ISE Upgrade Best Practices Tips and Tricks

Introduction

You have spent months fine-tuning your Cisco Identity Services Engine deployment. Policies are dialed in, profiling is working, and RADIUS authentications are humming along without a hitch. Then the calendar reminder hits: your current ISE version is approaching end of life, and an ISE upgrade is unavoidable. The question is not whether you should upgrade but how you can do it without disrupting the network access control fabric your organization depends on every single day.

Upgrading ISE is widely regarded as one of the more complex procedures in the Cisco security portfolio. Unlike a simple switch firmware update, an ISE upgrade touches distributed node personas, configuration databases, monitoring data, certificates, integrations with Active Directory, and potentially dozens of network access devices that rely on RADIUS and TACACS+ services. A single misstep can leave endpoints unable to authenticate, security policies unenforced, and administrators scrambling to restore service.

The good news is that with thorough preparation, the right upgrade method for your deployment size, and a disciplined checklist, an ISE upgrade can be executed smoothly and predictably. This article distills field-proven best practices, practical tips, and step-by-step guidance that will help you plan, execute, and validate your next ISE migration with confidence. Whether you are moving from ISE 3.0 to 3.3 or jumping to the latest 3.4 release, the principles covered here apply across versions.

We will walk through the ISE persona model, the log file system you need for troubleshooting, deployment sizing, platform and lifecycle considerations, the pre-upgrade checklist, all four upgrade methods in detail, duration estimation, operational data management, and the most common concerns that arise during and after an upgrade.

What Are ISE Personas and Why Do They Matter for an ISE Upgrade?

Before diving into upgrade mechanics, it is essential to understand the ISE persona architecture because the upgrade sequence is built around it.

Policy Administration Node (PAN)

The PAN is the central node responsible for managing all ISE configurations. In a distributed deployment you will have two PANs:

• PPAN -- Primary PAN (Active). This is where you make configuration changes.
• SPAN -- Secondary PAN (Standby). This node receives replicated configuration data and can be promoted if the PPAN fails.

Monitoring Node (MNT)

The MNT collects operational data and logs from across the deployment. Like the PAN, monitoring nodes come in pairs:

• PMNT -- Primary MNT (Active)
• SMNT -- Secondary MNT (Active)

Both monitoring nodes are active and collect data simultaneously, which is an important distinction when you are planning operational data handling during the upgrade.

Policy Service Node (PSN)

PSNs are the workhorses of the deployment. They execute policies and handle client authentications. When a switch or wireless controller sends a RADIUS Access-Request, it is a PSN that processes the request, evaluates authorization policies, and returns the result.

Understanding these personas is critical because the upgrade order, persona changes, and data replication behavior all depend on which persona a node holds. The upgrade methods covered later in this article treat each persona type differently, and knowing the distinction will help you predict what happens at each stage of the process.

How Does the ISE Log File System Help During an Upgrade?

ISE generates various log files that are indispensable for monitoring and troubleshooting system performance during an upgrade. Two log files in particular deserve your attention.

ADE.log (Application Deployment Engine)

The ADE.log captures main system-level events and processes. This is the log you want to watch during upgrades, patch installations, and system restarts because it records the progress of these operations along with any errors that occur.

To view it from the CLI:

show logging system ade/ADE.log

ise-psc.log (Policy Service Component)

The ise-psc.log focuses on internal processes and application-specific events, including errors and warnings related to policy execution and service configurations. This log is particularly useful for confirming that the ISE Application Server has started successfully after an upgrade or patch.

To view it from the CLI:

show logging application ise-psc.log

Pro Tip: After patching, upgrading, or installing ISE, always verify that the ISE Application Server is running. You can use the command show application status ise or check the ise-psc.log to confirm. Here is a practical way to check:

screen-length 0
show logging application ise-psc.log tail | include "Application Server"

You should see output similar to:

2024-11-22 13:50:18,483 INFO ... Application Server initializing
2024-11-22 13:50:29,028 INFO ... Application Server running 22816

The screen-length 0 command replaces the older terminal length 0 starting from ISE 3.2. Keep this in mind if you are upgrading from a pre-3.2 version.

ISE Deployment Sizes and Platform Considerations

The size of your deployment directly influences which upgrade method you should choose, how long the upgrade will take, and how much planning is required. ISE supports three deployment models.

