ASA HA upgrade procedure

Hello,
I'll be upgrading an HA pair of ASA 5520s next week, and wanted to clarify the procedure.  I read "Upgrading an Active/Standby Failover Configuration" at http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1057338 which suggests placing the image on both units, updating boot statements, then issuing failover reload-standby.
But I was wondering if there's a way to be a bit safer.  I'd like to modify the standby unit, without affecting the config on the active.  So I'd like to modify the boot statement on the standby without modifying the active config.  That way in case there's a problem and the active reboots, it won't upgrade.
Can I modify the config on the standby without affecting the active?
Then I'd like to test the newly upgraded unit with our production traffic.  Would that simply be no failover active, and then once the standby becomes active -- test traffic? 
Once everything is okay, I would upgrade the second unit, and fail traffic back.
Thanks
Bill

Thanks Varun, that worked -- with one small hiccup.
The secondary was running the new version, with the modified boot statement.  But while we were working, the primary synced its config to the secondary, overwriting the boot statement.  I thought if the versions were different it wouldn't overwrite the config?
We manually put it back.  But is there a way to temporarily stop config sync?
Thanks

Similar Messages

  • ASA-SM Upgrade

    Dears,
    what precaution I have to take before upgrade,
    I am upgrading ASA-SM image 8.5.1 to 9.1(2) and then 9.3(1). And for ASDM direct upgrade from 6.5 to 7.3.
    I have to upload both the images in Disk0 as per the link below  it is showing in Disk0?? but below show version doesn't show up asdm image in disk0
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/upgrade/upgrade93.html#pgfId-52066
    sh version
    Cisco Adaptive Security Appliance Software Version 8.5(1)
    Device Manager Version 6.5(1)
    Compiled on Tue 03-May-11 14:21 MDT by builders
    System image file is "disk0:/asa851-smp-k8.bin"
    Config file at boot was "startup-config"
    FWSM up 5 mins 11 secs
    failover cluster up 5 mins 11 secs
    Hardware:   WS-SVC-ASA-SM1, 23552 MB RAM, CPU Xeon 5600 series 2000 MHz
                2 CPUs, 24 cores
    Internal ATA Compact Flash, 8192MB
    BIOS Flash M25P32 @ 0x0, 64KB
    Thanks

    Dear Experts,
    I am using SUP2T with the following IOS. Do I need to upgrade the FPD, and how will I know that I need to upgrade?
    The command outputs are from the 6509 switch.
    sh run | in boot
    boot-start-marker
    boot system flash bootdisk:
    boot-end-marker
    diagnostic bootup level minimal
    dir from  the 6509 switch.
    Directory of bootdisk:/
        1  -rw-    33554432  Aug 14 2014 14:24:14 +04:00  sea_console.dat
        2  -rw-   113733048  Aug 14 2014 14:31:08 +04:00  s2t54-ipservicesk9-mz.SPA.151-2.SY2.bin
        3  -rw-    33554432  Aug 14 2014 14:26:52 +04:00  sea_log.dat
        4  -rw-       25832  Oct 31 2014 13:20:30 +04:00  startup-config.converted_vs-20141031-092028
    I have still not installed the ASA-SM in the switch; on the day of migration I will install the ASA-SM. How will I know that I have to upgrade the FPD, and what does it actually do for the ASA-SM? I hope compatibility is perfect between the 15.1 switch version and ASA-SM 9.3?
    I have a separate chassis (test scenario) with me. I will upgrade the ASA and ASDM images, so I can upload the FPD image also if you experts give me confirmation for the FPD.
    S1#sh hw-module switch 1 all fpd
    % No cards with FPD support can be found in the indicated chassis or Not in VSS mode.
    Thanks

  • Upgrade procedure from 4.6c to ECC 6.0

    Hi
    I had gone through SAP solution browser tool and observed the differences for 4.6C and 6.0
    Can you please let me know how to start and end the upgrade project, i.e. the sequence of activities.
    1) should the configuration be done in ECC 6.0 same as 4.6C?
    2)master data upload?
    3)Z-objects movement from 4.6C to 6.0....?
    4)Open PO's and stock upload......in ECC 6.0 ?
    5) what are the precautions to be taken before Go-live?
    Please send any links for upgrade procedure from 4.6C to 6.0 i.e sequence of activities.........
    Thanking you
    Deepak

    Hi,
    About your questions:
    1) should the configuration be done in ECC 6.0 same as 4.6C?
    The configuration (if you mean how the system is configured from the Basis point of view) will be almost the same as you had in 4.6C. Of course you will find new aspects you don't have in the old version (for example the integrated ITS, ICM, etc.), but you will have the system running after the upgrade.
    2)master data upload?
    Master data will be adapted to new version during the upgrade. Unless you need fresh data, you won't need to reload master data.
    3)Z-objects movement from 4.6C to 6.0....?
    Z objects are not touched by the upgrade process. It's your responsibility to keep them running after the upgrade.
    4)Open PO's and stock upload......in ECC 6.0 ?
    Same as question 2). Business data remains in the system after the upgrade.
    5) what are the precautions to be taken before Go-live?
    It is recommended to carry out functional tests, as well as connection tests with external interfaces. In any case, you shouldn't take any special precaution, at least not so different from those you would take in a normal installation.
    Regards
    Francisco

  • What is the upgradation procedure

    In orion we have autoupdate.jar which gives seemless update of the server. Is there any such functionality with OC4J?

    Hi,
    the autoupdater.jar is Orion specific and has been removed from OC4J. My best guess is that the upgrade of OC4J will follow the normal upgrade procedure for Oracle products.
    //Andy

  • Recommended Solaris package upgrade procedure

    We would like to know the recommended Application Package upgrade procedure. We followed the procedure as defined in the Application Packaging Developer's Guide.
    Currently we followed the following procedure during upgrade:
    1. Check if old version is available.
    2. If it is available execute the pkgrm command to remove the old package as indicated in the Application Packaging Developer's Guide. But since the package names are same and we are executing the pkgrm command from the preinstall script, in some systems it's not allowing to remove the old package since it's executed from pkgadd command scope. The following error message is displayed while package verifying step is executed
    [ verifying class <none> ]
    pkgadd: ERROR: missing entry in contents file for </opt/XXXXxxxx/jre>
    3. We cannot manually remove the old package first since it will completely wipe out the file. We need to migrate some of the files from old release to new. So we need the old files during upgrade.
    Please suggest a suitable procedure to handle this.
    Some more details about the OS:
    1. uname -a
    SunOS rduipv6 5.10 Generic_142900-03 sun4u sparc SUNW,UltraAX-i2 Solaris

    Hi.
    I can't say what Oracle recommends. But I see that for updating the main part of Sun products, two ways are used:
    1) The documentation says that the user should remove all previous versions of the product by hand.
    2) An external installation tool is used that does it automatically, but not as part of the package installation script (pre/postinstall).
    Regards.

  • Photoshop upgrade procedure

    I've been moaning about this since photoshop 6 days.  Why is there no automatic upgrade procedure in the photoshop installer?
    Would it be too difficult for the installer to ask you whether you wanted to import brushes, gradients, patterns, actions, presets, workspaces...?
    If there is a quick way of doing this other than using the presets manager, I'm all ears.
    (ditto: illustrator, indesign).  If dreamweaver can do it...

    That's a bit extreme.  Photoshop CS5 is actually VERY compatible with actions from past versions.
    -Noel

  • GSS OS upgradation procedure

    Hi,
    Could any one send the document for GSS os upgradation procedure.

    Take a look here:
    GSS - Upgrade Instructions:
    http://tools.cisco.com/squish/f8f0B
    GSS - 3.1(x) Release Notes
    http://tools.cisco.com/squish/0b60c
    GSS Software Download Site:
    http://tools.cisco.com/squish/7b4337
    Joel Lamousnery
    TAC Customer Support Engineer

  • Upgradation procedure for ALE/IDOCS

    Can anyone  let me know what is the upgradation procedure for ALE/IDOCS and what are the steps needs to be checked  out during technical remediation part of version upgrade(lower version to ECC6.0)?

    IDocs are backwards compatible, so I don't think you need any special procedures for them, just a regular test, to make sure everything still works fine. If you've extended any standard IDocs, that part will need to be reviewed, as any other custom development.
    However, there might be a newer version of the IDoc type available in ECC 6.0, which you didn't have in the previous release. You might want to see if there would be any benefits in switching to the newer version.
    I'm sure you'll find all the information on the Upgrade page on SAP's [web site|http://service.sap.com/upgrade]. Also there is an SAP Press book on the subject.

  • NM-CE-20 Content module - upgrade procedure and ftp help

    Our netmodule has been successfully installed and working. It's currently running 4.2.3 and we would like to upgrade it to the latest 5.1.9.5 rev. I cannot find a working procedure for doing this. When I attempt to ftp into the module's IP I get an error stating it can't set guest privileges. When telnetting into the module and doing a "DIR" I get: nothing. Anyone help me out? Is upgrading to the 5.x supported?
    Brian

    To see if the version you want is supported with this hardware, check the release note
    http://www.cisco.com/en/US/products/sw/conntsw/ps491/prod_release_note09186a00802664f0.html#wp107167
    Looks like the 20G module is not listed.
    However it is supported in 5.0.15
    http://www.cisco.com/en/US/products/sw/conntsw/ps491/prod_release_note09186a0080234dcc.html#wp42371
    The upgrade procedure is the same for any ACNS device.
    So, follow the procedure described at :
    http://www.cisco.com/en/US/products/sw/conntsw/ps491/products_configuration_guide_chapter09186a0080131e84.html#1041204
    Regards,
    Gilles.

  • ASA CX5545 Upgrade Procedures

    I need to upgrade my ASA 5545-x, I have updated to latest code and now I am attempting to upgrade the CX Module so that I can update the PRSM software.

    In your particular case the 9.2(1.4) your CX module is running is the latest release (as of this posting date) even though it is not the highest number (version 9.3(1.1) build 112 was actually released earlier).
    Generally speaking though one upgrades the CX module via the PRSM GUI. You can do it via the cli; but the GUI is much easier as it allows you to drag and drop the upgrade package directly into the GUI to transfer the image.
    Here's a link to the procedure.

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don'ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they aren't really optimal.
    In your case it seems that you have a pretty much better situation than most people that don't have the chance to use a test device to test out the setup before actually putting it in production.
    What you can basically do is
    - Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
    - You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations because of mistyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to an ASA Security Context)
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is
    - Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
    - Divide NAT configurations based on type
      - Dynamic NAT/PAT
      - Static NAT
      - Static PAT
      - NAT0
      - All Policy Dynamic/Static NAT/PAT
    - Learn the basic configuration format for each type of NAT configuration
    - Start by converting the easiest NAT configurations
      - Dynamic NAT/PAT
      - Static NAT/PAT
    - Next convert the NAT0 configurations
    - And finally go through the Policy NAT/PAT configurations
    - Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common scenarios this basically usually only involves modifying the "outside" interface's ACL but depending if the customer has some other links to external resources then it's highly likely that same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
    For example
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
    So to summarize
    - Try out the ASA's automatic configuration conversion when simply booting to new software levels on the test ASA you have
    - Learn the new NAT configuration format
    - Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally if I was looking at the same kind of upgrade (which I will probably be looking at again soon) I would personally do the following
    - Convert the configurations manually
    - Lab/test the configurations on a test ASA
    - During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
    - Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
    - Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    - Test connectivity and monitor ASA's connection and xlate tables to confirm everything is working
    Will add more later if anything comes to mind as its getting quite late here
    Hope this helps
    - Jouni
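
The collection and grouping steps from the post above, as an added example that is not part of the original post: it sorts pre-8.3 `nat`/`global`/`static` lines into the listed groups, gathers the ACLs they reference, flags identity statics, and lists interface ACL entries that still point at a mapped host address. The sample configuration, ACL names and function names are constructed for illustration, and only the common command forms shown are handled.

```python
import re

# Order in which the post suggests converting the groups.
CONVERSION_ORDER = ["Dynamic NAT/PAT", "Static NAT", "Static PAT",
                    "NAT0", "Policy NAT/PAT"]

# Constructed pre-8.3 fragment (documentation addresses, made-up ACL names).
SAMPLE_CONFIG = """\
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list POLICY-PAT extended permit ip 10.10.10.0 255.255.255.0 host 198.51.100.5
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq www
nat (inside) 0 access-list NONAT
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 2 access-list POLICY-PAT
global (outside) 1 interface
global (outside) 2 203.0.113.99
static (inside,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 www 10.10.10.11 www netmask 255.255.255.255
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
"""


def classify(tokens, policy_ids):
    """Return the conversion group for one tokenised nat/global/static line."""
    kind = tokens[0]
    if kind == "static":
        if "access-list" in tokens:
            return "Policy NAT/PAT"
        return "Static PAT" if tokens[2] in ("tcp", "udp") else "Static NAT"
    nat_id = tokens[2]
    if kind == "nat" and nat_id == "0":
        return "NAT0"
    # A global pool belongs to whatever kind of nat statement shares its ID.
    return "Policy NAT/PAT" if nat_id in policy_ids else "Dynamic NAT/PAT"


def build_plan(config):
    """Group the NAT lines of an 8.2-style config and list follow-up work."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    rows = [l.split() for l in lines]
    nat_rows = [t for t in rows
                if t[0] in ("nat", "global", "static") and len(t) >= 4]

    # NAT IDs whose nat statement matches on an ACL are policy NAT.
    policy_ids = {t[2] for t in nat_rows
                  if t[0] == "nat" and t[3] == "access-list" and t[2] != "0"}

    groups = {name: [] for name in CONVERSION_ORDER}
    nat_acls, identity, host_map = set(), [], {}
    for t in nat_rows:
        group = classify(t, policy_ids)
        groups[group].append(" ".join(t))
        if "access-list" in t:
            nat_acls.add(t[t.index("access-list") + 1])
        if group == "Static NAT":
            mapped, real = t[2], t[3]
            if mapped == real:
                # Identity static: the post says these can usually be left out.
                identity.append(" ".join(t))
            elif t[4:6] == ["netmask", "255.255.255.255"]:
                host_map[mapped] = real

    # Interface ACLs must use the real address after 8.3; show the rewrite
    # for host statics only (static PAT and subnets need a manual look).
    rewrites = []
    for t in rows:
        if t[0] != "access-list" or t[1] in nat_acls:
            continue
        old = new = " ".join(t)
        for mapped, real in host_map.items():
            new = re.sub(r"\bhost %s\b" % re.escape(mapped), "host " + real, new)
        if new != old:
            rewrites.append((old, new))

    return {
        "groups": groups,
        "nat_acls": sorted(nat_acls),
        "acl_lines": [" ".join(t) for t in rows
                      if t[0] == "access-list" and t[1] in nat_acls],
        "identity": identity,
        "acl_rewrites": rewrites,
    }


if __name__ == "__main__":
    plan = build_plan(SAMPLE_CONFIG)
    for name in CONVERSION_ORDER:
        print("%-16s %d line(s)" % (name, len(plan["groups"][name])))
    print("ACLs to collect:", ", ".join(plan["nat_acls"]))
    print("Identity statics to review:", len(plan["identity"]))
    for old, new in plan["acl_rewrites"]:
        print("ACL change:\n  - %s\n  + %s" % (old, new))
```

Each rewritten ACL entry and each converted rule is still worth confirming with the "packet-tracer" command mentioned in the post.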

  • ASA Firewall Upgrade from 8.2,8.4, to 9.0

    Dear All ,
    we have five firewalls with the following details:
    First Firewall
    Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Second Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
    My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
    Third Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Fourth Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Fifth Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
    My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
    Please help. I am doing the upgrade remotely using the ASDM and I don't want to do any upgrade that could result in disconnectivity.
    Best regards

    Hi Basel,
    Honestly, I wouldn't suggest a direct upgrade from 8.2 to 9.0. This is a *major* upgrade. The recommended path to reach 9.0 would be from 8.2-->8.4-->9.0
    Here are the release notes for 9.0:
    http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp690047
    Per above document:
    If you are upgrading from a pre-8.3 release, see also the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration.
    Once you are on 8.3/8.4 (I would suggest 8.4 as a lot of issues were fixed post 8.3 as that was a huge transition from 8.2) upgrade to 9.0 is fairly simple.
    Major part is upgrade from 8.2 to 8.4 as configuration changes and few things can be broken as a result. I would highly recommend you to check these docs before attempting an upgrade and also do it with some maintenance window so as to correct things in case they broke:
    Following doc talks about 8.3 but it is applicable to direct upgrade to 8.4 as well:
    https://supportforums.cisco.com/docs/DOC-12690
    Release notes for 8.4:
    http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
    Sourav

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
    I am having ASA 5520 in Active Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on cisco site.
    Below is the process:
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
    1. Download the new software to both units, and specify the new image to load with the boot system command.
       Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
    2. Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
       active#failover reload-standby
    3. When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
       active#no failover active
       Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
    4. Reload the former active unit (now the new standby unit) by entering the reload command:
       newstandby#reload
    5. When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
       newstandby#failover active
    This completes the process of upgrading an Active/Standby Failover pair.
    Also after upgrade are there any changes required after IOS migration (i.e. are there any changes in the command line of 8.4.6 and 9.1.2)
    It is mentioned on cisco site that
    Major Release: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions, it's just that in access-rule from 9.1 you have to use any4 instead of any for ipv4 and any6 for ipv6. During conversion it will get converted automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma
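
The readiness check from the note in the quoted procedure (confirm Standby Ready with show failover before failing over), as an added example that is not part of the original posts or of Cisco's documentation. The sample output is constructed, its line layout and the version strings such as 9.1(2) are assumptions, and the function names are hypothetical.

```python
import re

# Constructed `show failover` excerpt as seen on the active unit after the
# standby has been reloaded into the new image (layout is an assumption).
SAMPLE_STANDBY_UPGRADED = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Version: Ours 8.4(6), Mate 9.1(2)
Last Failover at: 02:11:07 UTC Jan 10 2014
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

# Constructed variants: standby still booting, and nothing upgraded yet.
SAMPLE_STANDBY_RELOADING = SAMPLE_STANDBY_UPGRADED.replace(
    "Secondary - Standby Ready", "Secondary - Not Detected")
SAMPLE_BEFORE_UPGRADE = SAMPLE_STANDBY_UPGRADED.replace(
    "Mate 9.1(2)", "Mate 8.4(6)")


def parse_show_failover(text):
    """Pull the fields the upgrade procedure depends on out of the output."""
    info = {"enabled": False, "ours": None, "mate": None,
            "this": None, "other": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["enabled"] = True
            continue
        m = re.match(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)", line)
        if m:
            info["ours"], info["mate"] = m.groups()
            continue
        m = re.match(r"(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+)$", line)
        if m:
            # Stored as (role, state), e.g. ("Secondary", "Standby Ready").
            info[m.group(1).lower()] = (m.group(2), m.group(3).strip())
    return info


def next_step(info, target):
    """Map the parsed state to the next command of the quoted procedure.

    Returns a command string, or a message starting with "stop:" / "wait:"
    when it is not safe to continue.
    """
    if not info["enabled"]:
        return "stop: failover is not enabled"
    if info["this"] is None or info["other"] is None:
        return "stop: host state lines not found in output"
    if info["this"][1] != "Active":
        return "stop: run this check on the active unit"
    if info["other"][1] != "Standby Ready":
        return "wait: standby is '%s', not 'Standby Ready'" % info["other"][1]

    ours_done = info["ours"] == target
    mate_done = info["mate"] == target
    if ours_done and mate_done:
        return "done: both units run " + target
    if mate_done:
        # Standby is upgraded and ready: hand traffic over to it.
        return "no failover active"
    if ours_done:
        # We are the upgraded unit; the former active still runs the old image.
        return "reload (on the standby unit)"
    # Neither unit upgraded yet: boot the standby into the new image first.
    return "failover reload-standby"


if __name__ == "__main__":
    for name, sample in [("before upgrade", SAMPLE_BEFORE_UPGRADE),
                         ("standby reloading", SAMPLE_STANDBY_RELOADING),
                         ("standby upgraded", SAMPLE_STANDBY_UPGRADED)]:
        print("%-18s -> %s" % (name, next_step(parse_show_failover(sample), "9.1(2)")))
```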

  • Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

    Need help from ISE experts/gurus in this forum.
    Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from cisco).  This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
    Scenario: 
    - 4 nodes in the environment running ISE version 1.1.2.145 patch 3
    - node 1 is Primary Admin and Secondary Monitoring - hostname is node1
    - node 2 is Secondary Admin and Primary Monitoring - hostname is node2
    - node 3 is Policy service node - hostname is node3
    - node 4 is Policy service node - hostname is node4
    Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
    My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
    to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
    upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.
    Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
    I look at Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back in 07/05/2013.
    I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
    Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
    Propose solution: 
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
    step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
    Propose solution:
    step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
    step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
              form a new ISE 1.2 cluster independent of the old cluster,
    step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node3 will automatically joins the ISE node2 which is already in version 1.2
    step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
              Policy Service Node4 will automatically joins the ISE node2 which is already in version 1.2
    step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
    step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
    step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
    step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
    step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
    Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
    Propose solution: 
    step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
             Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
    step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
             to ISE node1 via the GUI,
    step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
    step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
    step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
    Do these steps make sense to you?
    Thanks in advance.

    David,
    A few answers to your questions -
    Question 1: My recommendation is to follow vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was release prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    You do not have the ability to install ISE patch through the GUI on any of the "non-primary" nodes (you can use the cli command to achieve this), the current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
    Every ISE upgrade that I have attempted has not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
    I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
    I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
    I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
    Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
    Once the restore finished, I then restored the certificate and picked one of the PSNs
    backup the cert,
    Had the AD join user account handy
    reset-db,
    and run the upgrade script.
    Once that is done I then restore the cert
    Join the PSN to the new deployment
    Join both nodes to AD through primary admin node
    Monitor for a few days (separate consoles to make sure everything runs smooth)
    If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation, if it all goes smooth you can then follow the above step for the other two nodes, starting with the last PSN and then the last admin node.
    Thanks and I hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • [asr9k cluster upgrade procedure]

    Dear CSC (and hopefully Xander):
    What is the proper way of upgrading an asr9k cluster?
    Do i have to break the cluster and upgrade both 9ks separately? then rebuild the cluster?
    Or you just treat the cluster as one box and when you upgrade one of them, both are upgraded simultaneously?
    (is there a document that describes this procedure for a cluster specifically?)
    Thanks in advance!
    c.    

    Hello Carlos,
    you can proceed with the following Cisco's recommendations thanks to Lenin Pedu:
    https://supportforums.cisco.com/docs/DOC-34114#13_Cluster_RackByRack_Upgrade_
    HTH,
    Michel.


    After upgrade to SL i have been having some issues with printing to R1800 - i consistently get "media errors" when trying to print edge to edge on some media types. Aperture and the epson print drivers do not seem to play together well... in most cas