Upgrading Cisco ISE

Cisco Identity Services Engine (ISE) supports application upgrades only from the command-line Interface
(CLI). You can upgrade Cisco ISE from any previous release to the next release. A previous release can
have patches installed on it, or it can be any maintenance release.
Instructions for Upgrading to Cisco ISE, Release 1.2.1, page 1
Important Notes To Read Before You Upgrade, page 2
Obtain a Backup Before Upgrade to Prevent Any Data Loss, page 5
Cisco ISE 1.2 Upgrade Process, page 9
Cisco ISE 1.2 Supported Upgrade Paths, page 10
Downloading the Upgrade Software, page 10
Upgrade CLI Command, page 11
Upgrade Methods for Different Types of Deployments, page 11
Verifying the Upgrade Process, page 12
Post-Upgrade Tasks, page 12
Known Upgrade Issues, page 13

Instructions for Upgrading to Cisco ISE, Release 1.2.1

You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:
Cisco ISE, Release 1.1.0.665 with patch 5 or later
Cisco ISE, Release 1.1.1.268 with patch 7 or later
Cisco ISE, Release 1.1.2 with patch 10 or later
Cisco ISE, Release 1.1.3 with patch 11 or later
Cisco ISE, Release 1.1.4 with patch 11 or later
Cisco ISE, Release 1.2.0.899 with patch 8 or later

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

Upgrading Cisco ISE

Important Notes To Read Before You Upgrade

The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice
when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only
once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.
The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options.
You can use:
CleanupTo clean a previously prepared upgrade bundle on a node locally. You can use this option
if:
The application upgrade prepare command was interrupted for some reason
The application upgrade prepare command was run with an incorrect upgrade bundle
The upgrade failed for some reason
PrepareTo download and extract an upgrade bundle locally. You can use this command followed by
the application upgrade proceed command.
ProceedTo upgrade Cisco ISE using the upgrade bundle you extracted with the prepare option. You
can use this option after preparing an upgrade bundle instead of using the application upgrade
ise-upgradebundle-1.2-to-1.2.1.xxx.i386.tar.gz remote-repository command.
If upgrade is successful, this option removes the upgrade bundle.
If upgrade fails for any reason, this option retains the upgrade bundle.

Important Notes To Read Before You Upgrade

Ensure that you do not accidently delete system default sponsor groups and sponsor group policies when
you upgrade Cisco ISE, Release 1.0.4.573 to higher versions (for example, Cisco ISE, Release 1.1, 1.1.x,
and 1.2) or restore from the Cisco ISE, Release 1.0.4.573 backup to higher versions. Upgrade fails, if
system default sponsor groups and sponsor group policies are missing in Cisco ISE.
Ensure that you uncheck the Disable user account after <60> days if password was not changed (valid
range 1 to 3650) option here: Administration > Identity Management > Setttings > User Password
Policy page. Users are disabled, if the password expires after the default setting (60 days) when you
upgrade to Cisco ISE, Release 1.2 and restore the Cisco ISE, Release 1.1.x backup.
You can upgrade only Administration, Policy Service, and Monitoring nodes. Upgrades are not supported
for Inline Posture Nodes (IPNs). For IPNs, you must reimage your appliance and perform a fresh
installation.
We strongly recommend that you copy the upgrade bundle to a local repository on all the nodes. Having
the upgrade bundle in the local repository significantly reduces the time it takes to download it from the
network during the upgrade process.
1 Create a local repository for disk:/ from the Cisco ISE UI.
2 Copy the upgrade bundle to the local disk using the copy command from the Cisco ISE CLI: copy
ftp-filepath ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk:/
Again, after you copy the upgrade bundle to the local disk, check to ensure that the size of the upgrade
bundle in your local disk is the same as it is in the repository. Use the dir command to verify the
size of the upgrade bundle in the local disk.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

2

OL-27087-01

Upgrading Cisco ISE

Firewall Ports That Must be Open for Communication

Verify the MD5sum of the upgrade bundle. After you download the upgrade bundle to a repository such
as FTP or SFTP, check and verify that the MD5sum is correct. You can use the md5sum command in
Linux or the md5 command in MAC OSX.
Ensure that you have read the VMware Virtual Machine Settings, on page 4 section if you are upgrading
Cisco ISE on a virtual machine. These recommendations are useful when you choose to reimage some
nodes, in case of replacing nodes with new VMs or appliances and also if there are any secondary node
upgrade failures where remediation is not possible.