Small Deployment

A small deployment consists of two nodes running all personas (PAN + MNT + PSN) on each node, with an optional additional standalone PSN. This is common in single-site organizations with a limited number of endpoints.

Medium Deployment

A medium deployment separates the roles slightly, with two nodes running PAN + MNT personas and up to six dedicated PSNs. This is the most common deployment model for mid-sized enterprises.

Large Deployment

A large deployment fully separates all personas: two dedicated PANs, two dedicated MNTs, and up to 50 PSNs. This model is used in large enterprises, service providers, and organizations with geographically distributed sites.

Supported Platforms

ISE runs on multiple platforms, and your platform choice affects which versions you can run. The following table summarizes platform support:

Platform	ISE 3.0 (EOL)	ISE 3.1	ISE 3.2	ISE 3.3	ISE 3.4
SNS 3615	Yes	Yes	Yes	Yes	Yes
SNS 3655	Yes	Yes	Yes	Yes	Yes
SNS 3695	Yes	Yes	Yes	Yes	Yes
SNS 3715	--	--	--	Yes	Yes
SNS 3755	--	--	--	Yes	Yes
SNS 3795	--	--	--	Yes	Yes
Traditional VM	Yes	Yes	Yes	Yes	Yes
AWS	--	--	Yes	Yes	Yes
Azure & OCI	--	--	Yes	Yes	Yes

Pro Tip: Before selecting your target version, verify that your hardware platform or cloud instance type is supported. The newer SNS 37xx series appliances are only supported starting with ISE 3.3.

Understanding the ISE Lifecycle Before You Plan an ISE Upgrade

Every ISE version follows the same lifecycle pattern, and new versions are typically released approximately every 12 months. Understanding where your current version sits in its lifecycle helps you determine urgency and plan appropriately.

The lifecycle stages are:

1. FCS (First Customer Shipment) -- The version becomes generally available.
2. EOL (End of Life) Announcement -- Announced approximately 28 months after FCS.
3. End of SW Maintenance (EoSW) -- No new patches or maintenance releases, approximately 6 months after EOL announcement.
4. Last Date of Support (LDoS) -- Final date for any support, approximately 12 months after EoSW.

The timeline from FCS to LDoS spans roughly 12 months of active development followed by a wind-down period. Here is a simplified view of recent ISE releases:

Version	Approximate FCS	Status
ISE 3.0	2020	End of Life
ISE 3.1	2021	Active
ISE 3.2	2022	Active
ISE 3.3	2023	Active
ISE 3.4	2024	Active

Reasons to Upgrade

There are several compelling reasons to perform an ISE upgrade beyond simply avoiding end-of-life:

• Enhance product stability -- Newer versions incorporate thousands of bug fixes.
• Fix security vulnerabilities -- Critical CVEs are addressed in newer releases.
• Support and maintenance -- Only supported versions receive patches and TAC assistance.
• New features -- Each release introduces significant new capabilities.

New Features by Version

Each ISE release brings meaningful feature additions. Here is a summary of key features introduced in recent versions:

ISE 3.2 New Features:

• Data Connect for external reporting
• Better automation capabilities
• Cloud platform support (AWS, Azure, OCI)
• pxGrid Direct for simplified integrations
• Dark mode for the administrative GUI

ISE 3.3 New Features:

• Certificate-based API calls for improved security
• AI-powered profiling for better endpoint classification
• Native IPsec support
• New split-upgrade workflow for streamlined upgrades

ISE 3.4 New Features:

• Configure VTI (Virtual Tunnel Interface) with Native IPsec
• TLS 1.3 support
• PAC-less RADIUS for TrustSec
• Many additional improvements across the platform

These features alone often justify the effort required for an ISE upgrade. If you are studying for the CCNP Security certification, understanding ISE deployment and upgrade procedures is essential. The CCNP Security ISE 802.1X Lab course on NHPREP covers ISE configuration and operation in depth.

The Complete ISE Upgrade Pre-Flight Checklist

Upgrading ISE is not easy unless you are well prepared. This pre-flight checklist is the single most important section of this article. Skipping any of these steps significantly increases the risk of a failed or prolonged upgrade.

