topic Re: Cisco ISE 2.2 - Most recent stable patch release in Network Access Control

Cisco ISE 2.2 - Most recent stable patch release

CB90021204 — Mon, 22 Oct 2018 00:53:53 GMT

Hello, I upgraded my ISE deployment to ISE 2.2 patch 11. I see that ISE 2.2 patch 11 has since been deferred.

What does Cisco recommend as the stable ISE 2.2 Patch release? Should we wait for Patch 12 or roll back to 9 or 10?

SEVT on Oct 7-13 recommended ISE 2.2 Patch 9. Just wondering if this is still the Cisco recommended patch release?

Thanks,

Re: Cisco ISE 2.2 - Most recent stable patch release

Cory Peterson — Mon, 22 Oct 2018 12:02:17 GMT

In the very near future ISE 2.4 Patch 4 will be the recommended version of ISE.

I would expect this in the next couple weeks.

Re: Cisco ISE 2.2 - Most recent stable patch release

anthonylofreso — Mon, 22 Oct 2018 12:12:03 GMT

It's a fair question, and one that's becoming increasingly difficult to answer. I've shared some feedback with a few folks at Cisco regarding patches lately:

New patches consistently break existing functionality, or introduce new bugs. Examples

Patch 7 & Patch 8 for v2.2 came bundled with two new memory leaks: CSCvf22318 & CSCvf47316
Patch 9 breaks “Add Endpoint” on the context visibility page
I’ve been following two - posts in the communities that document Patch 10 breaking deployments

And now, patch 11 has been recalled. In my opinion, more rigor needs to be applied to patching. I'm very much a fan of Continuous Improvement, and rapid releases... but this methodology, when applied appropriately, should not introduce the number of flaws we've seen lately with these patches.

This often leaves us in a difficult position when TAC is advising us to patch ISE before further troubleshooting can occur, but the patch they would like us to move to will knowingly introduce additional issues.

Re: Cisco ISE 2.2 - Most recent stable patch release

Damien Miller — Mon, 22 Oct 2018 15:36:08 GMT

I won't argue with you on that, it's painful. For what it's worth, 2.4 has been pretty stable for us lately, we had some early issues with high impact, but we were able to have hot fixes generated. All of the main issues we were facing are now addressed in patch 4. It shows some promise of increased software quality. Too many regressions and recalled patches in the past year.

Re: Cisco ISE 2.2 - Most recent stable patch release

hslai — Mon, 22 Oct 2018 19:23:14 GMT

If ISE 2.2 Patch 11 is working fine in your deployment, please keep it as it is for now. If you are planning to rollback, please engage Cisco TAC, due to CSCvm92278.

Re: Cisco ISE 2.2 - Most recent stable patch release

richard.allen1 — Mon, 22 Oct 2018 19:55:51 GMT

We recently upgraded from patch 9 to 11. Everything was stable in 9. Under patch 11 we lost all authentication against AD. Under TAC advisement we rolled back to 10 on a few nodes which broke the application services, effectively killing our entire deployment. We have since rebuilt the broken nodes back to 11 but still do not have AD authentication working.

I would recommend holding on 9 until all of this gets sorted out...

Re: Cisco ISE 2.2 - Most recent stable patch release

CB90021204 — Mon, 22 Oct 2018 20:44:56 GMT

Thanks everyone for your comments. We are hitting bug CSCvm80261 on patch 11, not aware of anything else yet. Will remain on patch 11.

Re: Cisco ISE 2.2 - Most recent stable patch release

Bryant Ho — Wed, 24 Oct 2018 16:37:12 GMT

We're also running into CSCvm80261 on patch 10 on two of our regional deployments.

Re: Cisco ISE 2.2 - Most recent stable patch release

packetplumber9 — Wed, 24 Oct 2018 17:18:16 GMT

My TAC case on this issue reported it is planned to be fixed in the Patch 12 release.