Menu

Cisco ISE || 2.7p9 to 3.1p7 upgrade experience

7 node deployment (2xPAN/MnT, 4xPSN, 1xPxGRID), preloaded upgrade file to each ISE node local disk to save time, converted licenses to 3.1 model on Smart license portal with TAC assistance. In Virtual ISE deployment, I suggest downloading the 3.1 new install image and making sure you have access to virtual infrastructure. In large deployment plan for large maintenance window.

  • Started with URT bundle on secondary PAN/MnT, install/validation failed, had TAC look at it, some weird db error, reboot cleared it
  • After successful URT install it reported 10 hours upgrade for PAN/MnT, ran “application configure Iise” >> opt3[Purge MnT data], after that time dropped to 1.5 – 2 hours
  • Started upgrade in GUI on Friday evening with the option to stop on failure.
  • Secondary PAN/MnT upgraded OK, added to Smart Licenses portal, next one was PxGRID node and it failed. Took about 1.5 hours to roll back. I could not proceed any further until it was done.

At this point if you are having issues with upgrade of secondary PAN/MnT I suggest to de-register, re-image to 3.1 and restore from back up.

  • Since secondary PAN/MnT upgraded fine I decided to proceed again with an upgrade in GUI, rearranged nodes, and staged PSNs to be upgraded first.
  • 1st PSN upgraded OK, the next one failed and took another 1.5 hours to roll back but at least I had 1 node working on 3.1 and could finish the upgrade through the reimaging if I had to.
  • After another call to TAC, nothing was found in the logs, the suggestion was to re-image to 3.1 and join to upgraded PAN/MnT
  • Decided to reboot PSN and restarted the upgrade on it again. At the same time dis-joined PxGRID and ran the upgrade as stand-alone from CLI.
  • After the reboot PSN GUI upgrade succeeded and moved on to the next 3 PSN’s
  • PxGRID upgrade was also successful and manually joined to 3.1 PAN/MnT with no issues
  • When the last PAN/MnT node was upgrading it failed, and a 1.5-hour rollback failed also. Reboot made no change, TAC did not find anything fixable in the logs. The suggestion was to re-image and rejoin to 3.1 deployment
  • After re-image and cert re-import, it was joined successfully and the upgrade was finally complete.
  • After promoting PAN/MnT to primary I had to reset ISE root certs and reset Smart license registration due to Alerts.

Post Navigation

Cisco FTD || 7.0.4 || ERROR CdStartupThread:163 – Exception while initializing CD

Leave a reply:

Your email address will not be published.

Site Footer

FINKOTEK.COM © 2019

Sliding Sidebar

Tags

4100 Alerts Anyconnect Avaya BIG-IP LTM Bridge Interface BYOD Catalyst 9k CEO fraud Certificates Cisco ASA Cisco FirePOWER Cisco ISE Cisco Nexus Cluster Configuration DNAC DUO Dynamic VPN email scam ESA eStreamer FirePOWER FMC FTD Guest License LWAP Mobility Express Policy pxGrid Reporting restore SMA SNMP SNTC Sourcefire Threat Defense Troubleshooting update upgrade User Agent VPN WLC Zone

Disclaimer

Privacy