ISE distributed deployment upgrade

My client has an ISE deployment with 4 nodes: primary and secondary Admin/coach and 2 Policy Servers. The Admin nodes are virtual machines; the policy nodes are 3315 devices.

The system was installed nearly three years ago with version 1.1.0... It seems that the system never had problems, so it has never been patched or upgraded. Why fix something that works well?

Today there was a problem because of expired certificates, so during the review to get the system up and running again, the issue of the upgrade came into the conversation. We would love to upgrade to the latest supported version, so I am asking for a few tips and ideas for planning the upgrade.

I have some doubts:

Can the 3315 device support version 1.3 without problems?

I know that the upgrade procedure is essentially the installation of a .tar file, but I'm not clear on how the process must go in a distributed deployment. I have run upgrades on stand-alone systems, but never in a distributed deployment. So do I need to upgrade the main Admin only, and the other nodes would upgrade automatically?

Do I need to upgrade from 1.1 to 1.2 first, then 1.2 to 1.3?

I understand version 1.1 is 32-bit and versions 1.2 and 1.3 are 64-bit, so I guess that the process could take a long time (maybe a few hours), so a maintenance window would need to be 3 or 4 hours for the whole system to become stable.

Can you give me some tips and suggestions to avoid the major problems?

Kind regards.

Daniel Escalante.

Hardware support and Personas for ISE 1.3 include 3315

http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/Release_notes/ise1...

You can proceed to ISE 1.3 from 1.2 or 1.2.1

http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/upgrade_guide/b_is...

Tags: Cisco Security

Similar Questions

  • ISE distributed deployment and license management

    Hello

    I have 2 x ISE-VM-K9= licenses, and I want to deploy ISE in Standalone mode with HA.

    I.e., have 2 boxes, Node1 and Node2, each hosting all three personas and closely located in 1 data center.

    So, I want to have a third box, Node3, in a remote data center (only for DR purposes).

    What is the best way to design it?

    1. Have nodes 1 and 3 in a host group and use them as AAA primary, with node 2 as secondary

    2. Have Node1 and Node2 in a local host group, then Node3 in another host group

    I'm worried about the licence condition of the 2nd option.

    Any thoughts?

    Regards

    Sergeant

    Do you mean a PSN node group when you say "host group"?

    License-wise, all the nodes in an ISE deployment share the licenses installed on the PAN.

  • ISE distributed deployment

    Hi all

    We have a primary and secondary headquarters in the United Kingdom and then larger branches in Europe and the United States. Total number of users is ~ 2500

    What we're trying to do is deploy a primary admin, monitoring and policy services node in HQ1, a secondary admin, monitoring and policy services node in HQ2, and then policy services nodes in Europe and the United States. Is this deployment supported? I have read the documentation for distributed deployments and it suggests having separate policy nodes for all sites; however, I don't know if this is necessary in all scenarios such as ours.

    Can someone please help?

    Hello

    Ideally, the setup should work over the WAN link. Just ensure low latency in the environment and network settings.

    Please rate as correct if this helps!

    Regards

    Gagan

  • Which is the WLC RADIUS accounting server in a distributed ISE deployment: the PSN or the MnT node?

    Hello

    In the WLC configuration for the RADIUS accounting server in a distributed ISE deployment, which server is the RADIUS accounting server: the Policy Service node(s) or the Monitoring node(s)?

    As always, I appreciate your reply.

    Mike

    Hi Mike,

    The WLC must be configured to send authentication and accounting to the PSN. Monitoring nodes are (among other functions) where the PSN logs are sent.

    see you soon,

    SEB.

  • Postgres vRA distributed deployment configuration

    Hello

    We are planning a distributed deployment of vRA 6.2.2 and have a question around the Postgres SQL Server implementation. The documentation talks about a clustered DB server between the vRA devices. Does a vRA distributed deployment require a clustered vPostgres, or can I set up a single separate instance of Postgres and point the two vRA devices to it?

    We do not want a clustered DB server unless it is mandatory for vRA.

    If a single Postgres can meet the requirement, is there any specific configuration in the DB to let the two vRA devices connect?

    Yes, you can use a single Postgres and it works without any problem. And there is no specific requirement as such. It is usually recommended to have Postgres clustered for HA.

  • Right way to restart the ISE PSN node in a distributed deployment

    Hi all

    Two of my ISE nodes (in a 1.2, 8-node deployment) have expired admin CLI passwords (I know I'm stupid!)

    One is the secondary MnT node and one is a PSN node (1 of 4).

    I have some information on what I need to do to get a new password, but do I have to deregister the nodes first, or can I just restart them?

    Will my other three PSN nodes automatically re-authenticate users when the PSN node restarts, or should I request downtime?

    Thanks for any help in advance

    Mark

    Right, shouldn't be a problem.  You certainly wouldn't want to remove it - you'd only do that if you needed to reimage or something like that.

    Just as a tip, if you are only talking about wireless use cases, you could always disable this particular PSN from the RADIUS Authentication and RADIUS Accounting servers globally (not on the WLAN).  If you make a change to the WLAN, it will "bounce" the WLAN.  But if you globally "admin disable" that particular PSN, it will just keep the WLC from using that PSN until you turn it on again.

    Tim

  • Change password for local administrator on Cisco ISE in distributed deployment

    Hi guys,

    I manage four Cisco ISEs in a distributed environment.

    The first ISE is the Admin, the second ISE is Monitoring, and the third and fourth are the PSNs.

    We use local authentication. We want to change the password for the admin user name.

    - Does that by any chance break the connection between the ISEs, or will the new password be pushed to each of them?

    There is no possibility to change the passwords on the PSNs, as the Administration tab is not available.

    I know that when I create a new user, it is pushed to all ISEs.

    Thank you.

    Serge.

    Serge,

    Good question.  Once I read this question, I had to know, so I tried this in my lab.

    I changed the admin password and, once the change succeeded, I had to log in to ISE using the new password.  Then I noticed on my dashboard that communication between my admin node and my PSN was green.  YAY.  I went to the Deployment page and could access the configurations for the nodes.

    To be sure, I logged in to the secondary node using the NEW PASSWORD.  So, yes, not only does communication NOT break, the new password is pushed down to all nodes.

    Please rate useful posts and mark this question as answered if this does, in fact, answer your question.  Otherwise, feel free to post additional questions.

    Charles Moreton

  • not able to open ISE GUI post upgrade

    Hello

    We have ISE set up on a VM.

    We recently did an upgrade. After the upgrade, the app was working fine until recently; now we are not able to open the ISE GUI.

    It says it cannot display the page, regardless of the browser that we use.

    Curiously, the ISE background operations are working well.

    On Chrome, I get the reason: ERR connection reset.

    Same on FF.

    On IE it says to restart the modem or the firewall (there is nothing between the two, though).

    I'm not sure how to proceed on this.

    If someone has had a similar problem and has a solution, please help.

    Thanks in advance.

    Nick

    The output "initialization of the Server Application" indicates that the ISE application server service failed to start or is stuck at initialization. I came across this problem before. You can try the following:

    1. From the CLI, issue:

    application stop ise
    application start ise

    Wait 15-20 min, then recheck both the GUI and the CLI.

    2. If the above didn't help, restart the ISE servers by running the following command in the CLI:

    reload

    3. In addition, make sure that you have the latest patch installed.

    Thank you for rating useful posts!

  • lost access to ISE GUI after upgrade

    I upgraded ISE 1.3 to 2.0 and lost not only my integration with Active Directory, but also the local GUI account. I still have access to the command line, and I know that the admin user/pass there are different from those of the GUI, but you can see them in the command line, although the command is different from the ordinary one:

    JOEblow username pass plain SOandSO

    If anyone can post a sanitized copy of the show run. user b, I anticipate that we could recreate the local GUI credentials from the command line, if you still have access to it. I don't know what the exact command is.

    The document below is specifically about integration with Active Directory, but not this problem:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-0/Release_notes/ise2...

    Admin user cannot access the ISE login page post upgrade

    As far as I know, the only username syntax that exists for ISE is for creating the CLI user account, not the GUI one.

    Here is the link to the command

    ~ Jousset

  • ISE 1.3 upgrade error: ISE global data upgrade failed!

    Hello

    Has anyone encountered this problem? When you upgrade, it seems to start all right, but then this happens:

    -Data Update step 40/67, CertMgmtUpgradeService (1.3.0.616)... % error: data ISE overall upgrade failed!

    Restore the configuration database...
    Start the application after cancellation...

    % Error: the node has been restored to its state of pre-upgrade.
    Upgrade or install application % cancelled.

    I also upgraded to the latest patch and tried again, but nothing helped. It is a device (3415) which comes with 1.2. It is not configured beyond the initial CLI wizard. I have upgraded a fair few devices, but I have not seen this problem before. Any thoughts?

    Thanks in advance for any info...

    If it is a test setup, you can do a fresh install, back up the existing ISE config and restore it on 1.3. If it's production, then contact TAC.

  • ISE 2.0 upgrade Bug

    Hi all

    just a quick question related to the bug

    https://Tools.Cisco.com/bugsearch/bug/CSCux72796

    According to the suggestion, after having changed the permission to static and upgraded to 2.0, can we return to dynamic?

    Thanks in advance

    Lance

    Lance,

    Yes, you can put it back to dynamic after the upgrade.

    Javier Henderson

    Cisco Systems

  • ISE 2.0 to 2.1 upgrade

    Hi Forum. I have 8 ISE nodes. This includes dedicated primary and secondary admin and monitoring nodes, and the rest are PSN nodes. I want to upgrade from 2.0 to 2.1, but I'm not sure how this should be accomplished and who's in charge. Does anyone have experience upgrading from 2.0 to 2.1 with a distributed deployment?

    Hello

    To upgrade your deployment with as little downtime as possible, while providing maximum resilience and the ability to roll back, the upgrade order should be as follows:

    1. Secondary Administration node (the Primary Administration node at this point remains at the previous version and can be used to roll back if the upgrade fails).

    2. Primary Monitoring node

    3. Policy Service nodes

    At this point, verify whether the upgrade was successful and also run network tests to ensure that the new deployment works as expected. See the upgrade verification process for more information. If the upgrade was successful, continue to upgrade the following nodes:

    4. Secondary Monitoring node

    5. Primary Administration node

    Re-run the upgrade verification and network tests after you upgrade the Primary Administration node.

    Please follow this reference guide:

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-1/upgrade_guide/b_is...

    Regards

    Gagan

    PS: rate if this can help!

  • Upgrade to version 1.2 of ISE

    My company's ISE is installed in a virtual machine, and we have a plan to upgrade ISE from 1.1.1.268 to 1.2. I've read through all the documentation, and it requires upgrading the VM from 32-bit to 64-bit.

    But I am confused about the VM part. If my current 32-bit virtual machine is running 1.1.1.268, am I still able to use the "application upgrade" command to directly do the upgrade with "ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz"? What about the VM part? Would I have to manually change the virtual machine from 32-bit to 64-bit, or is it done automatically as in the message below? Sorry, I'm not a VM guy and not sure about this part.

     Generating Database statistics for optimization .... - Preparing database for 64 bit migration... % NOTICE: The appliance will reboot twice to upgrade software and ADE-OS to 64 bit. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete. Rebooting to do Identity Service Engine upgrade...

    Should I be concerned about the license and certificate after the upgrade?

    I'm not a VM guy either, but if you follow the instructions in the link, you should be fine. The tasks that you mentioned are tasks that occur automatically when you perform the upgrade procedure. Once this process is complete, you will need to change the settings for the virtual machine. So if you have a single ISE node you will need to:

    1. Run the upgrade process

    2. Power off the virtual machine

    3. Set in VMware:

    - Type of OS (required)

    - RAM (optional) - check the ISE hardware installation guide

    - CPU (optional) - check the ISE hardware installation guide

    4. Power the virtual machine back on and test it

    If you have a distributed deployment, then you will need to follow the instructions for it.

    The document/link also answers your question about certificates and license files:

    The upgrade process preserves licenses and certificates. You don't have to reinstall or reimport them. Cisco ISE, version 1.2, supports license files with two unique device identifiers (UDIs). You can request a new license with the UDIs of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for more details.

    Thank you for rating useful posts!

  • ISE upgrade problem

    I tried to upgrade ISE in a stand-alone deployment from 1.2.1.198 to 1.3

    - My file name and size are identical to what I see on the cisco.com download page (name: ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz, size: 4.02 GB (4,326,538,352 bytes))
    - I used the following commands and both give the same error:

    application upgrade prepare ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE
    application upgrade ise-upgradebundle-1.2.x-to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE

     
    ISE-application STANDALONE # upgrade ise-upgradebundle - 1.2.x - to-1.3.0.876.repackaged.x86_64.tar.gz UPGRADE
    Save the current running of ADE-OS configuration? (yes/no) [Yes]? Yes
    Building configuration...
    Save the current configuration of ADE-OS at startup

    Get the package to the local computer.
    MD5: 76e17877c2fb70d1006a20780fbf5b98
    SHA256: 461a0931c2f498399d96f195b1ab3d196fe7694f6e0cc2b4cb75928aced5f1c7
    % Please confirm above cryptographic hash matches that which is available on the Cisco download site.

    The download's file size and MD5 exactly match what Cisco published, but the SHA algorithm is different:
    The Cisco download site shows SHA512 Checksum: ea2e5eee527c145eb971e2a7806e6185

    The ISE output: sha256: 461a0931c2f498399d96f195b1ab3d196fe7694f6e0cc2b4cb75928aced5f1c7

    Can someone please advise what the problem is with the above steps, or how to fix the above error?

    Check that your SHA512 hash matches using an external checker (such as http://download.cnet.com/MD5-SHA-Checksum-Utility/3000-2092_4-10911445.html ).

    Then use the same utility to calculate the SHA256 before transferring the file to ISE. That allows you to check it.
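
An added example (not part of the original posts, and not Cisco code): a Python version of the check the reply describes. It computes MD5, SHA256 and SHA512 of the bundle on the workstation and compares a published value only against the digest of the same algorithm, using the hex length to catch a value that cannot belong to the algorithm it is labelled with. The function names are assumptions made for this example.

```python
import hashlib
import hmac
import sys
import tempfile

# Hex-digest length -> algorithm (only the three named in the thread).
# A digest is only comparable with one produced by the same algorithm.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256", 128: "sha512"}


def infer_algorithm(hex_digest):
    """Return the algorithm whose digest length fits this hex string."""
    cleaned = hex_digest.strip().lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a hex digest")
    if len(cleaned) not in ALGO_BY_HEX_LEN:
        raise ValueError(f"unexpected digest length {len(cleaned)}")
    return ALGO_BY_HEX_LEN[len(cleaned)]


def file_digests(path, algorithms=("md5", "sha256", "sha512"), chunk=1 << 20):
    """Read the file once in 1 MiB chunks and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def check_published(path, label, published):
    """Compare a published checksum with the file on disk.

    Returns (status, algorithm): "match", "mismatch", or "label-mismatch"
    when the value's length does not fit the algorithm it is labelled as.
    """
    fits = infer_algorithm(published)
    if fits != label.lower():
        return "label-mismatch", fits
    computed = file_digests(path, (fits,))[fits]
    same = hmac.compare_digest(computed, published.strip().lower())
    return ("match" if same else "mismatch"), fits


if __name__ == "__main__":
    # Usage: script.py <bundle> <label> <published-hex>
    # With no arguments, run on a small constructed file instead of a bundle.
    if len(sys.argv) == 4:
        bundle, label, published = sys.argv[1:4]
    else:
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(b"constructed sample, not a real bundle\n")
        bundle, label = tmp.name, "sha256"
        published = file_digests(bundle, ("sha256",))["sha256"]
    status, algo = check_published(bundle, label, published)
    print(f"{label}: {status} (value has the length of a {algo} digest)")
```

Run against the values quoted in the thread, the 64-character value ISE printed fits SHA256, while the 32-character value quoted as SHA512 is reported as a label mismatch, because a full SHA512 digest is 128 hex characters.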

  • ISE 1.3 Distributed environment

    Hi all

    In a network with two main campuses and 10 remote offices (3000 in total), to implement distributed Cisco ISE 1.3 we want to buy 2 SNS-3415-K9 appliances for the monitoring/administration/policy roles and 10 VMs as Policy Service nodes, but we found that a distributed environment has a pair of inline posture nodes. Do we need to buy another two appliances or VMs for inline posture?

    Well, it has not been officially said by Cisco, but it has already been removed from the SNS-3495, so I would say that this isn't something that we should design a new ISE solution with.

    No, the secondary PAN/MnT will handle the same as the main one; you cannot split your PSNs between PAN/MnT nodes.

    "You're telling me that if a remote office fails, I lose the PSN...?"

    Don't know what you're asking?
