ISE Upgrade

Similar Messages

• ISE upgrade to version 1.2

  My company ISE is installed into VM, we got a plan to upgrade the ISE form 1.1.1.268 to 1.2. But I read through all the documentation it required VM upgrade from 32 bits to64 bits.
  But I have confused with the VM portion. If my current are 32 bits VM running for 1.1.1.268, am I still able to upgrade using the "application upgrade" command to direct do the upgrade "ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz". What about the VM portion? I should need to manually change the VM from 32 bit to 64 bit or it is done automatically like the message below? Sorry I'm not VM guy and not sure about this portion.
  Generating Database statistics for optimization ....
  - Preparing database for 64 bit migration...
  % NOTICE: The appliance will reboot twice to upgrade software and ADE-OS to 64 bit. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete.
  Rebooting to do Identity Service Engine upgrade...
  I should be worry about the license and certificate after the upgrade?

  I am not a VM guy either but if you follow the info on the link you should be fine. The tasks that you have outlined are tasks that happen automatically when you run the upgrade procedure. After that process is done, you will have to change the VM settings. So if you have a single ISE node you will need to:
  1. Run the upgrade process
  2. Power off the VM
  3. Adjust in VM Ware:
  - Type of OS (Mandatory)
  - RAM (Optional) - Check ISE's hardware installation guide
  - CPU (Optional) - Check ISE's hardware installation guide
  3. Power the VM back on and then test again
  If you have a distributed deployment then you will have to follow the instructions for that
  The document/link also answers your question about the certificates and license files:
  The upgrade process retains licenses and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files with two-node unique device identifiers (UDIs). You can request for a new license with the UDI of both the primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation Guide for details.
  Thank you for rating helpful posts!

• Cisco ise upgrading and licences

  I nedd to upgrade from version 1.1.2 patch 4 to 1.1.3
  the deployment is distributed so the split deployment technique needs to be used:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upg_dis_dep.html#wp1052969
  the guide is quite hard to follow as there are some licensing informations missing that can potentially cause service downs:
  in particular my questions reguarding the guide are:
  --- OUR licence is registered to the primary PAN node only----
  1) Deregistering primary PSN "D" node : what licence it will use? the inherited (10000 endpoints) or will it lose the licence completely and lock the network authentications?
  2) When node "B" will be deregistered and will become standalone what happens to its licence ? will it be lost? and what will happen to the node "D" when added back to the node "B" ?
  3) when I will switch back node "A" (after upgrade and registration to node "B") to its previous primary PAN state it is stated that the licence needs to be reloaded in it cause it was lost when adding it to node "B".... and in the meanwhile? no node will authenticate cause the primary node is without a licence?
  TY

  Giuliano,
  De-registered node will always use it's own license, i.e. it becomes standalone box without knowledge or information of anything around it. Either the evalutaion or whichever license you have supplied it with.
  License enforcement is performed by active admin node in cluster, according to its license.
  Have a look at:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCug04405
  I don't think license needs to be reloaded, but that may be just my memory not serving me. I'll double-check that one.
  M.

• ISE upgrade 1.1.4 to 1.2 Fail

  Hi there
  I´m upgrading a distributed enviroment with 2 Administration/monitoring nodes and 2 as a Policy. I´m upgrading from 1.1.4 patch 6 to 1.2.0.899
  I´ve upgraded first the secondary administration node and then the both Policy servers. Now they are already in 1.2 version, but when I´m going to upgrade the primary server (still in v1.1.4) seems as if there where still any server without upgrade.
  es-ise000/admin# application upgrade ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk
  Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
  Generating configuration...
  Saved the ADE-OS running configuration to startup successfully
  Initiating Application Upgrade...
  % Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
  STEP 1: Stopping ISE application...
  % Warning: All secondary nodes should be upgraded and inline posture nodes should be de-registered before upgrading Primay PAP.
  Starting application after rollback...
  % Warning: The node has been reverted back to its pre-upgrade state.
  error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
  % Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
  The servers are running in VMWare
  This are the servers already upgraded to 1.2
  This is from the primary administration server, still running 1.1.4
  Any Ideas
  Thanks in advance