Firewall Ports That Must be Open for Communication

If you have a firewall deployed between your primary Administration node and any other node, the following
ports must be open before you upgrade:
TCP 1528For communication between the primary administration node and monitoring nodes.
TCP 443For communication between the primary administration node and all other secondary nodes.
TCP 12001For global cluster replication.
TCP 7800 and 7802(Applicable only if the policy service nodes are part of a node group) For PSN
group clustering.
For a full list of ports that Cisco ISE uses, see the Cisco Identity Services Engine Hardware Installation Guide.

Other Preupgrade Considerations

Read the following information carefully, and record these configurations (back up, export, obtain screenshots)
wherever possible before you begin an upgrade:
Read the Data Restoration Guidelines from the Cisco Identity Services Engine User Guide, Release 1.2
before you restore data on your newly upgraded node.
Perform a backup of Cisco ISE configuration data from the primary Administration node, which includes
the Cisco Application Deployment Engine (ADE) configuration data.
Perform a backup of the Cisco ISE operational data from the primary Monitoring node.
Export the certificates, including the private key, from all the nodes in the deployment and save them
in a local system. Ensure that the Common Name (CN) or SAN in the HTTPS and EAP certificates for
each of your Cisco ISE node matches the Fully Qualified Domain Name of that node.
Obtain a backup of the running configuration using the copy running-config destinationcommand from
the Cisco ISE CLI, where destination is a url such as ftp, sftp, or disk:
Ensure that you have the Active Directory credentials if you are using Active Directory as your external
identity source. After an upgrade, you might lose Active Directory connections. If this happens, you
must rejoin Cisco ISE with Active Directory.
Export the default profiler policies to a file and import them after an upgrade if you have edited and
customized the default profiler policies. The upgrade process overwrites the default profiler policies.
Record the customization that you have done to the default language templates. After upgrade, you must
edit the default language templates if you have customized them in the old deployment.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

Upgrading Cisco ISE

VMware Virtual Machine Settings

Record the alarm, e-mail settings, report customization, favorite reports, monitoring data backup schedules,
and data purge settings. You must reconfigure these settings after upgrade.
Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them
after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and
onboarded again.
Record the SNMP profiler probe settings. You must reconfigure the profiler SNMP polling from the
primary Administration node after upgrade if you are using it for profiling.
Disable the console timeout temporarily from the Cisco ISE CLI for remote upgrades. Use the following
command from the Cisco ISE CLI: terminal session-timeout 0. After you disable the console timeout,
log out and log in to the Cisco ISE CLI. After upgrade is complete, ensure that the terminal session
timeout is set to its original value. The default value is 30 minutes.
We strongly recommend that you delay any deployment configuration changes such as changing node
personas, system synchronization, and node registration or deregistration until all the nodes in your
deployment are completely upgraded. One exception to this recommendation, however, involves steps
that are required to recover from a failed upgrade.
The Monitoring node's database size is reduced after you upgrade to Release 1.2 because of database
design and schema changes in Release 1.2, which optimizes disk space utilization and offers better
performance.
The upgrade process from Cisco ISE 1.1.x to 1.2 includes the operating system and application binary
upgrade from a 32-bit to a 64-bit system. During upgrade, the node is rebooted twice following the
database and operating system upgrade. After the second reboot, the 64-bit application binaries are
installed and the database is migrated to the 64-bit system. During this process, you can monitor the
progress of the upgrade from the CLI using the show application status ise command. The following
message appears: "% NOTICE: Identity Services Engine upgrade is in progress..."
Related Topics
Cisco Identity Services Engine User Guide, Release 1.2
Cisco Identity Services Engine CLI Reference Guide, Release 1.2

VMware Virtual Machine Settings

If you are upgrading nodes on virtual machines, ensure that you read the following statements carefully. You
should make these changes before you upgrade to Release 1.2.