Step 1: Choose the Target Version

Start by checking the suggested release for your environment. Review compatibility across three dimensions:

• Hardware compatibility -- Confirm your SNS appliance or VM meets the requirements for the target version.
• Integration compatibility -- Verify that your integrations (Active Directory, MDM, pxGrid partners) are compatible.
• Licensing -- Review the licensing model for your target version using the Cisco ISE Licensing Guide.

Additionally, review open bugs for the target version and its latest patch using the Bug Search Tool. For complex environments, engaging professional services is recommended.

Step 2: Validate the Upgrade Path (Direct vs. Two-Step)

Not every version jump can be done in a single step. If you are making a large version jump, you may need a two-step upgrade. The general rule is straightforward: perform the biggest jump first.

For example, if you are moving from ISE 3.0 to ISE 3.3, you would evaluate whether a direct upgrade is supported or whether you need an intermediate step through ISE 3.2 first. Always consult the official Cisco ISE Upgrade Journey documentation for your specific source and target versions.

Step 3: Install the Latest Patch (Before and After)

This step is critical and often overlooked. You should install the latest available patch on your current version before upgrading, and then install the latest patch on the target version after upgrading.

There are two ways to apply patches, and they behave differently:

Patching from the GUI:

• The first node to be patched is always the PPAN.
• Following nodes are patched in alphabetical order, one after the other.
• You cannot control the order or parallelize.

Patching from the CLI:

• You can test the patch on any node before deploying to the rest of the deployment.
• You can patch nodes simultaneously, which significantly reduces the overall patching window.

Pro Tip: CLI-based patching gives you more control and flexibility. You can validate the patch on a single PSN first, confirm stability, and then roll it out to remaining nodes in parallel. This is particularly valuable in large deployments with many PSNs.

Step 4: Choose Your Upgrade Method

This is a major decision point and deserves its own section (covered in detail below). The four methods are Backup and Restore, GUI upgrade, CLI upgrade, Full Upgrade, and the New Split Upgrade.

Step 5: Set Up and Validate Repositories

Your upgrade bundle, URT file, and ISO images need to be stored in a repository that ISE can access. Make sure repositories are accessible from all ISE nodes and are as close as possible to the ISE nodes to minimize transfer time.

Validate repositories through the CLI on every node:

show running-config | include repository
show repository {repository_name}

Using the Local Disk as a Repository:

Starting with ISE 3.1, you can manage local disk files directly from the GUI under Administration > System > Maintenance. You can also use the CLI:

copy {source} disk:/
dir disk:/

The dir command lists files on the local disk and shows available free space. Using the local disk eliminates network transfer delays during the upgrade itself, which can be a significant time saver.

Step 6: Run the Upgrade Readiness Tool (URT)

The URT is a pre-upgrade validation tool that runs on the SPAN. To execute it:

application install {URT_filename} {repository_name}

The URT performs two important functions:

1. Verifies that the configuration database is compatible with the new version, catching potential data migration issues before you commit to the upgrade.
2. Provides an estimate for upgrade duration per node (note: this estimate does not apply to the Backup and Restore method).

Pro Tip: The URT is optional if you are using the New Split Upgrade or Full Upgrade methods, since those methods include built-in pre-checks. However, running it anyway is a low-risk way to catch problems early.

Step 7: Backup Everything

This is your safety net. Back up the following:

• Configuration backup -- This is mandatory. Without it, you have no rollback path.
• Operational data backup -- Optional, depending on whether you need historical log data.
• Network devices and endpoints -- Export these as CSV files for reference.
• Certificates and private keys -- Export all certificates and their private keys from the GUI.
• Internal CA certificates -- Export these from the CLI.

Step 8: Take Notes on Credentials and Configurations

Document the following items that are not captured in a standard backup:

• Active Directory join credentials
• MDM integration credentials
• Other third-party integration credentials
• Profiler configuration for each PSN (these can differ per node)

Step 9: Clean Up Before the Upgrade

A clean deployment upgrades faster. Perform the following cleanup:

• Delete expired certificates that are no longer needed.
• Purge operational data to reduce the monitoring database size.
• Remove inactive endpoints that have not authenticated in months.
• Clear old guest accounts that have expired.

