topic Re: ISE Patching in Network Access Control

ISE Patching

benolyndav — Wed, 20 Aug 2025 14:57:07 GMT

Would an expired ISE system certificate cause an ISE deployment patch to fail ??

Thanks

Re: ISE Patching

Enes Simnica — Wed, 20 Aug 2025 15:01:14 GMT

gDay @benolyndav and no, an expired ISE system certificate won’t block a patch installation, but it can affect services like admin login, RADIUS/EAP, or HTTPS access, so it’s best to renew before patching........

-Enes

Re: ISE Patching

Rob Ingram — Wed, 20 Aug 2025 15:08:24 GMT

@benolyndav for patches no I don't believe so, but expired certificates are highlighted when you run a pre-upgrade health check and you should ensure the health check is sucessful before starting the upgrade.

Re: ISE Patching

benolyndav — Wed, 20 Aug 2025 15:09:01 GMT

Hi @Enes Simnica
Thanks for that, would you suggest exporting certs before patching ? I do this before the upgrade but not sure whether its required for patching.
Thanks

Re: ISE Patching

Enes Simnica — Wed, 20 Aug 2025 15:12:51 GMT

u r absolutely welcome @benolyndav. About ur quesiton; exporting certs isn’t required for patching, but it’s a good practice to back them up (along with the config) just like u do before an upgrade, for recovery if anything goes wrong.... U know just so u can sleep good LOOOL...

hope it helps!

-Enes

Re: ISE Patching

benolyndav — Wed, 20 Aug 2025 15:25:13 GMT

@Enes Simnica
I tried an export from cli and got the below message, any idea why I've done this before successfully. ??

Export Operation Failed. ISE CA keys are not in the trust store, check ISE node role or whether CA certificate is revoked/deleted

Thanks

Re: ISE Patching

Enes Simnica — Wed, 20 Aug 2025 15:30:55 GMT

@benolyndav That usually means the ISE node u’re exporting from isn’t the Primary Administration Node (PAN) or that the certificate authority keys were removed/revoked. Try the export from the PAN, and check under Administration - System - Certificates - Certificate Authority to confirm the CA keys are present and valid. Which means that if the keys are missing, u’ll need to re-import or regenerate them before export will work...

Re: ISE Patching

benolyndav — Wed, 20 Aug 2025 16:04:11 GMT

@Enes Simnica
I have just ran a tech-support and under deployment it states that the SEC PAN is actually ACTIVE and the PRI PAN STANDBY, you were right 🙂 any ideas why this would happen they are both online.??

Thanks

Re: ISE Patching

Enes Simnica — Wed, 20 Aug 2025 16:16:15 GMT

@benolyndav That can happen if the primary PAN lost communication with the rest of the deployment or a manual role swap occurred. Only one PAN can be active at a time, so if the secondary shows as active it has taken over. And my Cisco friend, i would suggest to check synchronization status, NTP alignment, and network connectivity between the PANs. So, if the primary is healthy, u can manually promote it back to active....

Re: ISE Patching

benolyndav — Wed, 20 Aug 2025 16:57:24 GMT

@Enes Simnica

Strange thing is though under the Deployment in the GUI the Secondary promote button is still highlighted and ready to press, and also I am not sure how to promote the PRI PAN back to Active there is no button for that.??
What I mean is when I log into ISE I'm still logging into the PRI PAN GUI, but show tech-support says the SEC PAN is ACTIVE
and also the CERT export didn't work from the PRI PAN but did from the SEC PAN ??

Thanks

Re: ISE Patching

Enes Simnica — Wed, 20 Aug 2025 17:03:34 GMT

@benolyndav alright I see. As I can remember from my last project, In ise only the secondary pan ever shows the Promote to Primary, button in the gui, which is whats expected. So the primary pan wont show a promote option cause its already designated as primary by role, even if its currently in standby... So let me use some bulletpoints to explain what is happening in ur case:

The Secondary PAN is currently Active (running the admin services).
The Primary PAN is in Standby (healthy, but not running admin services)

and to the primary pan back to active, u need to :

Make sure both nodes are synced with the well known show application status ise on both, and check Administration > System > Deployment > all services should show green).
From the GUI, click Promote to Primary on the Secondary. This will flip the roles, the Secondary becomes Standby and the Primary becomes Active again.
If the GUI button fails, you can do it via CLI: application config ise

and also before promoting, please please confirm ntp and replication status, because if the primary is out of sync, forcing it Active can cause database issues. And check this link also: Setting Up Cisco ISE in a Distributed Environment [Cisco Identity Services Engine] - Cisco Systems

hope it wasnt a looong answer, and hope it helps

-Enes

Re: ISE Patching

benolyndav — Tue, 26 Aug 2025 08:09:05 GMT

@Enes Simnica
So I tried this but it promoted the Secondary to PRI PAN as when I browsed to the SEC PANs address it was now the PRI PAN very weird do you think its a bug ??

P.S apologies for the late response

Re: ISE Patching

Enes Simnica — Tue, 26 Aug 2025 11:53:27 GMT

@benolyndav We good man. And actually, that’s actually expected, when you hit Promote to Primary on the Secondary, it flips roles, so the Secondary becomes the new Primary PAN. Not a bug. So u good!

hope it helped and stay EXPERT!

-Enes

Re: ISE Patching

Marcelo Morais — Tue, 26 Aug 2025 12:19:55 GMT

Hi @benolyndav ,

in an ISE Cluster you can have only 2 PANs, Primary and Secondary.

Whenever you hit the Promote to Primary button on the SPAN:

the SPAN becomes the PPAN, and you have to use the "Old SPAN" IP Addr to access the ISE GUI for administration.

About Certificate ...

You can export via CLI:

ise/admin# application configure ise

 Selection configuration option
 [1]Reset M&T Session Database
 ...
 [7]Export Internal CA Store
 [8]Import Internal CA Store
 ...
 [44]CA Diagnostic Tool
 [0]Exit

and via GUI:

at Administration > System > Certificates > Certificate Management > System Certificates:

at Administration > System > Certificates > Certificate Management > Trusted Certificates:

About your SPAN showing ACTIVE ...

PPAN and SPAN example:

ise/admin# show tech-support
 ...
 NAME             PERSONA   ROLE       ACTIVE  REPLICATION
 ---------------  -------   ---------- ------  ---------------
 <Node Hostname>  PSN       SECONDARY  NONE    SYNC COMPLETED
 <Node Hostname>  PSN       SECONDARY  NONE    SYNC COMPLETED
 <Node Hostname>  PSN       SECONDARY  NONE    SYNC COMPLETED
 <Node Hostname>  PAN       PRIMARY    NONE    Not Applicable
 <Node Hostname>  MNT       SECONDARY  ACTIVE  SYNC COMPLETED
 <Node Hostname>  PSN       SECONDARY  NONE    SYNC COMPLETED
 <Node Hostname>  PXG       SECONDARY  NONE    SYNC COMPLETED
 <Node Hostname>  MNT       SECONDARY  STANDBY SYNC COMPLETED
 <Node Hostname>  PAN       SECONDARY  NONE    SYNC COMPLETED
 <Node Hostname>  PXG       SECONDARY  NONE    SYNC COMPLETED
 ...

please take a look if your SPAN is not also a PMnT, the ACTIVE is for the PMnT and not for the SPAN.

Hope this helps !!!

Re: ISE Patching

benolyndav — Tue, 26 Aug 2025 15:43:01 GMT

@Enes Simnica but when I try to export the certs via cli I get this message (Export Operation Failed. ISE CA keys are not in the trust store, check ISE node role or whether CA certificate is revoked/deleted) any idea why at all I ran a tech-support and it looks like the correct PAN is the PRI, I do see something I'm not too sure about its the (Not Applicable) any idea on that also

DC-STH-ISE-01 PAN,MNT SECONDARY ACTIVE SYNC COMPLETED
DC-NTH-ISE-01 PAN,MNT PRIMARY STANDBY Not Applicable

Re: ISE Patching

benolyndav — Tue, 26 Aug 2025 15:44:48 GMT

@Marcelo Morais
Thanks for the info , I see you have the Not Applicable is that how it is then for PRI PAN ??

Re: ISE Patching

Marcelo Morais — Tue, 26 Aug 2025 17:50:12 GMT

Hi @benolyndav ,

PPAN replication status is Not Applicable, because the PPAN is the Publisher (responsible for the replication), the other Nodes are the Subscribers:

ise/admin# show tech-support
 ...
 NAME             PERSONA   ROLE       ACTIVE  REPLICATION
 ---------------  -------   ---------- ------  ---------------
 ...
 <Node Hostname>  PAN       PRIMARY    NONE    Not Applicable
 ...

You can also check that in the GUI ... at Administration > System > Deployment > mouse on the Node Status bullseye:

for PPAN (Publisher) ... Message Count:

for the Other Nodes (Subscribers) ... Sync Status:

Hope this helps !!!