Roger Perkin

Learn Network Automation

If you are running any version of Cisco ISE there is always going to be a time when you need to upgrade.

Cisco Identity Services Engine Upgrade

There are five basic steps to performing your upgrade

1. Verify your upgrade path

Depending on what version you are currently running will determine that steps you need to take to upgrade to the latest version. If you are upgrading from version 2.4 to 2.6 – this is a one step easy upgrade.

However if you are upgrading from a version earlier than 2.1 you will have to upgrade to 2.1 before going to 2.6

So I only have to download the latest ISE 2.6 upgrade software.

2. Prepare your system for the upgrade

This step requires creating a repository, uploading the upgrade image and the upgrade readiness tool if you want to use that.

3. Perform the upgrade

This step can be very easy if you are upgrading a standalone note or just a Primary & Secondary. It becomes a bit more involved if you have lots of policy service nodes, you just have to work out the correct sequence.

4. Install the latest patch for your version

Once you have upgraded ISE there will normally be a latest patch to install. This is a best practice step and advised to ensure you are running the latest stable version.

5. Verify correct operation

Once you have upgraded you need to verify that ISE is operating correctly, the best way is to just watch the live logs and make sure authentications are happening as normal.

OK, let’s start the ISE upgrade!

So I am going to be upgrading an ISE 2.4 to 2.6. At the time of writing 2.6 is the latest version.

This is a direct upgrade so I only have to download the ISE 2.6 upgrade image. This can be found on the Cisco download page for ISE 2.6 at the bottom.

https://software.cisco.com/download/home/283801620/type/283802505/release/2.6.0

cisco ise upgrade 2.4 to 2.6 software download page

Keep scrolling to the bottom!

cisco ise upgrade readiness tool download page

You need to download the Upgrade bundle. This is for upgrading ISE from version 2.6 from 2.1 upwards. So it covers 2.1, 2.2, 2.3, 2.4 (there is no ISE 2.5)

While you are there you can also download the upgrade readiness tool (URT) this is not required but it is an ISE upgrade best practice.

The tool will check your current ISE installation and warn of any potential issues that could affect the upgrade.

Create a repository

We now need to create a repository on ISE so we can upload the upgrade bundle and the URT.

To create a repository in ISE head over to
Administration / System / Maintenance – then click on Repository

create repository ise

As you can see I have no repositories created so I am going to click on Add to create one. You will then have to enter the details of your server. This is however you plan to upload the images. I used FTP and use Filezilla server for this as I find it handles larger images better.

cisco ise upgrade ftp repository filezilla server settings

Click Submit

Now head over to
Administration / System / Upgrade

Click the Upgrade tab and you should see this screen

cisco ise upgrade screen

You have to agree to this screen that you have read and taken action on all the options before you proceed (you don’t have to action on every item, but you are well advised to do so!)

The main one here is a backup of the configuration and certificates as worse case scenario if the upgrade goes horribly wrong you can re-install ISE and restore from the backup.

I am not going to detail how to backup Cisco ISE here, but we will assume that you have been backing up your ISE installation every night since installation and you can tick that one off!

Once you have reviewed the check list and are happy you have covered everything, tick the box and the green Continue button will light up and you can click it.

You will now see that the bundle is not in the repository, as we have not uploaded it yet, so let’s do that.

Prepare the upgrade bundle

So you should now have downloaded 2 files from Cisco

  1. The Upgrade Bundle – in my case ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz
  2. The URT – ise-urtbundle-2.6.0.156-1.0.0.SPA.x86_64.tar.gz

Make sure you have these in a folder where your FTP server can access them. I am using Filezilla Server and have set it up as follows.

filezilla settings for cisco ise upgrade

I have created a user called roger and mapped that users shared directory to C:\users\roger\Downloads\ISE

This is where I will have my images saved.

You can now upgrade using the GUI or the CLI. I will detail both options here.

Upgrade via GUI

To upgrade using the GUI head over to Administration / System / Upgrade

Click on the Upgrade tab next to Overview and then select which node you want to upgrade first.

In my case it is a standalone node. Then click the Download button

You then need to select your repository and ISE will show you all files you have in that repository filtered by any that include ise-upgradebundle.

You should see your image, select it and then hit confirm, then begin download.

You should see your file start loading with a progress bar showing how much has been upgraded.

Once the image has been uploaded you are prompted to reload, your system should reload and come back running ISE 2.6

ISE Upgrade via CLI and using URT

The steps using the CLI are use the URT if you want to check everything before you proceed with the upgrade and then if your happy initiate the upgrade from the CLI

Cisco ISE Upgrade Readiness Tool

Now we can run the URT tool. This will perform a check if the system is ready for an upgrade. If it finds any issues it will report them so you can address before performing the real upgrade.