Step 10: Final Pre-Upgrade Tasks

Before you pull the trigger:

• Perform Health Checks -- Available since ISE 2.6 Patch 8 and later, health checks validate system readiness.
• Disable PAN Failover -- This prevents automatic promotion during the upgrade, which could cause chaos.
• Disable Scheduled Backups -- Scheduled backups running during an upgrade can cause conflicts.

Which ISE Upgrade Method Should You Choose?

Choosing the right upgrade method is one of the most consequential decisions in the entire process. Each method has distinct advantages and trade-offs. Let us examine all four.

Backup and Restore

Attribute	Detail
Best for	Large deployments needing the fastest upgrade
Approach	Reinstall all nodes to the new version using the installation ISO. Configuration backup is restored on the SPAN. Data is replicated between nodes.
Cloud support	Only option available for cloud instances (AWS, Azure, OCI)
Key advantage	Fastest method overall
Consideration	Requires reimaging every node

With Backup and Restore, you essentially build a fresh deployment on the target version and then restore your configuration. This is the cleanest approach because every node gets a fresh installation, eliminating any residual issues from the old version.

GUI Upgrade (Split Upgrade)

Attribute	Detail
Best for	Small and medium deployments
Approach	Step-by-step guided upgrade through the ISE administrative GUI
Key advantage	TAC-preferred method; includes pre-checks
Consideration	Limited to upgrading nodes in a fixed sequence

The GUI upgrade walks you through the process with built-in validations. It is the method most often recommended by TAC because it has guardrails that prevent common mistakes.

CLI Upgrade

Attribute	Detail
Best for	Distributed deployments across multiple regions
Approach	Manual upgrade from the command line
Key advantage	Better visibility and control over the upgrade
Consideration	Requires advanced knowledge of the ISE upgrade process

The CLI upgrade gives experienced administrators granular control over each step. You can monitor logs in real time, control the exact upgrade order, and troubleshoot issues as they arise. This method is usually the fallback if a GUI upgrade fails.

Full Upgrade

Attribute	Detail
Best for	Environments that need a faster approach
Approach	Two-step process: (1) upgrade the PPAN, then (2) upgrade all other nodes
Key advantage	Faster than the traditional split approach; no persona change required
Availability	Added in ISE 2.6 Patch 10, 2.7 Patch 4, and 3.0 Patch 3
Consideration	Requires downtime during the upgrade

The Full Upgrade is notable because it preserves the existing persona configuration throughout the process. There are no persona swaps between the PPAN and SPAN, which eliminates one of the most error-prone aspects of the traditional upgrade.

New Split Upgrade

Attribute	Detail
Best for	Medium to large deployments wanting more control
Approach	Allows upgrading more nodes simultaneously in iterations
Availability	Starting with ISE 3.2 Patch 3 and ISE 3.3
Key advantage	Built-in pre-checks; ability to parallelize node upgrades
Consideration	Still follows the split upgrade concept but with more flexibility

The New Split Upgrade is the most recent addition to the ISE upgrade toolkit. It combines the structured approach of the GUI upgrade with the flexibility to upgrade multiple nodes simultaneously, reducing the total upgrade window.

Pro Tip: For cloud-hosted ISE deployments on AWS, Azure, or OCI, Backup and Restore is the only supported upgrade method. Plan accordingly.

How Long Does an ISE Upgrade Take?

One of the most frequent questions administrators ask is about upgrade duration. While exact timings depend on your specific environment, the following estimates provide a reasonable baseline for planning.

Operation	Estimated Duration
Reimaging ISE	60-70 minutes
Restoring a configuration backup (PPAN)	40-60 minutes
Registering a node into the cluster	20-30 minutes
Upgrading a node	70-120 minutes
Upgrading operational data (MNT)	5 minutes per GB of operational data
Patching a node	20-30 minutes
Persona change	15 minutes

These estimates are subject to environment-specific variables such as database size, network latency between nodes, storage performance, and the amount of operational data stored on MNT nodes.