  Hi ,
  The final step in the upgrade of ISE 1.2 is to upgrade the primary Administration node to Cisco ISE, Release 1.2.
  If the upgrade is success on this node then this node will be added to the new deployment as  a secondary Administration node. You can promote the secondary  Administration  node to be the primary node in the new  deployment. If you want to retain the secondary Administrative node from old deployment as your primary node, you must  obtain a license that includes the UDI of both the primary and secondary  Administration nodes.
  In case if you want to make your primary Admin node from old deployment as a Primary node in the new ISE 1.2 deployment then just promote the node.
  As you are facing difficulty in upgrading Primary Admin node from ISE 1.1.4 version to ISE 1.2 version you try the following steps.
  -The safest way is to re-image the ISE Primary node es-ise000 to ISE 1.2 version and join to the deployment. Once the node is joined successfully and replication is done , you can safely promote the original primary node es-ise000 as your Primary ISE node in new ISE 1.2 deployment.
  -The other way is to perform reset-config operation on the older Primary node and once it is done perform the upgrade operation and then register it back to the deployment of ISE 1.2 and then promote as Primary node once replication is completed.
  Thanks,
  Naresh

• ISE upgrade 1.2: Self-provisioning portal not working

  Hi all,
  I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
  Screenshot of page is attached:
  I've checked ise-console.log application log file and found two errors correponding to the first page:
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
  [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
  and the second (not working) one:
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
  [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
  Looks like something is wrong with a certification file, but I cannot find what is. I've exported and re-installed current server certificates (as instructed by upgrade guide for 1.2) and nothing changed.
  Can somebody please help?
  Thanks,
  L

  Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html Errors When Adding Devices to My Devices Portal
  Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
  If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
  If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
  For more information on self-provisioning.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

• ISE upgrade issue

  Trying to upgrade from 1.1.1.268 patch 5 to 1.1.2.145.  It fails saying the package isn't correct format via GUI.  Tried via CLI and I see this in the logs.
  Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[245] [<removed>]: Install initiated with bundle - ise-appbundle-1.1.2.145.i386.tar.gz, repo - Patches
  Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[259] [<removed>]: Stage area - /storeddata/Installing/.1357237542
  Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[263] [<removed>]: Getting bundle to local machine
  Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: transfer: cars_xfer.c[54] [<removed>]: ftp copy in of ise-appbundle-1.1.2.145.i386.tar.gz requested
  Jan  3 18:26:12 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[272] [<removed>]: Got bundle at - /storeddata/Installing/.1357237542/ise-appbundle-1.1.2.145.i386.tar.gz
  Jan  3 18:26:12 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[282] [<removed>]: Unbundling package ise-appbundle-1.1.2.145.i386.tar.gz
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[294] [<removed>]: Unbundling done. Verifying input parameters...
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[316] [<removed>]: Manifest file is at - /storeddata/Installing/.1357237542/manifest.xml
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[326] [<removed>]: Manifest file appname - ise
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[364] [<removed>]:  Patch bundle contains patch((null))  for app version(1.1.2.145)
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[367] [<removed>]: Patch  for application version (1.1.2.145) is not matching the installed app version
  Jan  3 18:26:53 oranetise02 debugd[2507]: [22327]: application:install install_cli.c[691] [<removed>]: error message: Patch cannot be applied to the installed application version.
  Jan  3 18:26:53 oranetise02 debugd[2507]: [22327]: application:install install_cli.c[694] [<removed>]: Error while Installing - Patch bundle: ise-appbundle-1.1.2.145.i386.tar.gz  Repository: Patches ErrorCode: -623 Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[245] [<removed>]: Install initiated with bundle - ise-appbundle-1.1.2.145.i386.tar.gz, repo - Patches
  Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[259] [<removed>]: Stage area - /storeddata/Installing/.1357237542
  Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[263] [<removed>]: Getting bundle to local machine
  Jan  3 18:25:42 oranetise02 debugd[2507]: [22327]: transfer: cars_xfer.c[54] [<removed>]: ftp copy in of ise-appbundle-1.1.2.145.i386.tar.gz requested
  Jan  3 18:26:12 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[272] [<removed>]: Got bundle at - /storeddata/Installing/.1357237542/ise-appbundle-1.1.2.145.i386.tar.gz
  Jan  3 18:26:12 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[282] [<removed>]: Unbundling package ise-appbundle-1.1.2.145.i386.tar.gz
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[294] [<removed>]: Unbundling done. Verifying input parameters...
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[316] [<removed>]: Manifest file is at - /storeddata/Installing/.1357237542/manifest.xml
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[326] [<removed>]: Manifest file appname - ise
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[364] [<removed>]:  Patch bundle contains patch((null))  for app version(1.1.2.145)
  Jan  3 18:26:52 oranetise02 debugd[2507]: [22327]: application:install cars_install.c[367] [<removed>]: Patch  for application version (1.1.2.145) is not matching the installed app version
  Jan  3 18:26:53 oranetise02 debugd[2507]: [22327]: application:install install_cli.c[691] [<removed>]: error message: Patch cannot be applied to the installed application version.
  Jan  3 18:26:53 oranetise02 debugd[2507]: [22327]: application:install install_cli.c[694] [<removed>]: Error while Installing - Patch bundle: ise-appbundle-1.1.2.145.i386.tar.gz  Repository: Patches ErrorCode: -623

