topic Re: ISE patch while upgrading in Network Access Control

ISE patch while upgrading

matthen — Tue, 18 Jun 2019 17:17:09 GMT

Is there a way to apply a patch while you're upgrading an ISE environment? My use case is, if a customer is upgrading from ISE 2.2 to 2.4, they start with their Secondary Admin, Primary Monitoring, then they start upgrading their PSNs. However, during this process the newly upgraded PSNs will be vulnerable to any bugs in the base 2.4 code, and users being migrated to the upgraded PSNs will be exposed to those bugs. Is there a way to apply a patch to each node as they're being upgraded to avoid unnecessary issues?

Thanks,

Matt

Re: ISE patch while upgrading

matthen — Tue, 18 Jun 2019 17:22:43 GMT

I see that you can apply patches prior to registering PSNs to the upgraded deployment per this document: https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934#toc-hId--718381845

Re: ISE patch while upgrading

Surendra — Tue, 18 Jun 2019 17:35:06 GMT

Unfortunately, you will not be able to upgrade to rest of the deployment if you do so. The nodes will be upgraded for a brief moment before they fail to join the upgraded deployment and are rolled back. What you can test is though is to apply patches, test the user authentications, see if they are working, roll back the patches and then upgrade the rest of the deployment. This is not a tested path as such but going by the logic, this should work and you will be doing it at your own risk.

Re: ISE patch while upgrading

Mohammed al Baqari — Tue, 18 Jun 2019 18:01:06 GMT

Short answer no. During the upgrade process the databases will be tweaked
by starting with secondary PAN then making it ready to accept PSNs until
primary PAN is upgraded and rejoined the upgraded deployment. If you alter
the database with patches you mightnot be able to recover.

Re: ISE patch while upgrading

hslai — Wed, 19 Jun 2019 01:38:54 GMT

To recap our discussion offline on this, Surendra and Mohammed al Baqari are both correct in case of using the guided upgrade in ISE admin web UI. Whereas ISE Upgrades - Best Practices describes additional options, besides the UI guided upgrade. The other options could be preferable, for sizable ISE deployments, for those ISE Releases unable to upgrade directly to ISE 2.4 or 2.6, or other considerations.