cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

118
Views
0
Helpful
5
Replies

Has anyone had any issues with ISE 2.4 patch 7

Hello,

I was wondering if anyone has had any issues with ISE 2.4 patch 7 after upgrading from version 2.3 patch 6?  I'm talking a direct upgrade and not a fresh install of 2.4 patch 7 from 2.3 patch 6.  Since I've upgraded, I've noticed alarms for license registration, AD diag tools finding issue yet providing no details, TACACS+ authorized commands lagging on NADs (ie brief pauses between executing commands), the Web GUI lagging, randomly getting an error that a PSN couldn't be contacted on the Certificate page when trying to expand a PSN to check my system certs, etc.  These are errors that I have never received on version 2.3.  In fact, I originally installed patch 8 and had to roll back to patch 7 due to bug ID CSCvn12442 which still found it's way in patch 8 although, according to TAC, patch 8 was supposed to be the fix.

I'm at a crossroad now because we will be looking to migrate our ISE VMs to another host but I'm leaning towards going back to 2.3 patch 6.  Unless someone can give me solid reason(s) for not downgrading, I may end up doing just that.  Thoughts???

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Engager

Re: Has anyone had any issues with ISE 2.4 patch 7

From a high level your symptoms seem like they would indicate a network/connectivity issue. Assuming you haven't already, I would be looking for packet loss and retransmissions. One of the concerns I have about downgrading is that if you do not identify a root cause on 2.4, it's entirely possible that the same problem could exist with 2.3 and the timing was just a coincidence.

Interestingly enough, I also have customer with a relatively busy 6 node tacacs deployment that has logging issues. Patch 5 is where the deployment began, patch 8 resulted in no improvement. Still working through TAC on a root cause, but from a high level we are seeing syslog buffer files back up in the collector.
5 REPLIES 5
Enthusiast

Re: Has anyone had any issues with ISE 2.4 patch 7

I can relate to the licensing issue since I am still working on it. They changed the ISE VM licensing structure. See: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/213171-ise-2-4-upgrade-alarms-fewer-vm-license.html
Note that Cisco will tell you they are not enforcing it at the moment so services will not be affected. Cisco will also typically tell you that the even numebr version releases are the more suggested versions to run. I would recommend checking the bugs that have been identified with the release you are running. HTH!

Re: Has anyone had any issues with ISE 2.4 patch 7

Yeah I'll have to go back and revisit the release notes to see if any of what I'm experiencing is listed in the open caveats.  I've had to delay putting this into production for over a year due to hitting various bugs starting with 2.3.  The patch to fix the bug ID I mentioned above wasn't released until March of this year.  Now that I've upgraded, it appears that I'm getting worse performance than when I was on 2.3 with the March patch release.  So I'm now debating if I should go back or stay on this release and see what Cisco does with the next patch.

VIP Engager

Re: Has anyone had any issues with ISE 2.4 patch 7

From a high level your symptoms seem like they would indicate a network/connectivity issue. Assuming you haven't already, I would be looking for packet loss and retransmissions. One of the concerns I have about downgrading is that if you do not identify a root cause on 2.4, it's entirely possible that the same problem could exist with 2.3 and the timing was just a coincidence.

Interestingly enough, I also have customer with a relatively busy 6 node tacacs deployment that has logging issues. Patch 5 is where the deployment began, patch 8 resulted in no improvement. Still working through TAC on a root cause, but from a high level we are seeing syslog buffer files back up in the collector.

Re: Has anyone had any issues with ISE 2.4 patch 7

Hello,

Well the issue with TACACS+ accounting logs and live logs, in general, is no longer a problem since installing patch 7 on 2.4. As for the network/connectivity issue, none of these high level symptoms were an issue when I was on 2.3 patch 6. These problems didn't arise until I upgraded to 2.4. No other changes happened and I can confirm that because I keep logs of all changes made to network equipment and none were made.

I don't suspect 2.4 requires changes in the network.
Highlighted
Cisco Employee

Re: Has anyone had any issues with ISE 2.4 patch 7

Please contact TAC to further troubleshoot.