Cisco ISE - Upgrading

KB ID 0001071

Problem

Just as I was hunting around for an NFR version of Cisco ISE 1.3, they released 1.4. I wasn’t sure if I could upgrade my NFR version without breaking it so I thought I would ‘have a go’.

Solution

If you read the documentation for the upgrade of 1.2 to 1.4, I suggest you skip straight to the tasks to do AFTER upgrade, as it has a habit of resetting things back to default, best to make sure you know how everything is setup that might break before you start.

This upgrade took me a long time! The best part of an afternoon!

1. Before we do anything let’s take a snapshot, just in case it all goes to hell in a hand cart.

2. Gotcha! The upgrade fails if you have any expired certificates, even disabling them wont help, you need to delete all expired root certs before you start.

3. Copy the upgrade file from an FTP server to the ISE device, it wont show you any progress bar, go and get a coffee, if it does not error it’s probably copying over OK :).

4. When you get the prompt back you can check it’s there with a ‘dir’ command.

5. Before you can upgrade you need to create a repository for the upgrade;

ISE-01/admin# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ISE-01(config)# repository upgrade
ISE-01(config-Repository)# url disk:
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes.
If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ISE-01(config-Repository)# exit
ISE-01(config)# exit

6. Then you need to ‘prepare’ for the upgrade.

ISE-01/admin# application upgrade prepare ise-upgradebundle-1.2.x-to-1.4.0.253.x86_64.tar.gz upgrade
Getting bundle to local machine...
md5: 35a159416afd0900c9da7b3dc6c72043
sha256: e3358ca424d977af67f8bb2bb3574b3e559ce9578d2f36c44cd8ba9e6dddfefd
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y