Note

You must power down the virtual machine before you make the following changes, and power it back on
after the changes are done.
Cisco ISE, Release 1.2, is a 64-bit system. Ensure that your virtual machine's hardware is compatible
with 64-bit systems. See the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2
for more information. Enable BIOS settings that are required for 64-bit systems. Refer to the VMware
Knowledge Base for hardware and firmware requirements for 64-bit guest operating systems. After you
upgrade to Release 1.2, choose Linux as the Guest Operating System and Red Hat Enterprise Linux 5
(64-bit) as the version. See the VMware Knowledge Base for more information.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

4

OL-27087-01

Upgrading Cisco ISE

Upgrade Time Estimation

You can also increase the CPU and memory size of the virtual machine. Refer to Cisco Identity Services
Engine Hardware Installation Guide, Release 1.2 for deployment sizing and scaling recommendations
for the SNS 3400 Series appliances. If you increase the disk size of a virtual machine, you cannot upgrade
so you must do a fresh installation of Release 1.2. After you install Release 1.2, you can check the CPU
and memory size using the show inventory command from the Cisco ISE CLI.

Upgrade Time Estimation

Upgrade Time Estimation
The following table provides an estimate of the amount of time it might take to upgrade Cisco ISE nodes.
Actual time taken for upgrade varies depending on a number of factors. Your production network continues
to function without any downtime during the upgrade process. The data presented here is from a deployment
with 25000 users and 250,000 endpoints.
Type of Deployment

Node Persona

Time Taken for Upgrade

Standalone (2000 endpoints)

Administration, Policy Service,

Monitoring

1 hour 20 minutes

Distributed (25,000 users and

250,000 endpoints)

Secondary Administration

2 hours

Monitoring

1.5 hours

Factors That Affect Upgrade Time

Number of endpoints in your network
Number of users and guest users in your network
Profiling service, if enabled

Note

Cisco ISE nodes on virtual machines might take a longer time to upgrade than physical appliances.

Obtain a Backup Before Upgrade to Prevent Any Data Loss

To prevent any data loss, you should perform an on-demand backup of the Cisco ISE Configuration and
Monitoring (operational) data before upgrade.

Performing an On-Demand Backup from the Cisco ISE User Interface

In the Cisco ISE user interface, you can perform an on-demand backup of the primary Administration node.
You must perform a backup of the Cisco ISE application and ADE-OS configuration data and monitoring
(operational) data. For backup and restore operations, the following repository types are not supported:
CD-ROM, HTTP, HTTPS, or TFTP. This is because, these repository types are read-only or the protocol does

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

Upgrading Cisco ISE

Performing an On-Demand Backup from the Cisco ISE User Interface

not support file listing. In a distributed deployment, if the primary Administration and primary Monitoring
personas run on the same node (appliance or virtual machine), then you can use the local repository for the
backup. If they run on separate nodes (appliances or virtual machines), the local repository cannot be used
for the backup. You can use the CLI and GUI to create repositories, but for Cisco ISE, Release 1.2, it is
recommended to use the GUI due to the following reasons:
Repositories that are created through the CLI are saved locally and do not get replicated to the other
deployment nodes. These repositories do not get listed in the repository GUI page.
Repositories that are created on the primary Administration node through the GUI get replicated to the
other deployment nodes.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Before you perform this task, you should have a basic understanding of the type of data that can be
backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and
Monitoring data.
Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity
Services Engine User Guide, Release 1.2 for more details.
When you perform a backup, do not change the role of a node or promote a node. Changing node roles
will shut down all the processes and might cause some inconsistency in data if a backup is running
concurrently. Wait for the backup to complete before you make any node role changes.
Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE
server startup configuration. You can use this startup configuration when you restore or troubleshoot
your Cisco ISE application from the backup and system logs. For more information about copying the
running configuration to the startup configuration, see the copy command in the Cisco Identity Services
Engine CLI Reference Guide, Release 1.2.

Note

Operational (Monitoring data) backup can be obtained only from the primary and secondary Monitoring
nodes.

Procedure
Step 1
Step 2
Step 3

Log in to the Cisco ISE administrative user interface.

Choose Administration > System > Maintenance.
Choose Data Management > Administration Node > Full Backup On Demand.
Choose Monitoring Node if you want to back up monitoring data.

Step 4
Step 5
Step 6

Enter the values as required to perform a backup.

Click Backup Now.
Verify that the backup completed successfully.
Cisco ISE appends the backup filename with the timestamp and stores this file in the specified repository.
Check if your backup file exists in the repository that you have specified.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

6

OL-27087-01

Upgrading Cisco ISE

Performing a Backup from the Cisco ISE CLI

Performing a Backup from the Cisco ISE CLI

To perform a backup of the Cisco ISE configuration or operational data from the Cisco ISE CLI and place
the backup in a repository, enter the backup command in EXEC mode.

