check the upgrade logs from the CLI or the status of the upgrade from the console. Log in to the
CLI or view the console of the Cisco ISE node to view the progress of upgrade. You can use the show
logging application command from the Cisco ISE CLI to view the following logs (example filenames
are given in parentheses):
• DB Data Upgrade Log (dbupgrade-data-global-20160308-154724.log)
• DB Schema Log (dbupgrade-schema-20160308-151626.log)
• Post OS Upgrade Log (upgrade-postosupgrade-20160308-170605.log)
Configuration and Data Upgrade Errors
During upgrade, the configuration database schema and data upgrade failures are rolled back automatically.
Your system returns to the last known good state. If this is encountered, the following message appears on
the console and in the logs:
% Warning: The node has been reverted back to its pre-upgrade state.
error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
% Application upgrade failed. Please check logs for more details or contact Cisco Technical
Assistance Center for support.
Remediation Errors
If you need to remediate an upgrade failure to get the node back to the original state, the following message
appears on the console. Check the logs for more information.
% Warning: Do the following steps to revert node to its pre-upgrade state."
error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
% Application upgrade failed. Please check logs for more details or contact Cisco Technical
Assistance Center for support.
Validation Errors
If there are any validation errors, which are not actual upgrade failures, the following message appears. For
example, you might see this error if you attempt to upgrade a PSN before the secondary PAN is upgraded or
if the system does not meet the specified requirements. The system returns to the last known good state. If
you encounter this error, ensure that you perform the upgrade as described in this document.
STEP 1: Stopping ISE application...
% Warning: Cannot upgrade this node until the standby PAP node is upgraded and running. If
standbyPAP is already upgraded
and reachable ensure that this node is in SYNC from current Primary UI.
Starting application after rollback...
% Warning: The node has been reverted back to its pre-upgrade state.
error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
% Application upgrade failed. Please check logs for more details or contact Cisco Technical
Assistance Center for support.
Application Binary Upgrade Errors
If the ADE-OS or application binary upgrade fails, the following message appears when you run the show
application status ise command from the CLI following a reboot. You should reimage and restore the
configuration and operational backups.
% WARNING: An Identity Services Engine upgrade had failed. Please consult logs. You have
to reimage and restore to previous version.
Other Types of Errors
For any other types of failures (including cancellation of the upgrade, disconnection of the console session,
power failure, and so on), you must reimage and restore the configuration and operational backup depending
on the personas enabled on the node originally.
Reimage
The term reimage refers to a fresh installation of Cisco ISE. For Monitoring database upgrade (schema +
data) errors, you must reimage and restore the configuration and operational backups. Before you reimage,
ensure that you generate a support bundle by running the backup-logs CLI command and place the support
bundle in a remote repository in order to help ascertain the cause of failure. You must reimage to the old or
new version based on the node personas:
• Secondary Administration Node—Reimage to the old version and restore the configuration and operational
backup.
• Monitoring Nodes—If the nodes are deregistered from the existing deployment, reimage to the new
version, register with the new deployment, and enable the Monitoring persona.
• All Other Nodes—If there are upgrade failures on the other nodes, the system usually returns to the last
known good state. If the system does not roll back to the old version, you can reimage to the new version,
register with the new deployment, and enable the personas as done in the old deployment.
Upgrade After Failure
In case of upgrade failures, before you try to upgrade again:
• Analyze the logs. Check the support bundle for errors.
• Identify and resolve the problem by submitting the support bundle that you generated to the Cisco
Technical Assistance Center (TAC).
Upgrade Progress
Note: Upgrade from Cisco ISE, Release 1.1.x, to 1.2 is a 32-bit to 64-bit upgrade. This process involves an
ADE-OS upgrade and application binary upgrade to 64-bit, and the node is rebooted twice during this time.
You can view the progress of the upgrade by logging in via SSH and using the show application status
ise command. The following message appears:
% NOTICE: Identity Services Engine upgrade is in progress...
Upgrade Fails During Binary Install
Problem An application binary upgrade occurs after the database upgrade. If a binary upgrade failure happens,
the following message appears on the console and ADE.log:
% Application install/upgrade failed with system removing the corrupted install
Solution Before you attempt any roll back or recovery, generate a support bundle by using the backup-logs
command and place the support bundle in a remote repository.
To roll back, reimage the Cisco ISE appliance by using the previous ISO image and restore the data from the
backup file. You need a new upgrade bundle each time you retry an upgrade.
• Analyze the logs. Check the support bundle for errors.
• Identify and resolve the problem by submitting the support bundle that you generated to the Cisco
Technical Assistance Center (TAC).
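A triage sketch for the console and ADE.log messages quoted in this chapter, added here as an example and not part of Cisco's guide or tooling: it undoes terminal line wrapping before matching and reports the most severe state found. The state names, the `triage` function and the sample transcripts are constructed for illustration; the message strings and recovery actions are the ones given above.

```python
import re

# (state, message text quoted in this guide, recovery action the guide gives),
# ordered most severe first so the worst finding in a transcript wins.
SIGNATURES = [
    ("binary_install_failed",
     "Application install/upgrade failed with system removing the corrupted install",
     "run backup-logs to a remote repository, reimage with the previous ISO, restore backup"),
    ("upgrade_failed",
     "An Identity Services Engine upgrade had failed",
     "reimage and restore the configuration and operational backups"),
    ("rolled_back",
     "The node has been reverted back to its pre-upgrade state",
     "node is at its pre-upgrade state; analyze the logs before retrying"),
    ("in_progress",
     "Identity Services Engine upgrade is in progress",
     "no recovery needed; upgrade still running"),
]

def normalize(text):
    """Undo terminal line wrapping: collapse every whitespace run to one space."""
    return re.sub(r"\s+", " ", text).strip()

def triage(transcript):
    """Return (state, action) for the most severe known message, else 'unknown'."""
    flat = normalize(transcript).lower()
    for state, message, action in SIGNATURES:
        if normalize(message).lower() in flat:
            return state, action
    return "unknown", "no known upgrade message found; check the support bundle"

# Constructed sample: the rollback output shown in this guide, wrapped mid-sentence.
SAMPLE_ROLLBACK = """STEP 1: Stopping ISE application...
Starting application after rollback...
% Warning: The node has been reverted back to its
pre-upgrade state.
% Application upgrade failed. Please check logs for more details or contact Cisco Technical
Assistance Center for support."""

# Constructed sample: the post-reboot status message, wrapped mid-sentence.
SAMPLE_REIMAGE = """% WARNING: An Identity Services Engine upgrade had
failed. Please consult logs. You have
to reimage and restore to previous version."""

if __name__ == "__main__":
    for name, text in [("rollback", SAMPLE_ROLLBACK), ("reimage", SAMPLE_REIMAGE)]:
        print(name, "->", triage(text))
```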