To run the upgrade readiness tool simply enter the command 

application install ise-urtbundle-2.6.0.156-1.0.0.SPA.x86_64.tar.gz <repository-name>

It will upload the file and then run through a series of checks as below. It will warn you that it might take up some resources which you have to acknowledge.

It also warns you that the URT is 486 days old and it’s verion 1.0.0. It always says this! We have downloaded the latest version from Cisco.

80Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...

###########################################
# Installing Upgrade Readiness Tool (URT) #
###########################################

Checking ISE version compatibility
- Successful

Checking ISE persona
- Successful

Along with Administration, other services (MNT,PROFILER,SESSION) are enabled on this node. Installing and running URT might consume additional resources.
Do you want to proceed with installing and running URT now (y/n):y

Checking if URT is recent(<45 days old)
- Note: URT is 486 days old and its version is 1.0.0. There might be a recent URT bundle on CCO, please verify on CCO
Do you want to proceed with this version which is 486 days old (y/n):y
Proceeding with this version of URT itself

Installing URT bundle
- Successful

########################################
# Running Upgrade Readiness Tool (URT) #
########################################
This tool will perform following tasks:
1. Pre-requisite checks
2. Clone config database
3. Copy upgrade files
4. Data upgrade on cloned database
5. Time estimate for upgrade

Pre-requisite checks
====================
Disk Space sanity check
- Successful
NTP sanity
- Failed
Appliance/VM compatibility
- Successful
Trust Cert Validation
The certificate has expired.
Trust certificate with friendly name 'Default self-signed server certificate' is invalid: The certificate has expired.
The certificate has expired.
Trust certificate with friendly name 'VeriSign Class 3 Secure Server CA - G3' is invalid: The certificate has expired.
% Error: One or more trust certificates are invalid (see above), please re-import valid CA Certificate(s) before continuing. Upgrade cannot continue.
- Failed
System Cert Validation
The certificate has expired.
System certificate with friendly name 'Default self-signed saml server certificate - CN=SAML_ise.securitydemo.net' is invalid: The certificate has expired.
The certificate has expired.
System certificate with friendly name 'Default self-signed server certificate' is invalid: The certificate has expired.
% Error:  One or more system certificates are invalid (see above), please update with valid system certificate(s) before continuing. Upgrade cannot continue.
/opt/CSCOcpm/upgrade/bin/isedbupgrade-functions.sh: line 101: [: -le: unary operator expected
- Failed
Invalid MDMServerNames in Authorization Policies check
- Successful
3 out of 6 pre-requisite checks passed
Some pre-requisite checks have failed. Hence exiting...

Final cleanup before exiting...

Collecting log files ...
- Encrypting logs bundle...
Please enter encryption password:  
Please enter encryption password again to verify: 
Encrypted URT logs(urt_logs.tar.gpg) are available in localdisk. Please reach out to Cisco TAC to debug
% Post-install step failed. Please check the logs for more details.
ise/admin# 
Disk Space sanity check
- Successful
NTP sanity
- Failed
Appliance/VM compatibility
- Successful
Trust Cert Validation
The certificate has expired.
Trust certificate with friendly name 'Default self-signed server certificate' is invalid: The certificate has expired.
The certificate has expired.
Trust certificate with friendly name 'VeriSign Class 3 Secure Server CA - G3' is invalid: The certificate has expired.
% Error: One or more trust certificates are invalid (see above), please re-import valid CA Certificate(s) before continuing. Upgrade cannot continue.
- Failed
System Cert Validation
The certificate has expired.
System certificate with friendly name 'Default self-signed saml server certificate - CN=SAML_ise.securitydemo.net' is invalid: The certificate has expired.
The certificate has expired.
System certificate with friendly name 'Default self-signed server certificate' is invalid: The certificate has expired.
% Error:  One or more system certificates are invalid (see above), please update with valid system certificate(s) before continuing. Upgrade cannot continue.
/opt/CSCOcpm/upgrade/bin/isedbupgrade-functions.sh: line 101: [: -le: unary operator expected
- Failed
Invalid MDMServerNames in Authorization Policies check
- Successful
3 out of 6 pre-requisite checks passed
Some pre-requisite checks have failed. Hence exiting...

Final cleanup before exiting...

Collecting log files ...
- Encrypting logs bundle...
Please enter encryption password:
Please enter encryption password again to verify:
Encrypted URT logs(urt_logs.tar.gpg) are available in localdisk. Please reach out to Cisco TAC to debug
% Post-install step failed. Please check the logs for more details.
ise/admin#

I have 2 small problems

So after running the upgrade readiness tool it warned me that I have two issues. Firstly NTP is not working and secondly my self signed certificate has expired.

Both these issues will stop me upgrading this lab ISE node so need to be addressed.