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.
Before you perform this task, you should have a basic understanding of the type of data that can be
backed up in Cisco ISE. You should perform an on-demand backup of the Cisco ISE Configuration and
Monitoring data.
Before you perform this task, ensure that you have configured repositories. Refer to Cisco Identity
Services Engine User Guide, Release 1.1.x for more details.
When you perform a backup, do not change the role of a node or promote a node. Changing node roles
will shut down all the processes and might cause some inconsistency in data if a backup is running
concurrently. Wait for the backup to complete before you make any node role changes.
Copy the running configuration to a safe location, such as a network server, or save it as the Cisco ISE
server startup configuration. You can use this startup configuration when you restore or troubleshoot
Cisco ISE from the backup and system logs. For more information about copying the running configuration
to the startup configuration, see the copy command in Cisco Identity Services Engine CLI Reference
Guide, Release 1.1.x.

Note

Operational backups can be obtained only from the primary and secondary Monitoring nodes.
For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP,
HTTPS, or TFTP. This is because, these repository types are read-only or the protocol does not support
file listings.
In a distributed deployment, if the primary Administration and primary Monitoring personas run on the
same node (appliance or virtual machine), then you can use the local repository for the backup. If they
run on separate nodes (appliances or virtual machines), the local repository cannot be used for the backup.

Procedure
To obtain Cisco ISE configuration data, enter the backup command with the ise-config command operator
parameter in the CLI of the primary Administration node in your old deployment. To obtain Cisco ISE
operational (monitoring and troubleshooting) data, enter the backup command with the ise-operational
command operator parameter in the CLI of the primary or secondary Monitoring node in your old deployment.
CLI command to obtain a Cisco ISE configuration backup.
backup backup-name repository repository-name ise-config encryption-key{hash | plain}
encryption-keyname
CLI command to obtain a Cisco ISE operational backup.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

Upgrading Cisco ISE

Performing a Backup from the Cisco ISE CLI

backup backup-name repository repository-name ise-operational encryption-key{hash | plain}

encryption-keyname
The following table provides the syntax description:
backup-name

Name of the backup file. Supports up to 100

alphanumeric characters.

repository

Specifies the repository to store the backup file.

repository-name

Name and location of the repository where the files

should be backed up to. Supports up to 80
alphanumeric characters.

ise-config

(Optional) Backs up Cisco ISE configuration data

(includes Cisco ISE ADE-OS configuration data).

ise-operational

(Optional) Backs up only Cisco ISE operational

(monitoring and troubleshooting) data. You can only
specify this command operator parameter on the
primary and secondary Monitoring nodes.

encryption-key

Specifies an encryption key to protect the backup.

hash

Specifies a hashed encryption key to protect the

backup.

plain

Specifies a plaintext encryption key to protect the

backup. Specifies an unencrypted plaintext encryption
key that follows. Supports up to 15 characters in
length. for backup.

encryption-key name

Name of the encryption key in hash | plain format.

Supports up to 40 characters for hashed encryption
and 15 characters for plaintext encryption.

The backup command performs a backup of the Cisco ISE and ADE-OS configuration data and monitoring
data and places the backup in a repository with an encrypted (hashed) or unencrypted plaintext password.
You can encrypt and decrypt the backup by using a user-defined encryption key.
ise/admin# backup mybackup repository myrepository ise-config encryption-key plain Lab12345
% Creating backup with timestamped filename: backup-111125-1252.tar.gpg
ise/admin#
ise/admin# backup mybackup repository myrepository ise-operational encryption-key plain
Lab12345
% Creating backup with timestamped filename: backup-111125-1235.tar.gpg
ise/admin#

