<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: log4j hotfix CSCwa47133 - ISE distributed environment in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521703#M571849</link>
    <description>&lt;P&gt;- I don't think it really matters, because for this patch, no&lt;EM&gt; ISE (internal) communications dependencies&lt;/EM&gt; are involved.&lt;/P&gt;
&lt;P&gt;M.&lt;/P&gt;</description>
    <pubDate>Mon, 20 Dec 2021 17:10:50 GMT</pubDate>
    <dc:creator>Mark Elsen</dc:creator>
    <dc:date>2021-12-20T17:10:50Z</dc:date>
    <item>
      <title>log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521609#M571847</link>
      <description>&lt;P&gt;Hello guys,&lt;/P&gt;&lt;P&gt;In a distributed environment, is there a specific order in which the hotfix needs to be done? I have an 11-node setup, with 2 PANs. I assume the patch should start with the primary PAN, then the secondary PAN, and then all the other PSN nodes. Is this correct?&lt;/P&gt;&lt;P&gt;Has someone already done it?&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Mon, 20 Dec 2021 14:18:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521609#M571847</guid>
      <dc:creator>ValentinPuiu91087</dc:creator>
      <dc:date>2021-12-20T14:18:39Z</dc:date>
    </item>
    <item>
      <title>Re: log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521703#M571849</link>
      <description>&lt;P&gt;- I don't think it really matters, because for this patch, no&lt;EM&gt; ISE (internal) communications dependencies&lt;/EM&gt; are involved.&lt;/P&gt;
&lt;P&gt;M.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Dec 2021 17:10:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521703#M571849</guid>
      <dc:creator>Mark Elsen</dc:creator>
      <dc:date>2021-12-20T17:10:50Z</dc:date>
    </item>
    <item>
      <title>Re: log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521705#M571850</link>
      <description>&lt;P&gt;I can confirm that the order it is applied in does not matter. You just need to apply the hotfix to each node in the order of your choosing, keeping in mind that the services will restart when you run it on that specific node, so most would do it one node at a time.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Dec 2021 17:17:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521705#M571850</guid>
      <dc:creator>Damien Miller</dc:creator>
      <dc:date>2021-12-20T17:17:40Z</dc:date>
    </item>
    <item>
      <title>Re: log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521708#M571851</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/320219"&gt;@Damien Miller&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you know what the recommendations are with the log4j hotfix if you have PAN failover enabled? Should this be disabled before applying the hotfix or does it not matter?&lt;/P&gt;</description>
      <pubDate>Mon, 20 Dec 2021 17:29:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521708#M571851</guid>
      <dc:creator>dm2020</dc:creator>
      <dc:date>2021-12-20T17:29:04Z</dc:date>
    </item>
    <item>
      <title>Re: log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521714#M571854</link>
      <description>&lt;P&gt;I would disable it before applying this hotfix; you don't want to take the extended outage for both PANs switching around on you while you're doing this work.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Dec 2021 17:37:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521714#M571854</guid>
      <dc:creator>Damien Miller</dc:creator>
      <dc:date>2021-12-20T17:37:57Z</dc:date>
    </item>
    <item>
      <title>Re: log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521963#M571868</link>
      <description>&lt;P&gt;Thank you! Really helpful.&lt;/P&gt;&lt;P&gt;Yesterday evening I patched our 11-virtual-node environment. I started with the far PSNs and ended with the 2 PAN nodes, for which I did manual failover - PA PM and upgrade the SA SM.&lt;/P&gt;&lt;P&gt;Downtime per application restart ~ 10 minutes.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Merry Christmas and a Happy New Year!&lt;BR /&gt;Vali Puiu&lt;/P&gt;</description>
      <pubDate>Tue, 21 Dec 2021 07:36:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4521963#M571868</guid>
      <dc:creator>ValentinPuiu91087</dc:creator>
      <dc:date>2021-12-21T07:36:36Z</dc:date>
    </item>
    <item>
      <title>Re: log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4527822#M572069</link>
      <description>&lt;P&gt;Could you please provide a link to a guide which explains the procedure step by step? I am doing it for the very first time and we have a total of 6 PSN nodes and 2 PAN nodes in HA mode.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Jan 2022 08:11:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4527822#M572069</guid>
      <dc:creator>nikhil_shinde</dc:creator>
      <dc:date>2022-01-07T08:11:41Z</dc:date>
    </item>
    <item>
      <title>Re: log4j hotfix CSCwa47133 - ISE distributed environment</title>
      <link>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4527905#M572071</link>
      <description>&lt;P&gt;Everything you need to do is specified in the release notes of the patch. See the description below.&lt;/P&gt;&lt;P&gt;1. Copy the patch to a repository which is reachable from ISE&lt;/P&gt;&lt;P&gt;2. Connect via CLI to each node, copy the patch from the repo and update the application&lt;/P&gt;&lt;P&gt;The order doesn't matter; the cluster will not break as this is a hotfix. The downtime is around 10-15 minutes per node. Do them 1 by 1.&lt;/P&gt;&lt;P&gt;"&lt;/P&gt;&lt;PRE&gt;=================================================
README for installing Hot Patch to fix CSCwa47133 
=================================================

This hot patch is to address CSCwa47133 (related to Apache Log4j2)

Download the following files from CCO.
                                                               
ise-apply-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz 
ise-rollback-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz


Confirm that the hash of the downloaded files matches the ones listed on CCO.
Copy the files to repository which is reachable from ISE.
Configure the repository in ISE to start the installation process.

===================
Few important notes
===================

This hot patch is only for Patch 1 of ISE 3.1 release.

This needs to be installed on every ISE node in a deployment.

===============
How to install 
===============

Login to ISE CLI
Invoke the following command to install the bundle which will apply the hot patch:

"application install ise-apply-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz &amp;lt;REPOSITORY_NAME&amp;gt;" 

=======================================================
How to Verify whether patch has installed successfully
=======================================================

Login to ISE CLI
Execute the command "show logging application hotpatch.log"
It should show that 'CSCwa47133_3.1.0.518_patch1' is installed, this will confirm that the hot patch was successfully installed.

===============
How to Rollback 
===============

(Note: This is only required if you need to remove the hot patch)

Login to ISE CLI
Invoke the following command to rollback the hot patch:

"application install ise-rollback-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz  &amp;lt;REPOSITORY_NAME&amp;gt;""&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 07 Jan 2022 12:00:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/log4j-hotfix-cscwa47133-ise-distributed-environment/m-p/4527905#M572071</guid>
      <dc:creator>ValentinPuiu91087</dc:creator>
      <dc:date>2022-01-07T12:00:43Z</dc:date>
    </item>
  </channel>
</rss>

