https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325791#M598000 At least we agree on PPAN first. I think the order I described is the same as what ISE developers chose when you patch via the GUI. I think that TAC has a more efficient method because you can test the patch on PSN a bit sooner. But apart from that it’s horses for courses.<BR /> Sat, 30 Aug 2025 11:30:01 GMT Arne Bier 2025-08-30T11:30:01Z https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325240#M597981 <P>Hi</P><P>Six node distributed ISE Deployment</P><P>Whats the recommended order to patch fronm cli please.??</P><P>1.PRI-PAN which is also SEC MNT</P><P>2.SEC-PAN which is also PRI MNT</P><P>3.PSNs</P> Thu, 28 Aug 2025 12:53:58 GMT https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325240#M597981 N3om 2025-08-28T12:53:58Z https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325405#M597984 <P>Always Primary PAN first. Then the next PAN, PSNs last. I can't remember seeing a documented technical reason why this order is good/necessary. I think it's possibly just common sense because the primary database is on the Primary Admin node and since it's in charge of writing to the database, it gets patched first.&nbsp; The operational benefit of doing PAN first, is that you "take the hit" of taking down the admin GUI first, and then you can monitor the rest of the patching process from the GUI.</P> Thu, 28 Aug 2025 21:32:32 GMT https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325405#M597984 Arne Bier 2025-08-28T21:32:32Z https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325462#M597989 <P>check some guidance :</P> <P><A href="https://www.youtube.com/watch?v=qV5-KY0CCQo&amp;t=177s" target="_blank">https://www.youtube.com/watch?v=qV5-KY0CCQo&amp;t=177s</A></P> <P>Post :</P> <P><A href="https://community.cisco.com/t5/network-access-control/patch-upgrade-in-cisco-ise-distributed-deployment/m-p/5287196" target="_blank">https://community.cisco.com/t5/network-access-control/patch-upgrade-in-cisco-ise-distributed-deployment/m-p/5287196</A></P> Fri, 29 Aug 2025 06:35:12 GMT https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325462#M597989 balaji.bandi 2025-08-29T06:35:12Z https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325783#M597999 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;wrote:<BR /><P>Always Primary PAN first. Then the next PAN, PSNs last. I can't remember seeing a documented technical reason why this order is good/necessary. I think it's possibly just common sense because the primary database is on the Primary Admin node and since it's in charge of writing to the database, it gets patched first.&nbsp; The operational benefit of doing PAN first, is that you "take the hit" of taking down the admin GUI first, and then you can monitor the rest of the patching process from the GUI.</P><HR /></BLOCKQUOTE><P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>:&nbsp; The poster asked about patching via the CLI.&nbsp; I just did one recently, and according to Cisco TAC, it should be in this order:</P><P>1- PAN</P><P>2- PSNs</P><P>3- SAN</P><P>&nbsp;</P> Sat, 30 Aug 2025 10:19:19 GMT https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325783#M597999 adamscottmaster2013 2025-08-30T10:19:19Z https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325791#M598000 At least we agree on PPAN first. I think the order I described is the same as what ISE developers chose when you patch via the GUI. I think that TAC has a more efficient method because you can test the patch on PSN a bit sooner. But apart from that it’s horses for courses.<BR /> Sat, 30 Aug 2025 11:30:01 GMT https://community.cisco.com/t5/network-access-control/ise-deployment-patching/m-p/5325791#M598000 Arne Bier 2025-08-30T11:30:01Z