Related Topics
Cisco Identity Services Engine CLI Reference Guide, Release 1.1.x

Cisco Identity Services Engine Upgrade Guide, Release 1.2

8

OL-27087-01

Upgrading Cisco ISE

Cisco ISE 1.2 Upgrade Process

Cisco ISE 1.2 Upgrade Process

You can upgrade to Cisco ISE, Release 1.2, only from the Cisco ISE command-line interface (CLI). For
instructions on upgrading standalone or two-node deployments, see "Chapter 2, Upgrading Standalone and
Two-Node Deployments to Release 1.2". For instructions on upgrading a distributed deployment, see "Chapter
3, Upgrading a Distributed Deployment to Cisco ISE, Release 1.2".
The upgrade process for a standalone node is different than the one for upgrading nodes in a deployment.
When you run the application upgrade command from the Cisco ISE CLI, the following tasks are performed
in the background in each of the nodes:
1 Downloads the upgrade bundle and extracts it.
2 Performs a backup of the configuration database (for automatic rollback in case of recoverable failures).
3 Upgrades the configuration database or downloads a dump of the upgraded configuration database (in the
case of a standalone node).
4 Upgrades the monitoring database.
5 Upgrades the operating system and application binary files.
6 Migrates the database from a 32-bit to a 64-bit system.
7 After a successful upgrade, prompts the user to log in to Cisco ISE, Release 1.2.
For distributed deployments, the upgrade process follows a Split Deployment model. After you upgrade the
secondary Administration node to the new release, Cisco ISE creates a new deployment. The secondary
Administration node from the old deployment becomes the primary Administration node in the new deployment.
When you upgrade the rest of the nodes in the old deployment, they join the new deployment.
When you upgrade the secondary Administration node from the old deployment, it saves the old deployment
configuration and also notifies the primary Administration node of the upgrade. The primary Administration
node in the old deployment notifies the other nodes about the upgrade. After upgrade, the nodes from the old
deployment join the primary Administration node in the new deployment. The upgrade process retains licenses
and certificates. You do not have to reinstall or reimport them. Cisco ISE, Release 1.2, supports license files
with two-node unique device identifiers (UDIs). You can request for a new license with the UDI of both the
primary and secondary Administration nodes. See the Cisco Identity Services Engine Hardware Installation
Guide for details.

Note

To upgrade to Cisco ISE, Release 1.2, you do not have to deregister the nodes from the deployment and
register them to the new deployment as was the case in previous releases. When you run the application
upgrade command from the CLI, the upgrade software deregisters the node and registers it to the new
deployment automatically.
The upgrade fails if you make any node persona changes in the old deployment after you start the upgrade
on the secondary Administration node.
You must first upgrade the secondary Administration node. Then, upgrade the primary Monitoring node,
followed by the Policy Service nodes and Inline Posture nodes, respectively. Next, upgrade the secondary
Monitoring node (if you have one in your old deployment). Finally, upgrade the primary Administration node
from your old deployment. For Policy Service nodes, the database schema is not upgraded. Instead, the Policy
Service nodes get a copy of the new database from the primary Administration node in the new deployment.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

Upgrading Cisco ISE

Cisco ISE 1.2 Supported Upgrade Paths

Cisco ISE 1.2 Supported Upgrade Paths

You can upgrade to Cisco ISE, Release 1.2, from any of the following releases:
Cisco ISE, Release 1.1.0.665 (or 1.1.0 with the latest patch applied)
Cisco ISE, Release 1.1.1.268 (or 1.1.1 with the latest patch applied)
Cisco ISE, Release 1.1.2, with the latest patch applied
Cisco ISE, Release 1.1.3, with the latest patch applied
Cisco ISE, Release 1.1.4, with the latest patch applied
The following table lists the Cisco ISE versions and what you need to do to upgrade to Cisco ISE, Release
1.2, from those versions.
Table 1: Upgrade Roadmap

From Version

Upgrade Path

Cisco ISE, Release 1.0 or 1.0.x

1 Upgrade to Cisco ISE, Release 1.1.0.

2 Apply the latest patch for Cisco ISE, Release 1.1.0.
3 Upgrade to Cisco ISE, Release 1.2.

Cisco ISE, Release 1.1

1 Apply the latest patch for Cisco ISE, Release 1.1.0.

2 Upgrade to Cisco ISE, Release 1.2.

Cisco ISE, Release 1.1.x

1 Apply the latest patch for Cisco ISE, Release 1.1.x.

2 Upgrade to Cisco ISE, Release 1.2.

Downloading the Upgrade Software

To download the upgrade bundle (ise-upgradebundle-x.x.x.x.i386.tar.gz) from Cisco.com:

Procedure
Command or Action
Step 1

Purpose

Go to http://www.cisco.com/go/ise. You
must already have valid Cisco.com login
credentials to access this link.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

10

OL-27087-01

Upgrading Cisco ISE

Upgrade CLI Command

Command or Action

Purpose

Step 2

Click Download Software for this

Product.