Calculating Total Upgrade Duration

For a medium deployment with two PAN+MNT nodes and four PSNs using the GUI upgrade method, a rough estimate might look like this:

1. Upgrade SPAN (which becomes the new PPAN): 70-120 minutes
2. Upgrade original PPAN: 70-120 minutes
3. Upgrade four PSNs (sequentially): 4 x 70-120 minutes = 280-480 minutes
4. Upgrade operational data on MNTs: depends on data volume
5. Patching all nodes: 6 x 20-30 minutes = 120-180 minutes (or less if done in parallel via CLI)
6. Persona changes: 2 x 15 minutes = 30 minutes

Total: approximately 10 to 16 hours, excluding troubleshooting time.

For the Backup and Restore method, the math changes significantly because reimaging and restoring can be parallelized across nodes, making it the fastest method for large deployments.

How to Reduce ISE Upgrade Duration

The single most effective way to reduce upgrade duration is to reduce the volume of operational data that needs to be migrated. The monitoring database on MNT nodes can grow to tens of gigabytes in large deployments, and upgrading this data takes approximately 5 minutes per GB.

Purging Operational Data from the GUI

You can purge MNT node operational data using the "Purge Data Now" option in the ISE GUI. This is the simplest approach for most administrators.

Purging Operational Data from the CLI

For more control, use the CLI:

application configure ise

From the menu that appears, select option 3 for "Purge M&T Operational Data":

[3] Purge M&T Operational Data
# 3
Enter days to be retained: 1

Setting the retention to 1 day effectively purges all historical data while keeping the most recent records. If you need historical data for compliance, export it before purging.

Warning: Operational data logs are not synchronized between the MNTs in case of a persona change. This means that if you purge data on one MNT, the other MNT still has its full dataset. Plan your purge strategy to account for both nodes.

Additional Cleanup to Speed Up the Upgrade

Beyond operational data, cleaning up the following items improves upgrade duration:

• Endpoints -- Remove inactive endpoints that have not been seen in 90 days or more.
• Users -- Clean up old guest accounts and unused internal user accounts.
• Logs -- Archive and purge old log data that is no longer needed for day-to-day operations.

Improving the upgrade duration can be achieved by cleaning endpoints, users, and logs before starting the upgrade process.

Understanding the ISE Upgrade Sequence

Before executing the upgrade, it helps to understand what happens at a conceptual level. The traditional split upgrade follows this general pattern:

1. The SPAN is upgraded first. During the upgrade, the SPAN becomes the new primary node running the target version.
2. The original PPAN is then upgraded. After upgrade, it joins the new deployment as a secondary node.
3. PSNs are upgraded next, either sequentially or in groups depending on the method.
4. MNT operational data is upgraded or migrated.
5. Persona assignments are finalized.

In the old deployment, the PPAN holds the active configuration and the SPAN is on standby. After the upgrade, the roles may be swapped depending on the method used. The Full Upgrade method is the exception here because it preserves the existing persona configuration throughout, meaning the PPAN stays as the PPAN and the SPAN stays as the SPAN.

This distinction matters because administrators who are accustomed to their PPAN being a specific node may need to update their operational documentation and monitoring after an upgrade that performs a persona swap.

Common Concerns and Troubleshooting During an ISE Upgrade

What If the ISE Application Server Does Not Start?

After any upgrade or patch operation, the ISE Application Server must be running before the node is functional. If it does not start, check the ise-psc.log:

screen-length 0
show logging application ise-psc.log tail | include "Application Server"

Look for the "Application Server running" message with a process ID. If you see "Application Server initializing" but it never transitions to "running," review the full ise-psc.log and ADE.log for error messages.

What If the URT Reports Issues?

If the Upgrade Readiness Tool reports compatibility issues, address them before proceeding. Common issues include:

• Database schema incompatibilities that require data cleanup
• Certificates that will expire before the upgrade window completes
• Nodes that cannot reach the upgrade repository

The URT is designed to catch these issues early, so treat its output as a mandatory action list rather than optional recommendations.

What If a Node Fails to Join the Cluster After Upgrade?

Node registration into the cluster typically takes 20-30 minutes. If a node fails to register, verify:

• Network connectivity between the node and the PPAN
• Certificate trust -- the node must trust the PPAN's admin certificate
• DNS resolution -- all nodes must be able to resolve each other by hostname

How Do You Handle Active Directory Credentials?

Active Directory join credentials are not included in a standard ISE backup. Make sure you have the AD join credentials documented before starting the upgrade. After the upgrade, you may need to rejoin nodes to the Active Directory domain.

