
Upgrade – ISE 3.2 to 3.3 – CLI

On Cisco dCloud (here: https://dcloud.cisco.com/), you can reserve a Cisco ISE server.

That is what I did to test an upgrade from version 3.2 to version 3.3 from the CLI.

The upgrade took 1 hour 30 minutes in total. It can take longer if you have a lot of logs on the ISE server.

For the upgrade, I captured two sets of logs:

  • The output of my SSH session
  • A show logging system ade/ADE.log tail

To perform the upgrade, you need to:

  • Have a repository configured (not covered here)
  • Have placed the upgrade files in the repository (for me it was an FTP server with FileZilla)

From the CLI, you can check whether a repository already exists and what it contains:

show running-config repository 
show repository FTP 

The upgrade is done with two commands:

  • Preparation: ISE downloads the file, unpacks it and verifies its signature.
  • Launch: ISE performs the upgrade.

application upgrade prepare ise-upgradebundle-3.0.x-3.2.x-to-3.3.0.430b.SPA.x86_64.tar.gz FTP
application upgrade proceed 

Here are the logs of the upgrade.

PS: The commands I typed are in bold.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.12.09 15:12:40 =~=~=~=~=~=~=~=~=~=~=~=
show running-config repository 
repository FTP
 url ftp://198.18.133.36/
 user ise password hash **********
!
ise/admin#show repository FTP
desktop.ini                                                                                         
ise-patchbundle-3.3.0.430-Patch3-24070910.SPA.x86_64.tar.gz                                         
ise-upgradebundle-3.0.x-3.2.x-to-3.3.0.430b.SPA.x86_64.tar.gz                                       
ShareX-16.1.0-setup.exe                                                                             
ise/admin#screen-length 0
ise/admin#application upgrade prepare ise-upgradebundle-3.0.x-3.2.x-to-3.3.0.430b.SPA.x86_64.tar.gz FTP
Be sure that all your software is working stable, check your system on UI page (Administration > System > Health Checks) 
Type yes once confirmed that health of the system is good to proceed:  (yes/no) [yes] ? yes

Be sure that all your software is working stable, check your system on UI page (Administration > System > Health Checks) 

Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature..

Application upgrade preparation successful

ise/admin#application upgrade proceed 
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
Required ESX Version 7.0 available to proceed with upgrade
STEP 1: Stopping ISE application...
STEP 2: Verifying files in bundle...
-Internal hash verification passed for bundle
STEP 3: Validating data before upgrade...
STEP 4: Taking backup of the configuration data...
Truncating sec_txnlog_master - STANDALONE...
STEP 5: Running ISE configuration database schema upgrade...
- Running db sanity to check and fix if any index corruption
- Auto Upgrading Schema for UPS Model
- Upgrading Schema completed for UPS Model
ISE database schema upgrade completed.
STEP 6: Running ISE configuration data upgrade...
- Data upgrade step 1/24, AuthzPolicyDictionaryManager(3.3.0.108)... Done in 5 seconds.
- Data upgrade step 2/24, PIProfilerRegistrationService(3.3.0.140)... Done in 11 seconds.
- Data upgrade step 3/24, MfcDictionaryManager(3.3.0.188)... Done in 0 seconds.
- Data upgrade step 4/24, NSFUpgradeService(3.3.0.250)... Done in 0 seconds.
- Data upgrade step 5/24, IdentityProviderAddCertToTrustedListUpgrade(3.3.0.253)... Done in 0 seconds.
- Data upgrade step 6/24, PostureSessionOSArchRegistration(3.3.0.257)... Done in 0 seconds.
- Data upgrade step 7/24, ProfilerUpgradeService(3.3.0.286)... Done in 0 seconds.
- Data upgrade step 8/24, CertMgmtUpgradeService(3.3.0.295)... Done in 0 seconds.
- Data upgrade step 9/24, UPSUpgradeHandler(3.3.0.295)... Done in 5 seconds.
- Data upgrade step 10/24, PIProfilerRegistrationService(3.3.0.306)... Done in 0 seconds.
- Data upgrade step 11/24, CpmIpFilterUpgradeService(3.3.0.306)... Done in 0 seconds.
- Data upgrade step 12/24, NodeExporterPasswordHandler(3.3.0.356)... Done in 34 seconds.
- Data upgrade step 13/24, ProfilerUpgradeService(3.3.0.365)... Done in 0 seconds.
- Data upgrade step 14/24, PIProfilerRegistrationService(3.3.0.400)... Done in 0 seconds.
- Data upgrade step 15/24, LogAnalyticsEnableService(3.3.0.417)... ..Done in 135 seconds.
- Data upgrade step 16/24, NSFUpgradeService(3.3.0.430)... Done in 0 seconds.
- Data upgrade step 17/24, ProfilerUpgradeService(3.3.0.430)... Done in 0 seconds.
- Data upgrade step 18/24, GuestAccessUpgradeService(3.3.0.430)... Done in 9 seconds.
- Data upgrade step 19/24, UPSUpgradeHandler(3.3.0.430)... Done in 2 seconds.
- Data upgrade step 20/24, ESUpgradeService(3.3.0.430)... .Done in 105 seconds.
- Data upgrade step 21/24, ProvisioningRegistrationNew(3.3.0.430)... Done in 0 seconds.
- Data upgrade step 22/24, NodeExporterPasswordHandler(3.3.0.430)... Done in 0 seconds.
- Data upgrade step 23/24, LogAnalyticsEnableService(3.3.0.430)... Done in 8 seconds.
- Data upgrade step 24/24, SecuritySettingsRegistration(3.3.0.464)... Done in 0 seconds.
STEP 7: Running ISE configuration data upgrade for node specific data...
STEP 8: Running ISE M&T database upgrade...
M&T Log Processor is not running
ISE database M&T schema upgrade completed.
% Warning: Some warnings encountered during MNT sanity check
Deleting stale upgradedb property files , if any.
% NOTICE: The appliance will reboot twice to upgrade software and ADE-OS. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete.
Rebooting to do Identity Service Engine upgrade...

Application upgrade successful
ise/admin#

At this point, the ISE server shuts down and reboots twice.

(% NOTICE: The appliance will reboot twice to upgrade software and ADE-OS. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete.)

You simply have to wait until ISE comes back.

Below is what follows once it is back:

ise/admin#show application status ise

% Application status information is not available

ise/admin#show application status ise

% Application ise is not installed

ise/admin#show application status ise

% NOTICE: Identity Services Engine upgrade is in progress...

ise/admin#show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          91956       
Database Server                        running          127 PROCESSES
Application Server                     running          112060      
Profiler Database                      running          100447      
ISE Indexing Engine                    running          112866      
AD Connector                           running          114131      
M&T Session Database                   running          101281      
M&T Log Processor                      running          112228      
Certificate Authority Service          running          114001      
EST Service                            running          161535      
SXP Engine Service                     disabled                     
TC-NAC Service                         disabled        
PassiveID WMI Service                  disabled                     
PassiveID Syslog Service               disabled                     
PassiveID API Service                  disabled                     
PassiveID Agent Service                disabled                     
PassiveID Endpoint Service             disabled                     
PassiveID SPAN Service                 disabled                     
DHCP Server (dhcpd)                    disabled                     
DNS Server (named)                     disabled                     
ISE Messaging Service                  running          94913       
ISE API Gateway Database Service       running          97202       
ISE API Gateway Service                running          176020      
ISE pxGrid Direct Service              running          149686      
Segmentation Policy Service            disabled                     
REST Auth Service                      disabled                     
SSE Connector                          disabled                     
Hermes (pxGrid Cloud Agent)            disabled                     
McTrust (Meraki Sync Service)          disabled                     
ISE Node Exporter                      running          115182      
ISE Prometheus Service                 running          117426      
ISE Grafana Service                    running          126562      
ISE MNT LogAnalytics Elasticsearch     initializing                 
ISE Logstash Service                   not running                  
ISE Kibana Service                     not running                  
ISE Native IPSec Service               running          145871      
MFC Profiler                           running          155447      

ise/admin#show version

Cisco Application Deployment Engine OS Release: 3.3
ADE-OS Build Version: 3.3.0.181
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2023 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.3.0.430
Build Date   : Tue Jul  4 00:31:18 2023
Install Date : Mon Dec  9 16:12:36 2024

ise/admin#

And there you go!

Of course, in production, you run a battery of tests (AD, 802.1X, TACACS, failover, etc.)
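
As a first automated check before those functional tests, the sketch below parses a saved session log and reports whether the last show application status ise table is fully up. It is an added example, not part of the original post or Cisco tooling; the REQUIRED list, the function names and the rule that "initializing" or "not running" calls for a recheck are assumptions, and the sample log is constructed from lines shown above.

```python
import re

# One table row: service name, 2+ spaces, state (the PID column is ignored).
ROW = re.compile(r"^(?P<name>\S.*?)\s{2,}"
                 r"(?P<state>not running|running|initializing|disabled)\b")
CMD = "show application status ise"
# Assumption: services this check insists on, named as ISE prints them.
REQUIRED = ("Database Server", "Application Server")

# Constructed sample: an early poll during the upgrade, then a later table.
SAMPLE = """\
ise/admin#show application status ise
% NOTICE: Identity Services Engine upgrade is in progress...
ise/admin#show application status ise
ISE PROCESS NAME                       STATE            PROCESS ID
Database Server                        running          127 PROCESSES
Application Server                     running          112060
SXP Engine Service                     disabled
ISE MNT LogAnalytics Elasticsearch     initializing
ISE Logstash Service                   not running
ise/admin#show version
"""


def last_status_table(session_log):
    """Return {service: state} for the last status command in the log."""
    _, found, chunk = session_log.rpartition(CMD)
    table = {}
    for line in chunk.splitlines() if found else []:
        if re.match(r"\S+/\S+#", line):    # next prompt ends the output
            break
        row = ROW.match(line.strip())
        if row:
            table[row["name"]] = row["state"]
    return table


def assess(session_log):
    """Return (ready, follow_up); follow_up lists services to recheck."""
    table = last_status_table(session_log)
    follow_up = [f"{n}: {table.get(n, 'missing')}"
                 for n in REQUIRED if table.get(n) != "running"]
    follow_up += [f"{n}: {s}" for n, s in table.items()
                  if n not in REQUIRED and s in ("initializing", "not running")]
    return bool(table) and not follow_up, follow_up


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Only the last table in the log is judged, so the earlier "upgrade is in progress" polls do not affect the result.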

Below are the complete logs of the upgrade. They can serve as a point of comparison!
