Introduction:
Cisco Identity Services Engine (ISE) plays a critical role in network security by providing centralized access control, policy management, and identity services. Regular updates and upgrades are essential to ensure your ISE deployment remains secure and efficient. In this blog post, we’ll walk you through the process of upgrading from Cisco ISE version 2.7 to 3.2, highlighting the steps and considerations to ensure a smooth transition.

Step 1: Pre-Upgrade Preparation
Before initiating the upgrade process, it’s crucial to perform a comprehensive pre-upgrade assessment. This involves:

  1. Reviewing the Cisco ISE 3.2 release notes: Familiarize yourself with the new features, resolved issues, and any known limitations or caveats in the latest release.
  2. Checking hardware and software requirements: Ensure that your hardware meets the minimum requirements for Cisco ISE 3.2. Also, verify compatibility with any integrated components such as Cisco AnyConnect, Cisco TrustSec, etc.
  3. Backup: Take a full backup of your Cisco ISE 2.7 deployment, including configuration, certificates, and databases. This ensures that you can restore your environment in case of any unforeseen issues during the upgrade process.
  4. License: Confirm that your existing licenses are compatible with Cisco ISE 3.2. If necessary, acquire and install additional licenses to support the upgrade.

Step 2: Upgrade Planning and Strategy
Once you’ve completed the pre-upgrade preparations, it’s time to develop a comprehensive upgrade plan. Consider the following factors:

  1. Downtime: Determine an appropriate maintenance window for the upgrade process, minimizing disruption to network operations.
  2. Rollback Plan: Define a rollback strategy in case the upgrade encounters unexpected issues. This may involve restoring from the backup taken in Step 1.
  3. Communication: Notify relevant stakeholders about the upcoming upgrade, including IT teams, network administrators, and end-users. Provide information about the planned downtime and any expected impacts on network services.

Step 3: Upgrade Process
With the preparation and planning complete, it’s time to proceed with the upgrade:

Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade.

Step 2

Click Proceed. The Review Checklist window appears. Read the given instructions carefully.

Step 3

Check the I have reviewed the checklist check box, and click Continue. The Download Bundle to Nodes window appears.

Step 4

Download the upgrade bundle from the repository to the nodes:

  1. Check the check box next to the nodes to which you want to download the upgrade bundle.
  2. Click Download. The Select Repository and Bundle window appears.
  3. Select the repository. You can select the same repository or different repositories on different nodes, but you must select the same upgrade bundle on all the nodes.
  4. Check the check box next to the bundle that you want to use for the upgrade.
  5. Click Confirm.

Once the bundle is downloaded to the node, the node status changes to Ready for Upgrade.

Step 5

Click Continue. The Upgrade Nodes window appears.

Figure 1. Upgrade Window Showing the Repositories Selected for Each Node

Step 6

Choose the upgrade sequence. When you move a node to the new deployment, a time estimate for the upgrade is displayed on the Upgrade Nodes window. You can use this information to plan for upgrade and minimize downtime. Use the sequence given below if you have a pair of Administration and Monitoring Nodes, and several Policy Service Nodes.

  1. By default, the Secondary Administration Node is listed first in the upgrade sequence. After upgrade, this node becomes the Primary Administration Node in the new deployment.
  2. The Primary Monitoring Node is the next one in the sequence to be upgraded to the new deployment.
  3. Select the Policy Service Nodes and move them to the new deployment. You can alter the sequence in which the Policy Service Nodes are upgraded. You can upgrade the Policy Service Nodes in sequence or in parallel. You can select a set of Policy Service Nodes and upgrade them in parallel.
  4. Select the Secondary Monitoring Node and move it to the new deployment.
  5. Finally, select the Primary Administration Node and move it to the new deployment.

Step 7

Check the Continue with upgrade on failure check box if you want to continue with the upgrade even if the upgrade fails on any of the Policy Service Nodes in the upgrade sequence.

This option is not applicable for the Secondary Administration Node and the Primary Monitoring Node. If either of these nodes fails, the upgrade process is rolled back. If any of the Policy Service Nodes fail, the Secondary Monitoring Node and the Primary Administration Node are not upgraded and remain in the old deployment.
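
The sequencing rule from Step 6 and the failure behaviour from Step 7 can be modelled before the maintenance window to see which nodes would be left in the old deployment. This is an added example, not Cisco tooling or code from the original post; the role labels (SAN, PMNT, PSN, SMNT, PAN), the node, repository and bundle names, and the behaviour when the check box is left unchecked are assumptions.

```python
# Added example: node names and role labels below are constructed for illustration.
ORDER = ["SAN", "PMNT", "PSN", "SMNT", "PAN"]  # upgrade order described in Step 6
CRITICAL = {"SAN", "PMNT"}                     # Step 7: a failure here rolls back

SAMPLE_NODES = {"ise-pan": "PAN", "ise-san": "SAN", "ise-pmnt": "PMNT",
                "ise-smnt": "SMNT", "psn-b": "PSN", "psn-a": "PSN"}

def plan_sequence(nodes):
    """nodes maps node name -> role; returns the names in the Step 6 order."""
    roles = list(nodes.values())
    unknown = sorted(set(roles) - set(ORDER))
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    for role in ("SAN", "PMNT", "SMNT", "PAN"):
        if roles.count(role) != 1:  # the guide assumes one admin and one monitoring pair
            raise ValueError(f"expected exactly one {role}")
    return sorted(nodes, key=lambda n: (ORDER.index(nodes[n]), n))

def same_bundle(selection):
    """selection maps node -> (repository, bundle). Repositories may differ
    per node, but the bundle must be identical on all nodes (Step 4)."""
    return len({bundle for _repo, bundle in selection.values()}) == 1

def simulate(nodes, failed, continue_on_failure=False):
    """Return (result, {node: state}) when the nodes named in `failed` fail."""
    seq = plan_sequence(nodes)
    state = {n: "old deployment" for n in seq}
    incomplete = False
    for name in seq:
        role = nodes[name]
        if role in ("SMNT", "PAN") and incomplete:
            break  # after a PSN failure these remain in the old deployment
        if name in failed:
            if role in CRITICAL:
                # Simplification: after rollback no node is in the new deployment.
                return "rolled back", {n: "old deployment" for n in seq}
            state[name] = "failed"
            incomplete = True
            if role != "PSN" or not continue_on_failure:
                break  # assumption: without the check box the sequence stops here
            continue
        state[name] = "upgraded"
    return ("partial" if incomplete else "complete"), state

if __name__ == "__main__":
    print(plan_sequence(SAMPLE_NODES))
    print(simulate(SAMPLE_NODES, {"psn-a"}, continue_on_failure=True))
```
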

Step 8

Click Upgrade to begin the deployment upgrade.

Figure 2. Upgrade Window Showing the Upgrade Progress

The upgrade progress is displayed for each node. On successful completion, the node status changes to Upgrade Complete.

Note   

When you upgrade a node from the Admin portal, if the status does not change for a long time (and remains at 80%), you can check the upgrade logs from the CLI or the status of the upgrade from the console. Log in to the CLI or view the console of the Cisco ISE node to view the progress of upgrade. You can use the show logging application command to view the upgrade-uibackend-cliconsole.log and upgrade-postosupgrade-yyyymmdd-xxxxxx.log.

You can view the following upgrade logs from the CLI using the show logging application command:

  1. DB Data Upgrade Log
  2. DB Schema Log
  3. Post OS Upgrade Log

In case you get a warning message: The node has been reverted back to its pre-upgrade state, go to the Upgrade window, click the Details link. Address the issues that are listed in the Upgrade Failure Details window. After you fix all the issues, click Upgrade to reinitiate the upgrade.

Note   

If the posture data update process is running on the Primary Administration Node in the new deployment, you cannot register a node to the Primary Administration Node. You can either wait till the posture update process is over (which might take approximately 20 minutes) or disable the posture auto-update feature from the Updates window while upgrading or registering a node to the new deployment. To view this window, click the Menu icon and choose Administration > System > Settings > Posture > Updates.

Step 4: Post-Upgrade Tasks
After successfully upgrading to Cisco ISE 3.2, there are several post-upgrade tasks to complete:

  1. Update Documentation: Update your network documentation, including configuration files, diagrams, and procedures, to reflect the changes introduced by the upgrade.
  2. Review Logs and Alerts: Monitor system logs and alerts for any signs of performance issues or configuration errors post-upgrade. Address any issues promptly to maintain the integrity of your network security posture.
  3. Training and Knowledge Transfer: Provide training to relevant staff members on the new features and capabilities introduced in Cisco ISE 3.2. Ensure that administrators are familiar with any changes to the user interface or configuration options.

Conclusion:
Upgrading Cisco ISE from version 2.7 to 3.2 is a critical task that requires careful planning, preparation, and execution. By following the steps outlined in this guide and adhering to best practices, you can ensure a smooth and successful upgrade process, minimizing downtime and maintaining the security and efficiency of your network environment. Remember to consult the official Cisco documentation and seek assistance from Cisco support resources if you encounter any challenges during the upgrade journey.