Frequently Asked Questions

How do I know which ISE upgrade method to use?

The choice depends on your deployment size and requirements. For small and medium deployments, the GUI upgrade (split upgrade) is the TAC-preferred method because it includes built-in pre-checks and a guided workflow. For large deployments, Backup and Restore is the fastest option. For cloud instances on AWS, Azure, or OCI, Backup and Restore is the only supported method. The New Split Upgrade, available starting with ISE 3.2 Patch 3 and ISE 3.3, is a strong choice for medium to large deployments because it allows upgrading multiple nodes simultaneously.

Can I upgrade directly from ISE 3.0 to ISE 3.3, or do I need an intermediate step?

Whether a direct upgrade is possible depends on the specific source and target versions. The general guidance is that if a two-step upgrade is required, you should perform the biggest version jump first. Always consult the official ISE Upgrade Journey documentation for your specific upgrade path to determine whether a direct upgrade is supported or whether an intermediate version is required.

Which ISE upgrade method preserves the existing persona configuration?

The Full Upgrade method preserves the existing persona configuration throughout the process. Unlike the traditional split upgrade, which involves persona changes between the PPAN and SPAN, the Full Upgrade performs a two-step process where the PPAN is upgraded first, followed by all other nodes, without any persona swaps. This was added in ISE 2.6 Patch 10, 2.7 Patch 4, and 3.0 Patch 3.

How can I reduce the time it takes to upgrade ISE?

The most effective way to reduce upgrade duration is to purge operational data on MNT nodes before starting. Since MNT operational data takes approximately 5 minutes per GB to upgrade, reducing a 20 GB monitoring database to a few hundred megabytes can save hours. Additionally, cleaning up inactive endpoints, expired guest accounts, and expired certificates reduces processing time. Using CLI-based patching allows you to patch nodes simultaneously rather than sequentially, which saves time during the post-upgrade patching phase.

Should I install the latest patch before and after the upgrade?

Yes, absolutely. Installing the latest patch on your current version before upgrading ensures you have the most stable starting point with the latest bug fixes. Installing the latest patch on the target version after upgrading ensures you benefit from all post-release fixes. This is one of the most commonly overlooked steps, and skipping it can lead to encountering bugs that have already been resolved.

What logs should I monitor during an ISE upgrade?

Monitor two primary log files: the ADE.log for system-level upgrade events and progress tracking, and the ise-psc.log for application-level events and to confirm the ISE Application Server has started successfully. Use show logging system ade/ADE.log and show logging application ise-psc.log to access them. After any upgrade or patch operation, always verify the Application Server is running by checking for the "Application Server running" message in the ise-psc.log.

Conclusion

An ISE upgrade is a significant undertaking, but it does not have to be a high-risk event. The key takeaways from this guide are:

1. Preparation is everything. The pre-flight checklist is not optional. Every step from validating the upgrade path to purging operational data to backing up certificates contributes to a smooth upgrade.

2. Choose the right upgrade method for your deployment size. Backup and Restore for large or cloud deployments, GUI split upgrade for small and medium environments, CLI for distributed deployments requiring maximum control, and the New Split Upgrade for environments on ISE 3.2 Patch 3 or later that want parallelized upgrades with built-in pre-checks.

3. Reduce your data footprint before upgrading. Purging operational data, cleaning up endpoints, and removing expired certificates can cut hours off your upgrade window.

4. Monitor the right logs. The ADE.log and ise-psc.log are your primary visibility tools during the upgrade. Always confirm the Application Server is running before considering a node upgrade complete.

5. Document everything that is not captured in a backup, especially Active Directory credentials, MDM credentials, and per-PSN profiler configurations.

6. Disable PAN failover and scheduled backups before starting. These automated processes can interfere with the upgrade sequence.

If you are preparing for a Cisco security certification or want to build hands-on skills with ISE deployments, the CCNP Security ISE 802.1X Lab course on NHPREP provides practical lab exercises covering ISE configuration, 802.1X authentication, and operational procedures that will strengthen your understanding of the platform.

Investing the time to prepare properly transforms an ISE upgrade from a stressful firefight into a controlled, predictable operation. Follow the checklist, choose the right method, clean your data, and monitor your logs. Your future self will thank you.