Step 3

Download the upgrade bundle.

Download
ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz
to upgrade from Release 1.1.x to Release 1.2.
Download
ise-upgradebundle-1.2.0.899.x86_64.tar.gz to
upgrade from the Limited Availability Release to
Release 1.2.

Upgrade CLI Command

You can upgrade directly from the Cisco ISE CLI. This option allows you to install the new Cisco ISE software
on the appliance and simultaneously upgrade configuration and monitoring information databases.
To use the application upgrade command from the Cisco ISE CLI, enter:
application upgrade application-bundle repository-name
application-bundle is the name of the application bundle to upgrade the Cisco ISE application.
repository-name is the name of the repository.
When you upgrade or restore Cisco ISE Monitoring nodes from the older versions of Cisco ISE to Release
1.2, the active sessions are not retained and are reset to 0.
Related Topics
Upgrading a Two-Node Deployment
Performing a Backup to Prevent Data Loss During Upgrade

Upgrade Methods for Different Types of Deployments

Before you proceed with an upgrade, we recommend that you review the following chapters in this document
for information about how to perform an upgrade on the following different types of deployments:
Standalone and two-node deployments
Distributed deployments
Related Topics
Upgrading a Two-Node Deployment
Upgrading a Distributed Deployment

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

11

Upgrading Cisco ISE

Verifying the Upgrade Process

Verifying the Upgrade Process

To verify if an upgrade is successful, do one of the following:
Check the ade.log file for the upgrade process. To display the ade.log file, enter the following command
from the Cisco ISE CLI: show logging system ade/ADE.log
Enter the show version command to verify the build version.
Enter the show application status ise command to verify that all the services are running.
If upgrade fails because of configuration database issues, the changes are rolled back automatically. Refer to
Chapter 4, "Recovering from Cisco ISE Upgrade Failures" for more information.

Post-Upgrade Tasks
Note

If you have recently upgraded to Cisco ISE 1.3, perform the post-upgrade tasks listed in the Cisco Identity
Services Upgrade Guide, Release 1.3.
Refer to Cisco Identity Services Engine User Guide, Release 1.2, for details about each of these tasks.
Check if the local and Certificate Authority (CA) certificates are available. Reimport them, if necessary.
Reconfigure your backup schedules (configuration and operational). Scheduled backups configured in
the old deployment are lost during upgrade.
Join Cisco ISE with Active Directory again, if you use Active Directory as your external identity source
and connection to Active Directory is lost.
Reset the RSA node secret if you use RSA SecurID server as your external identity source.
Perform a posture update from the primary Administration node after upgrade if you have enabled the
Posture service.
Check and import custom profiler policies. If you changed the default profiler policies, the upgrade
process overwrites the changes.
Check profiling probe configurations and reconfigure them, if necessary.
Customize default language templates after upgrade. If you had customized the default language templates
in the old deployment, the upgrade process overwrites the changes.
Reconfigure profiler SNMP polling. This configuration is lost during an upgrade.
After upgrade, the OUI entries might be missing in the database, which might result in the endpoints
matching incorrect authorization policies. Run the feed service to update the OUI.
In previous releases of Cisco ISE, guest user records were available in the Internal Users database. Cisco
ISE, Release 1.2 introduces a Guest Users database, which is different than the Internal Users database.
If you have added the Internal Users database to your identity source sequence, the Guest Users database
also becomes part of your identity source sequence. If guest user login is not applicable, remove the
Guest Users database from the identity source sequence.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

12

OL-27087-01

Upgrading Cisco ISE

Known Upgrade Issues

Reconfigure e-mail settings, favorite reports, and data purge settings.

Check the threshold and/or filters for specific alarms that you need. All the alarms are enabled by default
after an upgrade.
Customize reports based on your needs. If you had customized the reports in the old deployment, the
upgrade process overwrites the changes that you made.
The operational (monitoring and troubleshooting) data purge has changed in Cisco ISE, Release 1.2.
Purge settings default to 90 days. Some of the logs are purged within 24 hours of upgrading to the new
deployment. Check the dashboard to see if you are viewing data for the previous 24 hours. You can also
check the reports and live logs as well. Ensure that you obtain a backup of all the monitoring (operational)
data that you need.

