topic Re: patch ISE server from 3.3 patch-4 to patch-6 via CLI in Network Access Control

patch ISE server from 3.3 patch-4 to patch-6 via CLI

adamscottmaster2013 — Mon, 14 Jul 2025 12:16:00 GMT

I do not have a test environment to test so I am asking here. I have a five nodes cluster environment 3.3 patch-4 and I need to get them to patch-6, in a safe way. My environment:

node1: Primary Admin, Secondary MnT

node2: Secondary Admin, Primary MnT

node3: PSN

node4: PSN

node5: PSN

My plan is to patch these ISE servers through the CLI, in this order:

A- patch node2 (Secondary Admin, Primary MnT) first,

B- patch node3 (PSN) after that,

C- wait for one week to confirm that everything is still working,

D- patch node4 (PSN) and node5 (PSN),

E- patch node1 (Primary Admin, Secondary MnT)

I just don't want to patch all the systems and if they have issues, have to roll everything back, which might involve downtime. I talked to Cisco TAC in the past, and I think they told me this method would be ok too, but I can't recall.

Anyone seeing issues with this?

TIA

Re: patch ISE server from 3.3 patch-4 to patch-6 via CLI

Torbjørn — Mon, 14 Jul 2025 12:49:56 GMT

It is pretty unorthodox to do it this way, but it should work fine. Ideally you would upgrade your deployment in one go - ISE patching is pretty safe. It is very rare for it to cause issues in my experience.

I would also alter the procedure somewhat if you go down this route.

Upgrade both PAN nodes, these won't cause network downtime for authentication and this is where I would guess any patch-version differences to cause issues if any should occur.
Upgrade 1 PSN, wait and verify.
Upgrade the remaining PSN nodes.

Re: patch ISE server from 3.3 patch-4 to patch-6 via CLI

adamscottmaster2013 — Mon, 14 Jul 2025 13:57:40 GMT

Thank you @Torbjørn. I would rather avoid upgrading both PAN nodes at the same time, because if things don't work and I have to rollback, nobody can log into ISE and make configuration changes. I've done enough ISE patching upgrades to know that it works well 95% of the time but I was part of the 5% that had issues. Better safe than sorry, but your point is well taken.

Re: patch ISE server from 3.3 patch-4 to patch-6 via CLI

Marcelo Morais — Tue, 15 Jul 2025 23:04:12 GMT

Hi @adamscottmaster2013 ,

I prefer to Deregister some Nodes from the Cluster before an update.

This way I can test the new patch, where all the Nodes are patched, and also have a rollback plan using the deregistered Nodes.

Note: I'm doing this for a recently update from 3.3 P4 to 3.3 P6, so far P6 is OK.

Hope this helps !!!

Re: patch ISE server from 3.3 patch-4 to patch-6 via CLI

Marcelo Morais — Thu, 17 Jul 2025 18:09:39 GMT

Hi @adamscottmaster2013 ,

please pay special attention to the new ISE 3.3 P7 - Resolved Caveats:

Hope this helps !!!