  To avoid contratictory fixes. Essentially, with patch 5 you aply a fix. Upgrade to 1.1.2 removes it (or even worse case leaves orphaned files etc. since it does not know about the fix) and then patch 2 applies it back. It will work fine as long as the "fix" is exactly the same. That assumption can be wrong.
  Even the release notes were made to reflect that an upgrade to 1.1.2 requires you to be at 1.1.1 patch 3.

• ISE Upgrade Fails from 1.1.0 to 1.1.2.145

  Hi,
  I am trying to upgrade ISE from 1.1.0 to 1.1.2.145 but failed. Find the details below.
  DR-ise-pdp-01/admin# application upgrade ise-appbundle-1.1.2.145.i386.tar.gz ISE1
  Save the current ADE-OS running configuration? (yes/no) [yes] ?
  Generating configuration...
  Saved the ADE-OS running configuration to startup successfully
  Initiating Application Upgrade...
  Stopping ISE application before upgrade...
  Running ISE Database upgrade...
  % Application upgrade failed. Please check logs for more details.
  Regards

  Hi,
  Try to go to v1.1.1 first, add patch 3 and then go to v1.1.2.
  From ISE relaese notes:
  Upgrade from Cisco ISE, Release 1.1.1 to release 1.1.2
  Before you can upgrade to Cisco ISE, Release 1.1.2, you must first be sure you have upgraded your machine to Cisco ISE, Release 1.1.1 with patch 3 applied. For specific instructions on performing the upgrade procedure, see the Cisco Identity Services Engine Upgrade Guide, Release 1.1.x.
  HTH

• ISE upgrade from 1.1 to 1.2.1 - lost CLI admin password?

  Hi,
  In a mysterious way I lost CLI Admin password in whole my ISE deployment (6 PSN, 1 ADM and 1 MNT node). I wondering how it is possible? Last time I logged to the nodes when I upgrade my deployment from ISE 1.1 to 1.2.1. Is this possible that I could lost password during this upgrade?
  Regards
  Gunter

  Hello Gunter-
  You should have not lost/locked the admin account due to the upgrade. Nonetheless, you will have to follow the CLI password recovery procedure:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_postins.html#pgfId-1189908
  Thank you for rating helpful posts!

