- #CISCO ISE 2.4 PROMOTE SECONDARY TO PRIMARY INSTALL#
- #CISCO ISE 2.4 PROMOTE SECONDARY TO PRIMARY UPGRADE#
You can import those back into the server instead of needing to purchase a new SSL certificate. Remember backing up the SSL certificate and private key? This is why.Set up the node with the exact settings (IP, hostname, etc.) it had before the reload.This will give you a clean server to later join to the new deployment running ISE 2.4.
Boot the node from the ISO and perform a full install from the ISO you mounted. You do not need to wait for the services on the now stand-alone node to fully come back online before starting the next step. Not necessary if it is the last node to be reloaded. Before rebooting the node in order to boot from the ISO, you should remove it from the old deployment. 
Connect to the node’s CIMC and utilize the virtual KVM to mount the Cisco ISE installation ISO. This will be a fresh install and not an upgrade for the remaining nodes. Once the node finishes upgrading and is fully online (verify, verify, verify), it’s time to reload the other nodes starting with one of the PSNs. fully distributed deployment), I still upgrade the secondary PAN and primary MnT nodes and then continue. If it has lost its connection, rejoin the domain. Verify it is connected to your AD in External Identity Sources (if it was previously). All configuration (ie Policy Sets) is retained during the upgrade so the new primary PAN/primary MNT will have your configs. This node will become the primary PAN/primary MNT in the new deployment. Running an upgrade will automatically remove it from the previous deployment. When an upgrade is performed, a “new” deployment is formed because you can only have nodes running the same version of ISE in a deployment. Your chances of this happening are very high according to Murphy’s Law so don’t take the chance. Losing the SSH connection during the upgrade (before a reboot) will cause the upgrade to fail and there is no rollback. Either physically plug into the server with a keyboard and monitor or connect to the virtual KVM via the CIMC. IMPORTANT: Do NOT run the upgrade via SSH. Upgrade the secondary PAN/primary MNT node. Prepare the upgrade on the secondary PAN/primary MNT node following the CLI upgrade guide. Especially how the Profiling Configuration is set up if this is a PSN. Make a note how the node is configured (Administration > System > Deployment > ). Make a note of the services/portals the SSL certificates are assigned to so you can assign them again later. The certificate and private keys are vital for the next steps when the nodes are reloaded (not upgraded). The URT will save you a lot of headache from a failed upgrade. Follow all the steps found in the Cisco guide to prepare for the upgrade. Use this in order to mount the ISO in a remote KVM session. All nodes running Cisco ISE 2.3 to be upgraded to 2.6. 2 physical servers (35×5) running as PSNs. 
2 physical servers (35×5) running the PAN and MNT personas.For this example, let’s assume we have the following deployment: There is no need to restore backups from previous versions (unless something bad happens but that’s different). Here is the way I’ve been doing them since 1.x and I’ve had a lot of success. Cisco has their way ( ISE 2.4 upgrade guide) of performing an ISE deployment upgrade using the CLI or GUI.
0 kommentar(er)