Change NTP server

To change the NTP server in ISE head over to
Administration / System / Settings / System Time

Enter a valid NTP server in here and click save

cisco ise change ntp server

As this is a lab node I have just entered pool.ntp.org, however in production ensure this is pointing to a valid NTP server.

If this is a production node, this should already be setup!

You can verify the NTP status from the CLI as below 

ise/admin# sh ntp 
Configured NTP Servers: 
  80.86.38.193
  81.128.218.110

synchronised to NTP server (81.128.218.110) at stratum 2 
   time correct to within 16 ms
   polling server every 128 s

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     .LOCL.          10 l  54m   64    0    0.000    0.000   0.000
+80.86.38.193    .GPS.            1 u   10  128  377   14.231    4.706   1.505
*81.128.218.110  .GPS.            1 u   17   64  377   18.403    3.744   2.710

* Current time source, + Candidate , x False ticker 

Warning: Output results may conflict during periods of changing synchronization.

ise/admin#

The main things you need to pay attention to are certificates, but if these have expired they should be causing you issues now. Also disk space is another big problem. So I think we are good to proceed with the upgrade.

Deal with expired certificates

I had a self signed certificate that had expired, this will stop the upgrade process continuing. So I created a new self signed certificate and now the upgrade can continue.

Run the URT again

I now ran the upgrade readiness tool again and it completed and gave me an estimate that it will take 77 minutes to perform the upgrade.

This time will vary depending on the size of your database but it gives you a confidence check that the real upgrade will complete successfully. 

########################################
# Running Upgrade Readiness Tool (URT) #
########################################
This tool will perform following tasks:
1. Pre-requisite checks
2. Clone config database
3. Copy upgrade files
4. Data upgrade on cloned database
5. Time estimate for upgrade

Pre-requisite checks
====================
Disk Space sanity check
- Successful
NTP sanity
- Successful
Appliance/VM compatibility
- Successful
Trust Cert Validation
- Successful
System Cert Validation
- Successful
Invalid MDMServerNames in Authorization Policies check
- Successful
6 out of 6 pre-requisite checks passed

Clone config database
=====================
 [##--------------------------------------] 5% Validating connection to ISE data [####------------------------------------] 10% Validating available disk space  [######----------------------------------] 15% Extracting base database files   [##########------------------------------] 25% Cloning database                 [####################--------------------] 50% Exporting data from ISE database [##############################----------] 75% Importing data into cloned datab [########################################] 100%  Successful                                        

Copy upgrade files
==================
- N/A

Data upgrade on cloned database
===============================
Modifying upgrade scripts to run on cloned database
- Successful

Running schema upgrade on cloned database
- Running db sanity to check and fix if any index corruption
- Auto Upgrading Schema for UPS Model
- Upgrading Schema completed for UPS Model
- Successful

Running sanity after schema upgrade on cloned database
- Successful

Running data upgrade on cloned database
- Data upgrade step 1/20, NSFUpgradeService(2.5.0.129)... Done in 8 seconds.
- Data upgrade step 2/20, NSFUpgradeService(2.5.0.130)... Done in 4 seconds.
- Data upgrade step 3/20, NSFUpgradeService(2.5.0.168)... Done in 0 seconds.
- Data upgrade step 4/20, NSFUpgradeService(2.5.0.183)... Done in 0 seconds.
- Data upgrade step 5/20, NSFUpgradeService(2.5.0.196)... Done in 0 seconds.
- Data upgrade step 6/20, GuestAccessUpgradeService(2.5.0.199)... Done in 8 seconds.
- Data upgrade step 7/20, UPSUpgradeHandler(2.5.0.200)... Done in 5 seconds.
- Data upgrade step 8/20, LSDSettingsRegistration(2.5.0.225)... Done in 0 seconds.
- Data upgrade step 9/20, NSFUpgradeService(2.5.0.236)... Done in 0 seconds.
- Data upgrade step 10/20, CertMgmtUpgradeService(2.5.0.276)... Done in 11 seconds.
- Data upgrade step 11/20, ProfilerUpgradeService(2.5.0.288)... Done in 0 seconds.
- Data upgrade step 12/20, UPSUpgradeHandler(2.5.0.316)... Done in 2 seconds.
- Data upgrade step 13/20, UPSUpgradeHandler(2.5.0.320)... Done in 0 seconds.
- Data upgrade step 14/20, RegisterPostureTypes(2.6.0.103)... Done in 0 seconds.
- Data upgrade step 15/20, ProvisioningUpgradeService(2.6.0.103)... Done in 0 seconds.
- Data upgrade step 16/20, UPSUpgradeHandler(2.6.0.108)... Done in 0 seconds.
- Data upgrade step 17/20, UPSUpgradeHandler(2.6.0.154)... Done in 0 seconds.
- Data upgrade step 18/20, NSFUpgradeService(2.6.0.156)... Done in 0 seconds.
- Data upgrade step 19/20, ProfilerUpgradeService(2.6.0.156)... Done in 0 seconds.
- Data upgrade step 20/20, GuestAccessUpgradeService(2.6.0.156)... Done in 6 seconds.
- Successful

Running data upgrade for node specific data on cloned database
- Successful

Time estimate for upgrade
=========================
(Estimates are calculated based on size of config and mnt data only. Network latency between PAN and other nodes is not considered in calculating estimates)
Estimated time for each node (in mins):
ise(STANDALONE):77


Final cleanup before exiting...

Application successfully installed
ise/admin#

Now start the real CLI upgrade!

To upgrade Cisco ISE using the CLI enter the command

application upgrade prepare <ISE image> <repository>

ise/admin# application upgrade prepare ise-upgradebundle-2.1.x-2.4.x-to-2.6.0.156.SPA.x86_64.tar.gz FZ-FTP ?
  <cr>  Carriage return.

Hit return and ISE will start to upload the bundle, you should see the connection on our Filezilla server and the upload progress indicated.
You will not see any progress from within ISE

ise upgrade progress filezilla

Once the upload has completed, the package will be unbundled and then checked. This should complete with the following message 

Unbundling Application Package...
Verifying Application Signature...

Application upgrade preparation successful
ise/admin#

Now you can initiate the upgrade process with the command 

ise/admin# application upgrade proceed

This process could take a long time (many hours) so if you are upgrading a VM I would advise you log into the console, so you can see what is going on.

In my URT test it suggested it would take 77 minutes – your mileage will vary and is mainly dependant on the size of the database.

The last production upgrade I performed took over 3 1/2 hours per node so please make sure you allow enough time for this process.

My upgrade completed 148 minutes so allowing for 44 minutes to upload the image the estimate of 77 minutes was not far off. This is more to do with the fact it’s running on an under powered lab server!

The server then goes for a final reboot, if you are logged into VMWare console you will the progress

cisco ise upgrade vmware

You should be able to SSH into ISE now and if I do a show version I get this 

ise/admin# sh version 

Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.5.144
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2019 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise


% NOTICE: Identity Services Engine upgrade is in progress...


Version information of installed applications
---------------------------------------------
ise/admin#

Then finally you get the message you are wanting 

ise/admin# sh version

Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.5.144
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2019 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise


Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 2.6.0.156
Build Date   : Tue Feb 12 00:45:06 2019
Install Date : Tue Jun 16 13:41:18 2020

ise/admin#
how to upgrade cisco ise vm

The upgrade is complete, now we just need to install the latest patch.

Install latest patch

Now you have upgraded your Cisco ISE to the latest suggested software version, as a best practice you should also install the latest patch.

Head back to the Cisco download site and get the latest patch level for your chosen download. In my case 2.6 patch level 6

The latest patch will normally be at the top of the downloads.

https://software.cisco.com/download/home/283801620/type/283802505/release/2.6.0

cisco ise 2.6 patch 6 download latest

Once you have the patch downloaded head over to:

Administration > System > Maintenance > Patch Management > Install

ise 2.6 patch install

Click on Choose file and browse to where you have downloaded the ISE 2.6 patch. Click on Install

You will see the upload progressing in your browser (I am using Chrome and it shows in the bottom left.

cisco ise patch install

Verify

Once you have completed the ISE upgrade and latest patch install, you can verify the latest version with the CLI command

Also you need to perform any authentication tasks relevant to your environment to ensure ISE is operating correctly.

If you observe any issues you will have to troubleshoot or if the issue is more complex, you might have to log a call with Cisco TAC.

For the most part all the upgrades I have performed have gone very smoothly if all the preparation has been done.

I hope this short guide has helped you understand the Cisco ISE upgrade process. Whilst the best practices I have shared here will guide you through the process you should still perform this task with caution and not before you are sure you have a full backup. As, whilst in most cases the process runs smoothly, sometimes it does not and you need to be prepared for the scenario where your ISE might be down.

In the next post I will be covering ISE upgrades with multiple devices and covering which order to upgrade them in.

I will also cover the backup and restore upgrade.

Problems

If you get the error

Failed to create upgrade preparation directory. Try cleanup first

Something has gone wrong with the upgrade software, if you run the cleanup command you can then run the upgrade command again and you should proceed ok.

% Failed to create upgrade preparation directory. Try cleanup first.
ise/admin# application upgrade ?
  <WORD>   Application bundle file name (Max Size - 255)
  cleanup  Cleanup previous prepared bundle so as to prepare a new bundle
  prepare  Download and prepare application for upgrade
  proceed  Proceed with upgrade using local prepared bundle

ise/admin# application upgrade cleanup 

Application upgrade preparation directory cleanup successful
ise/admin#

Now if you run the upgrade command again it will continue.

Other ISE guides

Category:

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *