ModernCyber Blog

New ISE Split Upgrade Process

Written by Tina Cline | Aug 22, 2024 12:20:25 AM

ISE upgrades can be complex and time-consuming, prompting many customers to postpone them.

ISE 3.0 and above bring a plethora of new features (an upgraded GUI, pxGrid Direct, Agentless Posture, and AI/ML profiling, to name a few), so those who choose to delay upgrades could miss out on valuable capabilities by not moving to a more current ISE release.

The ISE Split Upgrade process allows customers to upgrade their ISE deployment while minimizing downtime and disruption to the network, which makes it especially beneficial in distributed deployment environments.


Prior to ISE 3.2 p3, customers had the option to perform Split Upgrades; however, these could take up to 24 hours to complete and involved a multi-step, sequential (per-node) upgrade process.

One of the steps in the previous split upgrade process required the deployment of the Upgrade Readiness Tool (URT), which is a downloadable bundle that helps to identify and fix configuration data upgrade issues before initializing the upgrade process.

The URT would perform checks such as, but not limited to:

  • Version compatibility
  • Persona Checks
  • Disk Space
  • NTP Service
  • Memory
  • System Data
  • Trusted Cert Validation

From there, the URT could identify, report and/or remediate issues. Deploying the URT could take up to 4 hours per node, making it a time-consuming process.

The former ISE Split Upgrade method included other caveats, such as:

  • A recommended maximum of 4 nodes per iteration
  • Patch installation was completed on a per-node basis
  • No automated pre-checks, staging or post-upgrade checks (more on these later)

The new Split Upgrade flow reduces the upgrade time and failure points during the upgrade process by allowing admins to upgrade in batches, with an increase in the recommended nodes per iteration from 4 to 15 nodes. Additionally, upgrades can be accomplished much more quickly than with the old split upgrade method, taking around 7 hours or less for a 2-batch upgrade.

Pre-checks are also automated in the GUI and are more thorough, moving the URT to an optional step in the new process.

Lastly, patches can be installed during the upgrade, and the new method allows for Staging capabilities as well as Pre- and Post-Upgrade checks.

Let’s dive into a few of these features:

Pre-Checks:

Once you’ve selected the nodes for each batch in your iteration, you initiate pre-checks via the ISE GUI. These review various items, such as, but not limited to:

  • Whether there is a repository available for all nodes
  • Download and prepare the upgrade bundle for all nodes
  • Memory
  • Download the patch bundle for selected nodes
  • Validating that PAN HA is enabled
  • Whether a config backup was done recently prior to running the upgrade process
  • Configuration data upgrade
  • Services or process failures
  • Platform support check
  • Deployment Validation
  • And many more checks

Staging:

Staging is the process of copying an upgrade database file to all nodes in the deployment. This step helps to minimize downtime and allows the user to upgrade their deployment while keeping services available.

Post-Upgrade Validation:

Note that all nodes in each iteration are upgraded in parallel. The upgrade progress for each individual node, as well as the overall upgrade progress of the entire iteration, can be viewed via the Primary PAN.

Post-Upgrade validation confirms the health of the ISE deployment after the upgrade via System Health Checks to ensure all nodes are operating correctly and that services are running without any issues.

Post-upgrade validation can also perform authentication tests to confirm that network access and policies are functioning as expected.

Lastly, system logs will be reviewed for any warnings or errors that may need attention.

With ISE’s New Split Upgrade process, customers can experience an accelerated and more streamlined way to upgrade their ISE deployment without service interruption.

For more information on how ModernCyber can help to maximize your current ISE deployment, please check out some of our new offerings!

New ISE Services: ISE Express Health Assessment

ISE Deployment Services: ISE Deployment Services