• ISE Upgrade File Copy Error

  According to the Upgrade Guidelines for 1.2:
  Copy the upgrade bundle to the local disk using the copy command from the Cisco ISE CLI: copyftp-filepath ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk:/   Again, after you copy the upgrade bundle to the local disk, check to  ensure that the size of the upgrade bundle in your local disk is the  same as it is in the repository. Use the dir command to verify the size of the upgrade bundle in the local disk.
  When I attempt to run this command, I keep getting the error:
  "% long command detected at '^' marker"
  using the following command:
  " copy repository FTPDPZ ise-patchbundle-1.2.0.899-1-82500.x86_64.tar.gz"
  I have also tried to replace the repository + name with an IP address, with just the repository name, and with 100 other things.
  I tried to look up what a "long command" is, but I come up with nothing.
  What is the proper verbage to utilize this command?

  David,
  It figures, doesn't it?  No worries.  The repository system is a confusing one, but it is what we have.  I have found detailed instructions on using it, but they are for the Cisco Prime LMS product.  The process is the same (I used these unstructions when doing my ISE 1.2 Upgrade), just substitute file names as necessary.
  Step 1 Log into the shell and navigate to the location where the upgrade file, lms4_2_3_lnx_k9.zip is stored.
  myhost/admin# shell
  starting shell...
  [myhost/ root-ade ~]
  Note The  login name that appears in the command prompt depends on the login name  entered by the user while installing LMS on VM Console.
  Step 2 Unzip the lms4_2_3_lnx_k9.zip file to extract Cisco_Prime_LAN_Management_Solution_4_2_3.tar.gz.
  [myhost/ root-ade myloc] unzip lms4_2_2_lnx_k9.zip
  Step 3 Copy the Cisco_Prime_LAN_Management_Solution_4_2_3.tar.gz to local disk partition of LMS 4.2.2 installed server (/localdisk).
  Step 4 Log in with your credentials to the VM Console through Vsphere client.
  Step 5 Create either a local or remote repository. A repository contains URL and credential details
  myhost/admin# configure terminal
  myhost/admin(config)# repository <>
  myhost/admin(config-Repository)# url ?
    Enter repository URL, including server and path info (Max Size - 80)
  cdrom:  Local CD-ROM drive (read only)
  disk:   Local storage
  ftp:    URL using a FTP server
  http:   URL using a HTTP server (read only)
  https:  URL using a HTTPS server (read only)
  nfs:    URL using a NFS server
  sftp:   URL using a SFTP server
  tftp:   URL using a TFTP server
  Step 6 Combine the URL to the repository that uses a local or remote storage.
  a. The following IOS CLI shows how to combine the URL to a repository that uses a local storage:
  myhost/admin(config-Repository)# url disk:
  myhost/admin(config-Repository)# exit
  myhost/admin(config)# exit
  myhost/admin# write mem
  Generating configuration...
  myhost/admin#
  b. The following IOS CLI shows how to combine the URL to a repository that uses an anonymous FTP server:
  myhost/admin(config-Repository)# url ftp://<>
  myhost/admin(config-Repository)# user <> password plain <>
  myhost/admin(config-Repository)# exit
  myhost/admin(config)# exit
  myhost/admin# write mem
  Generating configuration...
  myhost/admin#
  You can use the above mentioned steps for other protocols.
  Step 7 Run the below command in the VM console in VSphere client.
  myhost/admin# application upgrade Cisco_Prime_LAN_Management_Solution_4_2_3.tar.gz <>
  Save the ADE-OS running configuration? (yes/no) [yes]?
  Step 8 Press Enter to continue with LMS 4.2.3 upgrade.
  An Application upgrade successful message appears.
  Here is the doc that contains these instructions:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2.3/release/notes/lms4_2_3_release_notes.html#wp1183869

• Cisco ISE- Upgrade

  i AM USING ise 3315 WITH 1.1.3 CAN I DIRECTLY UPDATE TO ise 1.2

  ISE 1.2 is now delayed and is not shipping yet.  We will let you know when it ships. SNS Appliance with 1.2 software will not be available until end of August.  Until then, you must order SNS appliance with 1.1.4 and then manually upgrade it to 1.2.  Existing customers with existing appliances can download 1.2 from the CCO Software Download page