Known Upgrade Issues

This section lists some of the known upgrade issues with workarounds. Refer to the Open Caveats section in
the Release Notes for Cisco Identity Services Engine, Release 1.2 for more details.

Upgrading Secondary Nodes From Limited Availability Release to Release 1.2

Fails
Problem This issue occurs only when you upgrade secondary nodes from the Limited Availability Release to

Cisco ISE, Release 1.2.

Possible Cause This issue is seen when you have backup schedules configured in Cisco ISE.
Solution Disable or cancel the backup schedules before you upgrade to Release 1.2.

Scheduled Backup Configurations Are Lost

Problem This issue occurs after you upgrade to Release 1.2 from earlier releases. Even though you backed up

the configuration data before upgrade and restored it in Cisco ISE, Release 1.2, the scheduled backup
configurations are lost.
Solution You must reconfigure the scheduled backups in Cisco ISE, Release 1.2.

Browser Cache Issues

Problem This issue occurs if you are using the same browser to access Cisco ISE before and after the upgrade.
Solution You must clear your browser cache after upgrade to access Cisco ISE, Release 1.2.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

13

Upgrading Cisco ISE

Active Directory Join Issues

Active Directory Join Issues

Problem If you use Active Directory as your external identity store, after you upgrade to Release 1.2, Cisco

ISE will no longer be joined to the Active Directory domain.

Solution You must rejoin the nodes to the Active Directory domain from the Active Directory pages of the

Cisco ISE user interface.

RSA Connection Is Lost

Problem If you use RSA SecurID Server as your external identity source, the RSA SecurID server connection

might be lost after an upgrade.

Solution Reset the RSA node secret from the primary Administration node. Refer to Cisco Identity Services

Engine User Guide, Release 1.2, for more details.

New Users or Endpoints Added to the Old Deployment During Upgrade Are
Lost
Problem Guest users or endpoints that are added to the old deployment when the new deployment is formed

are lost.
Solution Ensure that you disable services such as Guest, Profiler, Device Onboarding, and so on before an

upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices
must be profiled and onboarded again.

Profiler SNMP Polling Configuration Is Lost

Problem Profiler SNMP polling configuration is lost after an upgrade.
Solution You must reconfigure profiler SNMP polling from the Cisco ISE, Release 1.2 primary Administration

node after an upgrade. Refer to the Cisco Identity Services Engine User Guide, Release 1.2, for more
information.

Default Language Template Customization Is Lost

Problem If you have edited the default language templates, the changes that you have made are lost after an

upgrade.
Solution Customize the default language templates again after the upgrade.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

14

OL-27087-01

Upgrading Cisco ISE

CLI Password Policy is Lost During Upgrade

CLI Password Policy is Lost During Upgrade

Problem This issue occurs when you upgrade to Cisco ISE, Release 1.2.
Possible Cause In Cisco ISE, Release 1.2, the GUI and CLI password policies are unified and replicated

to all nodes.
Solution After you upgrade to Release 1.2, configure the password policy from the Cisco ISE Admin portal

(Administration > System > Admin Access > Password Policy).

Posture Updates Are Overwritten

Problem During an upgrade, the operating system list for posture is updated, which might affect posture rules.
Solution After upgrade, from the primary Administration user interface, choose Administration > System >

Settings > Posture > Updates. Check the Cisco supported OS version. If it is set to 0.0.0.0, perform a posture
update.

Manifest Error While Running Upgrade

Problem You might see a "manifest error" when you try to upgrade ISE with an application bundle that was

downloaded using Apple Safari web browser from Cisco.com.

Possible Cause The upgrade file is decompressed after the download. By default, the Apple Safari web

browser opens "safe files" after a download. This setting decompresses the upgrade bundle after download
and causes the manifest error during upgrade.
Solution Uncheck the "open safe files after downloading" option under Preferences in the Apple Safari web

browser.

Cisco Identity Services Engine Upgrade Guide, Release 1.2

OL-27087-01

15

Upgrading Cisco ISE

Manifest Error While Running Upgrade

Cisco Identity Services Engine Upgrade Guide, Release 1.2

16

OL-27087-01