
Cisco ISE 2.1 Patch Update

dot1x
Level 3

Hi All,

 

Could someone please assist with how long it takes to apply a patch on Cisco ISE (distributed environment)?

We have 1 PAN, 1 SAN, 3 PSNs running 2.1.

Thanks.

1 Accepted Solution

Damien Miller
VIP Alumni

I would plan for about 45 minutes a node. Each node will reload after patch installation.


7 Replies

hslai
Cisco Employee

For production, I would suggest applying patches via the CLI, because this gives us better control over when and which ISE nodes to start patching, and it is possible to do a few ISE nodes at the same time. Please remember to take an ISE CFG backup beforehand.

Thanks for the response.
If we go with CLI, is there any specific sequence we should follow?
Also, what would be the downtime for the users?
Thanks.

hslai
Cisco Employee

First to the primary ISE node, and the rest can be in any given order. Best to schedule a maintenance window and use a load balancer to take patching PSNs offline or online.

For a 5-node deployment, would a maintenance window of 5 hours work?

Start with the primary admin node, then choose the node order you want after that. 5 hours should be enough for five nodes.  

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0100.html#ID202
"If you are installing the patch from the CLI, you can control the order in which the nodes are updated. However, we recommend that you install the patch on the Primary PAN first."

You will use the command "patch install <patch name> <repo name that has patch file>"

The impact to users and services depends on which node is patching and your HA config. If you have redundant RADIUS servers configured on your NADs, then user impact should be relatively minor.

Read this section of the admin guide to see what will be unavailable while the primary admin node is down/patching.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#ID59

Thanks guys!