• ISE upgrade failing with "% Manifest file not found in the bundle"

  Hello
  I am trying to upgrade a brand new ISE 3395 from 1.0.3.337 to 1.0.4 (latest).  It keeps failing with
  % Manifest file not found in the bundle
  Here is the output:
  company-ise-01/admin# application upgrade ise-appbundle-1.0.4.573.i386.tar.gpg ftp
  Save the current ADE-OS running configuration? (yes/no) [yes] ?
  Generating configuration...
  Saved the ADE-OS running configuration to startup successfully
  Initiating Application Upgrade...
  % Manifest file not found in the bundle
  fusd-ise-01/admin# sh application version ise
  Cisco Identity Services Engine
  Version      : 1.0.3.377
  Build Date   : Fri May  6 19:30:37 2011
  Install Date : Wed Oct 12 22:18:26 2011
  I can't find anything about this for ISE, although there are a lot of topics for the same error for ACS.  Thanks in advance.
  Saro

  Same problem with 1.1.2 and 1.1.1 patch 5:
  ISEcdemo/admin# sh ver
  Cisco Application Deployment Engine OS Release: 2.0
  ADE-OS Build Version: 2.0.4.018
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2011 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: ISEcdemo
  Version information of installed applications
  Cisco Identity Services Engine
  Version      : 1.1.1.268
  Build Date   : Mon Jun 25 05:49:23 2012
  Install Date : Wed Sep 12 09:12:53 2012
  Cisco Identity Services Engine Patch
  Version      : 1
  Install Date : Wed Sep 12 10:01:22 2012
  Cisco Identity Services Engine Patch
  Version      : 2
  Install Date : Wed Sep 12 13:10:36 2012
  Cisco Identity Services Engine Patch
  Version      : 3
  Install Date : Tue Nov 27 12:33:19 2012
  Cisco Identity Services Engine Patch
  Version      : 4
  Install Date : Tue Nov 27 12:52:50 2012
  ISEcdemo/admin# patch install ise-patchbundle-1.1.1.268-5-68046.i386.tar.gz my2
  Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
  Generating configuration...
  Saved the ADE-OS running configuration to startup successfully
  Initiating Application Patch installation...
  % Manifest file not found in the bundle
  ISEcdemo/admin#
  ISEcdemo/admin# application upgrade ise-appbundle-1.1.2.145.i386.tar.gz my2
  Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
  Generating configuration...
  Saved the ADE-OS running configuration to startup successfully
  Initiating Application Upgrade...
  % Manifest file not found in the bundle
  Can someone verify the downloaded file details? They are different from cisco.com values:
  -bash-4.1$ /usr/bin/md5sum.exe /cygdrive/c/munka-unenc/tftp/ise-appbundle-1.1.2.145.i386.tar.gz
  2aa9b75ef5d7c1662a1a51844f178b77 */cygdrive/c/munka-unenc/tftp/ise-appbundle-1.1.2.145.i386.tar.gz
  -bash-4.1$ /usr/bin/ls -lAp /cygdrive/c/munka-unenc/tftp/ise-appbundle-1.1.2.145.i386.tar.gz
  -rwx------+ 1 Administrators Domain Users 1583851520 Nov 29 00:14 /cygdrive/c/munka-unenc/tftp/ise-appbundle-1.1.2.145.i386.tar.gz

• Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

  Need help from ISE experts/gurus in this forum.
  Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stopping working completely and a reboot is required (very nice bug from cisco) .  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601. 
  Scenario: 
  - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
  - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
  - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
  - node 3 is Policy service node - hostname is node3
  - node 4 is Policy service node - hostname is node4
  Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
  My understand  is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
  to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
  upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601. 
  Can I patch my exsiting environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
  I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
  I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
  Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
  step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
  Propose solution:
  step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
  step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
            form a new ISE 1.2 cluster independent of the old cluster,
  step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
  step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
            Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
  step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
  step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
  step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
  step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
  step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
  Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
  Propose solution: 
  step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
           Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
  step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
           to ISE node1 via the GUI,
  step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
  step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffics,
  step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffics,
  does these steps make sense to you?
  Thanks in advance.

