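Upgrading Cisco ISE from 1.4 to 2.2: a few notes

Upgrading a device can be hard or it can be easy, but upgrading Cisco equipment is actually quite manageable, because Cisco provides detailed documentation. As long as you read it carefully, the upgrade generally goes without problems; if something does go wrong, it is probably down to your luck.

A friendly reminder: read the documentation carefully before upgrading, especially the notes and cautions.

Below we walk through the upgrade from 1.4 to 2.2 in detail.

First, Cisco supports upgrading directly to 2.2 from the following releases: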

  • Cisco ISE, Release 1.4

  • Cisco ISE, Release 2.0

  • Cisco ISE, Release 2.0.1

  • Cisco ISE, Release 2.1

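If you are on a release earlier than 1.4, you must first upgrade to one of the releases above.

Cisco supports two upgrade methods:

1. GUI: upgrade through the graphical interface, but this method only applies to release 2.0 and later.

2. CLI: upgrade from the command line; this method works for release 1.4 and later.

My release is 1.4, so sadly I could only upgrade from the command line.

Upgrading ISE is a very long process. I started at around 9 p.m., and by almost midnight it still had not finished. I did not measure the exact time because I fell asleep partway through; when I woke up in the morning the upgrade had finished.

Below are the official upgrade time estimates, for reference only.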

[Image: official upgrade time estimates]

Mine is a single-node deployment.

In addition, the following factors also affect the upgrade time:

  • Number of endpoints in your network

  • Number of users and guest users in your network

  • Amount of logs in a Monitoring or Standalone node

  • Profiling service, if enabled

Note: upgrading a virtual machine takes longer than upgrading a physical appliance.

The following must be completed before upgrading:

  • Apply Latest Patch to Your Current Cisco ISE Version Before Upgrade

  • Change VMware Virtual Machine Guest Operating System and Settings

  • Firewall Ports That Must be Open for Communication

  • Back Up Cisco ISE Configuration and Operational Data from the Primary Administration Node

  • Back Up System Logs from the Primary Administration Node

  • Check the Validity of Certificates

  • Export Certificates and Private Keys

  • Disable PAN Automatic Failover and Scheduled Backups Before Upgrade

  • NTP Server Should Be Configured Correctly and Reachable

  • Record Profiler Configuration

  • Obtain Active Directory and Internal Administrator Account Credentials

  • Activate MDM Vendor Before Upgrade

  • Create Repository and Copy the Upgrade Bundle

  • Check Load Balancer Configuration

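The list above is the official one. All I can say is: if an item applies to you, make sure you deal with it properly, otherwise you will get results you never imagined. Let me show you the lessons I learned the hard way.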

Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
% Error: None of the configured ntp servers are reachable. Reconfigure with 'ntp server' command from CLI and then ensure that all nodes in deployment are in sync before retrying upgrade.
% Application install or upgrade cancelled.

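The message above tells me the NTP servers are unreachable and must be reconfigured. Until NTP is configured properly, there is no point trying to go any further.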

Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
STEP 1: Stopping ISE application...
STEP 2: Verifying files in bundle...
-Internal hash verification passed for bundle
STEP 3: Validating data before upgrade...
System certificate with friendly name 'Default self-signed server certificate' is invalid: The certificate has expired.
% Error:  One or more system certificates are invalid (see above), please update with valid system certificate(s) before continuing. Upgrade cannot continue.
Starting application after rollback...
./isedbupgrade-newmodel.sh: illegal option -- 1
Invalid option: -
% Error: The node has been reverted back to its pre-upgrade state.
% Application install or upgrade cancelled.

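The message above tells me a system certificate is invalid because it has expired. If you do not deal with it, I do not need to tell you what happens next.

So read the documentation carefully and note which items are mandatory.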
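The two failed runs above can be triaged mechanically. The following is an added example, not part of the original post or of Cisco's tooling: it reads a saved console transcript and reports which pre-upgrade checklist item was missed, which certificate was rejected, and whether the node rolled back. The sample transcripts are abbreviated copies of the output above, and the mapping from error text to checklist item is this example's own assumption.

```python
import re

# Constructed samples: the two failed runs shown above, abbreviated.
NTP_FAIL = """Initiating Application Upgrade...
-Checking VM for minimum hardware requirements
% Error: None of the configured ntp servers are reachable. Reconfigure with 'ntp server' command from CLI and then ensure that all nodes in deployment are in sync before retrying upgrade.
% Application install or upgrade cancelled.
"""
CERT_FAIL = """STEP 3: Validating data before upgrade...
System certificate with friendly name 'Default self-signed server certificate' is invalid: The certificate has expired.
% Error:  One or more system certificates are invalid (see above), please update with valid system certificate(s) before continuing. Upgrade cannot continue.
Starting application after rollback...
% Error: The node has been reverted back to its pre-upgrade state.
% Application install or upgrade cancelled.
"""

# Error text -> checklist item that was skipped (mapping assumed by this example).
RULES = [
    (re.compile(r"ntp servers are reachable", re.I),
     "NTP Server Should Be Configured Correctly and Reachable"),
    (re.compile(r"certificate has expired|system certificates? .*invalid", re.I),
     "Check the Validity of Certificates"),
]
CERT_RE = re.compile(r"friendly name '([^']+)' is invalid: (.+)")
STEP_RE = re.compile(r"^STEP (\d+):", re.M)

def triage(transcript: str) -> dict:
    """Summarise a failed 'application upgrade' console transcript."""
    errors = [line[len("% Error:"):].strip()
              for line in transcript.splitlines() if line.startswith("% Error:")]
    skipped = [item for pattern, item in RULES if pattern.search(transcript)]
    steps = [int(n) for n in STEP_RE.findall(transcript)]
    return {
        "cancelled": "upgrade cancelled" in transcript,
        "rolled_back": "reverted back to its pre-upgrade state" in transcript,
        "last_step": max(steps) if steps else None,  # None: failed before STEP 1
        "bad_certs": CERT_RE.findall(transcript),    # (friendly name, reason) pairs
        "skipped_prereqs": skipped,
        "errors": errors,
    }

if __name__ == "__main__":
    for name, text in (("ntp", NTP_FAIL), ("cert", CERT_FAIL)):
        print(name, triage(text))
```

A `last_step` of `None` means the run was rejected before STEP 1, so the ISE application was never stopped; a `rolled_back` of `True` means services were stopped and restarted, which is the case worth scheduling a maintenance window around.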


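Now the upgrade proper begins.

First transfer the upgrade bundle to ISE over SFTP. I will not describe the transfer itself, but one point is worth making: the documentation tells you to use SFTP for a reason, so do not try FTP or anything else. This is advice from someone who learned it the hard way. Just use SFTP.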


ise-1/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ise-1/admin(config)# repository upgrade
ise-1/admin(config-Repository)# url disk:
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes. If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ise-1/admin(config-Repository)# exit
ise-1/admin(config)# exit

ise-1/admin# application upgrade prepare ise-upgradebundle-1.4.x-to-2.2.0.470.x86_64.tar.gz upgrade

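// This is the preparation step, a simulated installation: it verifies the upgrade bundle, so this step shows whether there is a problem with the bundle.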

Getting bundle to local machine...
 md5: 73602a456bdf5f35811832ad43ffa8fe
 sha256: ea21990738a8e20f02f3c6c8eb0f305587ed35c210094cc7f12dec3c3e9fa010
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y
Unbundling Application Package...
Application upgrade preparation successful
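The `Continue? Y/N` prompt above asks the operator to compare hashes by eye. As an added example (not from the original post or from Cisco), the sketch below does the comparison in code: it extracts the SHA-256 the node printed, compares it with the value copied from the vendor download page, and optionally hashes the copy kept on the admin workstation. The function names and the `published` argument are assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed sample: the preparation output shown above.
PREPARE_OUTPUT = """Getting bundle to local machine...
 md5: 73602a456bdf5f35811832ad43ffa8fe
 sha256: ea21990738a8e20f02f3c6c8eb0f305587ed35c210094cc7f12dec3c3e9fa010
% Please confirm above crypto hash matches what is posted on Cisco download site.
"""
SHA256_LINE = re.compile(r"^\s*sha256:\s*([0-9a-fA-F]{64})\s*$", re.M)

def file_sha256(path, chunk=1 << 20):
    """Stream the local copy so a multi-gigabyte bundle never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def reported_sha256(prepare_output):
    """Return the sha256 the node printed; the md5 line is ignored on purpose,
    since MD5 collisions are practical and it adds nothing to the check."""
    m = SHA256_LINE.search(prepare_output)
    return m.group(1).lower() if m else None

def check_bundle(published, prepare_output, local_path=None):
    """published: the SHA-256 copied by hand from the vendor download page."""
    published = published.strip().lower()
    reported = reported_sha256(prepare_output)
    checks = {"node_matches_published":
              reported is not None and hmac.compare_digest(reported, published)}
    if local_path is not None:  # optional: the copy kept on the admin workstation
        checks["local_matches_published"] = hmac.compare_digest(
            file_sha256(local_path), published)
    return {"reported": reported, "checks": checks,
            "answer": "Y" if all(checks.values()) else "N"}
```

If the local copy matches the published value but the node's copy does not, the bundle changed somewhere between the workstation and the node's repository, and the transfer should be repeated before answering the prompt.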


Now for the actual upgrade!

ise-1/admin# application upgrade proceed
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
STEP 1: Stopping ISE application...
STEP 2: Verifying files in bundle...
-Internal hash verification passed for bundle
STEP 3: Validating data before upgrade...
STEP 4: Taking backup of the configuration data...
STEP 5: Running ISE configuration database schema upgrade...
- Running db sanity check to fix index corruption, if any...
 - Auto Upgrading Schema for UPS Model...
 - Upgrading Schema completed for UPS Model.

ISE database schema upgrade completed.
STEP 6: Running ISE configuration data upgrade...
- Data upgrade step 1/131, UPSUpgradeHandler(1.5.0.136)... Done in 23 seconds.
- Data upgrade step 2/131, UPSUpgradeHandler(1.5.0.139)... Done in 0 seconds.
- Data upgrade step 3/131, ANCRegistration(1.5.0.140)... Done in 0 seconds.
- Data upgrade step 4/131, NSFUpgradeService(1.5.0.149)... Done in 11 seconds.
- Data upgrade step 5/131, UPSUpgradeHandler(1.5.0.150)... Done in 10 seconds.
- Data upgrade step 6/131, NetworkAccessUpgrade(1.5.0.151)... Done in 0 seconds.
- Data upgrade step 7/131, UPSUpgradeHandler(1.5.0.156)... Done in 0 seconds.
- Data upgrade step 8/131, NetworkAccessUpgrade(1.5.0.159)... Done in 0 seconds.
- Data upgrade step 9/131, NetworkAccessUpgrade(1.5.0.162)... Done in 1 seconds.
- Data upgrade step 10/131, NSFUpgradeService(1.5.0.180)... Done in 0 seconds.
- Data upgrade step 11/131, NetworkAccessUpgrade(1.5.0.180)... Done in 0 seconds.
- Data upgrade step 12/131, NetworkAccessUpgrade(1.5.0.181)... Done in 1 seconds.
- Data upgrade step 13/131, UPSUpgradeHandler(1.5.0.183)... Done in 0 seconds.
- Data upgrade step 14/131, NSFUpgradeService(1.5.0.184)... Done in 0 seconds.
- Data upgrade step 15/131, UPSUpgradeHandler(1.5.0.187)... Done in 1 seconds.
- Data upgrade step 16/131, NSFUpgradeService(1.5.0.199)... Done in 0 seconds.
- Data upgrade step 17/131, HostConfigUpgradeService(1.5.0.199)... Done in 0 seconds.
- Data upgrade step 18/131, NetworkAccessUpgrade(1.5.0.201)... Done in 0 seconds.
- Data upgrade step 19/131, NetworkAccessUpgrade(1.5.0.202)... Done in 0 seconds.
- Data upgrade step 20/131, GuestAccessUpgradeService(1.5.0.212)... Done in 5 seconds.
- Data upgrade step 21/131, NSFUpgradeService(1.5.0.234)... Done in 0 seconds.
- Data upgrade step 22/131, UPSUpgradeHandler(1.5.0.244)... Done in 0 seconds.
- Data upgrade step 23/131, NSFUpgradeService(1.5.0.246)... Done in 0 seconds.
- Data upgrade step 24/131, AuthzUpgradeService(1.5.0.252)... Done in 0 seconds.
- Data upgrade step 25/131, NSFUpgradeService(1.5.0.257)... Done in 0 seconds.
- Data upgrade step 26/131, NetworkAccessUpgrade(2.0.0.131)... Done in 0 seconds.
- Data upgrade step 27/131, AuthzUpgradeService(2.0.0.151)... Done in 0 seconds.
- Data upgrade step 28/131, AuthenPolicyUpgradeService(2.0.0.151)... Done in 0 seconds.
- Data upgrade step 29/131, NadProfilePolicyElemUpgradeService(2.0.0.151)... Done in 8 seconds.
- Data upgrade step 30/131, NetworkAccessUpgrade(2.0.0.154)... Done in 0 seconds.
- Data upgrade step 31/131, NetworkAccessUpgrade(2.0.0.156)... Done in 0 seconds.
- Data upgrade step 32/131, NSFUpgradeService(2.0.0.159)... Done in 0 seconds.
- Data upgrade step 33/131, ProvisioningUpgradeService(2.0.0.166)... Done in 0 seconds.
- Data upgrade step 34/131, CADeploymentUpgradeService(2.0.0.190)... Done in 16 seconds.
- Data upgrade step 35/131, NSFUpgradeService(2.0.0.194)... Done in 0 seconds.
- Data upgrade step 36/131, CertMgmtUpgradeService(2.0.0.212)... Done in 1 seconds.
- Data upgrade step 37/131, NSFUpgradeService(2.0.0.220)... Done in 4 seconds.
- Data upgrade step 38/131, NSFUpgradeService(2.0.0.244)... Done in 0 seconds.
- Data upgrade step 39/131, NSFUpgradeService(2.0.0.245)... Done in 0 seconds.
- Data upgrade step 40/131, EPSRegistration(2.0.0.262)... Done in 0 seconds.
- Data upgrade step 41/131, NSFUpgradeService(2.0.0.268)... Done in 0 seconds.
- Data upgrade step 42/131, UPSUpgradeHandler(2.0.0.271)... Done in 0 seconds.
- Data upgrade step 43/131, AuthzUpgradeService(2.0.0.308)... Done in 0 seconds.
- Data upgrade step 44/131, NSFUpgradeService(2.1.0.102)... Done in 0 seconds.
- Data upgrade step 45/131, UPSUpgradeHandler(2.1.0.105)... Done in 30 seconds.
- Data upgrade step 46/131, UPSUpgradeHandler(2.1.0.107)... Done in 0 seconds.
- Data upgrade step 47/131, NSFUpgradeService(2.1.0.109)... Done in 0 seconds.
- Data upgrade step 48/131, NSFUpgradeService(2.1.0.126)... Done in 0 seconds.
- Data upgrade step 49/131, NetworkAccessUpgrade(2.1.0.127)... Done in 0 seconds.
- Data upgrade step 50/131, ProfilerUpgradeService(2.1.0.134)... Done in 0 seconds.
- Data upgrade step 51/131, ProfilerUpgradeService(2.1.0.139)... Done in 0 seconds.
- Data upgrade step 52/131, ProfilerUpgradeService(2.1.0.166)... Done in 47 seconds.
- Data upgrade step 53/131, NSFUpgradeService(2.1.0.168)... Done in 0 seconds.
- Data upgrade step 54/131, AlarmsUpgradeHandler(2.1.0.169)... Done in 2 seconds.
- Data upgrade step 55/131, RegisterPostureTypes(2.1.0.180)... Done in 1 seconds.
- Data upgrade step 56/131, RegisterPostureTypes(2.1.0.189)... Done in 0 seconds.
- Data upgrade step 57/131, UPSUpgradeHandler(2.1.0.194)... Done in 0 seconds.
- Data upgrade step 58/131, TrustsecWorkflowRegistration(2.1.0.203)... Done in 0 seconds.
- Data upgrade step 59/131, NSFUpgradeService(2.1.0.205)... Done in 0 seconds.
- Data upgrade step 60/131, NetworkAccessUpgrade(2.1.0.207)... Done in 0 seconds.
- Data upgrade step 61/131, NSFUpgradeService(2.1.0.212)... Done in 0 seconds.
- Data upgrade step 62/131, NetworkAccessUpgrade(2.1.0.241)... Done in 0 seconds.
- Data upgrade step 63/131, NetworkAccessUpgrade(2.1.0.242)... Done in 0 seconds.
- Data upgrade step 64/131, UPSUpgradeHandler(2.1.0.244)... Done in 0 seconds.
- Data upgrade step 65/131, ProfilerUpgradeService(2.1.0.248)... Done in 0 seconds.
- Data upgrade step 66/131, NetworkAccessUpgrade(2.1.0.254)... Done in 0 seconds.
- Data upgrade step 67/131, UPSUpgradeHandler(2.1.0.255)... Done in 9 seconds.
- Data upgrade step 68/131, MDMPartnerUpgradeService(2.1.0.257)... Done in 0 seconds.
- Data upgrade step 69/131, NetworkAccessUpgrade(2.1.0.258)... Done in 0 seconds.
- Data upgrade step 70/131, ProfilerUpgradeService(2.1.0.258)... Done in 24 seconds.
- Data upgrade step 71/131, MDMPartnerUpgradeService(2.1.0.258)... Done in 0 seconds.
- Data upgrade step 72/131, UPSUpgradeHandler(2.1.0.279)... Done in 0 seconds.
- Data upgrade step 73/131, NSFUpgradeService(2.1.0.282)... Done in 0 seconds.
- Data upgrade step 74/131, NetworkAccessUpgrade(2.1.0.288)... Done in 0 seconds.
- Data upgrade step 75/131, NetworkAccessUpgrade(2.1.0.295)... Done in 0 seconds.
- Data upgrade step 76/131, CertMgmtUpgradeService(2.1.0.296)... Done in 0 seconds.
- Data upgrade step 77/131, NetworkAccessUpgrade(2.1.0.299)... Done in 0 seconds.
- Data upgrade step 78/131, NetworkAccessUpgrade(2.1.0.322)... Done in 0 seconds.
- Data upgrade step 79/131, NetworkAccessUpgrade(2.1.0.330)... Done in 0 seconds.
- Data upgrade step 80/131, NSFUpgradeService(2.1.0.353)... Done in 0 seconds.
- Data upgrade step 81/131, ProfilerUpgradeService(2.1.0.354)... Done in 0 seconds.
- Data upgrade step 82/131, NSFUpgradeService(2.1.0.427)... Done in 0 seconds.
- Data upgrade step 83/131, NSFUpgradeService(2.1.101.145)... Done in 0 seconds.
- Data upgrade step 84/131, ProfilerUpgradeService(2.1.101.145)... Done in 0 seconds.
- Data upgrade step 85/131, UPSUpgradeHandler(2.1.101.188)... Done in 0 seconds.
- Data upgrade step 86/131, NetworkAccessUpgrade(2.2.0.007)... Done in 0 seconds.
- Data upgrade step 87/131, UPSUpgradeHandler(2.2.0.118)... Done in 3 seconds.
- Data upgrade step 88/131, UPSUpgradeHandler(2.2.0.119)... Done in 0 seconds.
- Data upgrade step 89/131, GuestAccessUpgradeService(2.2.0.124)... Done in 15 seconds.
- Data upgrade step 90/131, NSFUpgradeService(2.2.0.135)... Done in 0 seconds.
- Data upgrade step 91/131, NSFUpgradeService(2.2.0.136)... Done in 0 seconds.
- Data upgrade step 92/131, NetworkAccessUpgrade(2.2.0.137)... Done in 0 seconds.
- Data upgrade step 93/131, NetworkAccessUpgrade(2.2.0.143)... Done in 6 seconds.
- Data upgrade step 94/131, NSFUpgradeService(2.2.0.145)... Done in 1 seconds.
- Data upgrade step 95/131, NSFUpgradeService(2.2.0.146)... Done in 1 seconds.
- Data upgrade step 96/131, NetworkAccessUpgrade(2.2.0.155)... Done in 0 seconds.
- Data upgrade step 97/131, CdaRegistration(2.2.0.156)... Done in 1 seconds.
- Data upgrade step 98/131, NetworkAccessUpgrade(2.2.0.161)... Done in 0 seconds.
- Data upgrade step 99/131, UPSUpgradeHandler(2.2.0.166)... Done in 0 seconds.
- Data upgrade step 100/131, NetworkAccessUpgrade(2.2.0.169)... Done in 0 seconds.
- Data upgrade step 101/131, UPSUpgradeHandler(2.2.0.169)... Done in 0 seconds.
- Data upgrade step 102/131, NetworkAccessUpgrade(2.2.0.180)... Done in 0 seconds.
- Data upgrade step 103/131, CertMgmtUpgradeService(2.2.0.200)... Done in 0 seconds.
- Data upgrade step 104/131, NetworkAccessUpgrade(2.2.0.208)... Done in 0 seconds.
- Data upgrade step 105/131, RegisterPostureTypes(2.2.0.218)... Done in 0 seconds.
- Data upgrade step 106/131, NetworkAccessUpgrade(2.2.0.218)... Done in 0 seconds.
- Data upgrade step 107/131, NetworkAccessUpgrade(2.2.0.222)... Done in 0 seconds.
- Data upgrade step 108/131, NetworkAccessUpgrade(2.2.0.223)... Done in 0 seconds.
- Data upgrade step 109/131, NetworkAccessUpgrade(2.2.0.224)... Done in 0 seconds.
- Data upgrade step 110/131, SyslogTemplatesRegistration(2.2.0.224)... Done in 0 seconds.
- Data upgrade step 111/131, ReportUpgradeHandler(2.2.0.242)... Done in 0 seconds.
- Data upgrade step 112/131, IRFUpgradeService(2.2.0.242)... Done in 0 seconds.
- Data upgrade step 113/131, LocalHostNADRegistrationService(2.2.0.261)... Done in 0 seconds.
- Data upgrade step 114/131, DomainControllerUpgrade(2.2.0.299)... Done in 0 seconds.
- Data upgrade step 115/131, NetworkAccessUpgrade(2.2.0.300)... Done in 0 seconds.
- Data upgrade step 116/131, CertMgmtUpgradeService(2.2.0.300)... Done in 0 seconds.
- Data upgrade step 117/131, PolicyUpgradeService(2.2.0.306)... Done in 0 seconds.
- Data upgrade step 118/131, NSFUpgradeService(2.2.0.323)... Done in 0 seconds.
- Data upgrade step 119/131, NetworkAccessUpgrade(2.2.0.330)... Done in 0 seconds.
- Data upgrade step 120/131, NSFUpgradeService(2.2.0.340)... Done in 0 seconds.
- Data upgrade step 121/131, NetworkAccessUpgrade(2.2.0.340)... Done in 0 seconds.
- Data upgrade step 122/131, NetworkAccessUpgrade(2.2.0.342)... Done in 0 seconds.
- Data upgrade step 123/131, AuthzUpgradeService(2.2.0.344)... Done in 0 seconds.
- Data upgrade step 124/131, RegisterPostureTypes(2.2.0.350)... Done in 29 seconds.
- Data upgrade step 125/131, ProfilerUpgradeService(2.2.0.359)... .Done in 81 seconds.
- Data upgrade step 126/131, DictionaryUpgradeRegistration(2.2.0.374)... Done in 11 seconds.
- Data upgrade step 127/131, UPSUpgradeHandler(2.2.0.403)... Done in 0 seconds.
- Data upgrade step 128/131, DictionaryUpgradeRegistration(2.2.0.410)... Done in 0 seconds.
- Data upgrade step 129/131, NSFUpgradeService(2.2.0.470)... Done in 0 seconds.
- Data upgrade step 130/131, ProfilerUpgradeService(2.2.0.470)... Done in 1 seconds.
- Data upgrade step 131/131, GuestAccessUpgradeService(2.2.0.470)... Done in 7 seconds.
STEP 7: Running ISE configuration data upgrade for node specific data...
STEP 8: Running ISE M&T database upgrade...
ISE M&T Log Processor is not running
ISE database M&T schema upgrade completed.
% Warning: Some warnings encountered during MNT sanity check
% NOTICE: The appliance will reboot twice to upgrade software and ADE-OS. During this time progress of the upgrade is visible on console. It could take up to 30 minutes for this to complete.
Rebooting to do Identity Service Engine upgrade...

Connection closed by foreign host.
Disconnected from remote host(ISE) at 23:00:56.

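Because I was logged in over SSH, the connection dropped when the system rebooted. On the console you can see that the system updates a lot of things during startup, which also takes some time.

Wait patiently, and then you will find that the ISE upgrade is complete!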