  David,
  A few answers to your questions -
  Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
  https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
  You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli commmand to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at at time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
  Every ISE upgrade that I have attempted as not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
  I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
  I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
  I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
  Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
  Once the restore finished, I then restored the certificate and picked one of the PSNs
  backup the cert,
  Had the AD join user account handy
  reset-db,
  and run the upgrade script.
  Once that is done I then restore the cert
  Join the PSN to the new deployment
  Join both nodes to AD through primary admin node
  Monitor for a few days (seperate consoles to make sure everything runs smooth)
  If anything doesnt look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and the the last admin node.
  Thanks and I hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• CIsco ISE 1.2 to 1.3 upgrade

  I am planning for an ISE upgrade from version 1.2 to 1.3. I have two nodes (primary admin, secondary monitoring (ISE 3355) in one box and secondary admin, primary monitoring in the other (3315).) and 8 PSNs (all 3315).
  My question is after upgrading when we are testing for failover of the HA pairs in both the nodes…are we going to face any technical complications because of the different model numbers. All nodes (2 +8= 10) are in different locations.

  You must first upgrade the secondary Administration node to Release 1.3. For example, if you have a deployment set up as shown in the following figure, with one primary Administration node (node A), one secondary Administration node (node B), one Inline Posture node (IPN) (node C), and four Policy Service nodes (PSNs) (node D, node E, node F, and node G), one primary Monitoring node ( node H), and one secondary Monitoring node (node I), you can proceed with the following upgrade procedure.
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_chapter_01.html#ID20
  Before You Begin : http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/upgrade_guide/b_ise_upgrade_guide_13/b_ise_upgrade_guide_13_chapter_011.html

• File transfer problem during ISE 1.3 upgrade

  We have problem running the upgrade command:
  iseadm01/admin# application upgrade cleanup
  Application upgrade preparation directory cleanup successful
  iseadm01/admin# application upgrade prepare ise-upgradebundle-1.2.x-to-1.3.0.876.x86_64.tar.gz FTP
  Getting bundle to local machine...
  % File transfer error
  iseadm01/admin#
  The sniffertrace shows that the ISE 1.2 is sending TCP RST after about 30MB file transfer. If we run the command serveral times, it stops exactly after the same amount of transferred bytes.
  The disk utilazation looks OK:
  iseadm01/admin# dir
  Directory of disk:/
        16384 Sep 18 2014 15:55:48  lost+found/
             Usage for disk: filesystem
                    172761088 bytes total used
                  14275047424 bytes free
                  15234142208 bytes available
  iseadm01/admin#
  iseadm01/admin# dir
  Directory of disk:/
        16384 Sep 18 2014 15:55:48  lost+found/
             Usage for disk: filesystem
                    172761088 bytes total used
                  14275047424 bytes free
                  15234142208 bytes available
  iseadm01/admin#
  We have Another ISE (monitor node) and the problem is excact the same on that node.
  Thanks

  On FileZila click on the User Accounts Icon. The dialog box will show you  defined users. By default only anonymous is created.
  So you need to create a local ftp username and passowrd. Then assign it a home directory under shared folders. This will be the dfault location a remote clietn will look for files and where you would find the ISE upgrade package, for example.
  See following screenshot....

• ISE guest self service question

  Hi experts
  Is there any way to implement this scenario on ise 1.2.1:
  guest registers himself on the portal and either selects or enters sponsor details
  sponsor gets notified by mail and can approve or deny
  guest gets a sms text message with password and can use the guest wlan
  Grateful for any hint
  Cheers
  Albert

  No,  to enable SMS messaging, you need to be running v1.3.
  Good news, though.  With a current Service Agreement, ISE upgrades are free.  If you can schedule downtime, you can upgrade from 1.2.1 to 1.3 without stress.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton