
ISE 2.0.1.130 Patch 6

Hi,

I need to apply Patch 6 to ISE 2.0.1.130. Current deployment is 2 nodes (SNS 3415s) with ISE-A admin (P), monitoring (P), PSN & ISE-B admin (S), monitoring (S) & PSN. ISE is used for wireless clients (phones, laptops) via Cisco WLCs, MAB & TACACS for switches. Infrastructure is configured with ISE-A/ISE-B's IPs (not pointing to a VIP behind a LB).

- Is it expected that there is an outage when you install the patch? I believe that the node needs to restart.

- What is the best way to control the installation to ensure zero downtime, and is the process reliable or should I expect the nodes to have issues?

- If performing a GUI installation and the ISE-A patch is installed but the node doesn't restart properly, is the patch installation on ISE-B stopped?

- Is it better to install the patch individually on the 2 nodes via the CLI and if yes, do you need to deregister the node before you install it? Any known issues when you need to re-register the node back? When the node restarts it will be on a different patch revision, so does this prevent config sync until ISE-B is patched?

Thanks,

Tom H.


Accepted Solutions
VIP Advocate

Re: ISE 2.0.1.130 Patch 6

I'm an advocate for patching via the CLI. For me it typically makes it a much quicker process. I can patch multiple nodes at the same time while picking and choosing the order for redundancy. With two nodes you won't benefit from the parallel time savings, but you do get to see patch fail/success status directly from the CLI session. This allows you to choose your next action with future nodes.

1. Each node will restart after the patch has finished installing. If doing this from the GUI, then the first node will patch first, then the second will patch. If you wish for more control in the process, you can patch via the CLI and ensure the first node is up and functioning prior to patching the second.

2. Doing this for zero downtime would depend highly on how your NADs are configured. Hopefully they are configured with both A and B RADIUS servers. If configured for two servers, then failover would rely on the RADIUS timers set on the NADs or their default timers. If you have very few NADs you could manually remove RADIUS server A, patch, add A back, remove B, patch, add B back. For any deployment I have worked on, this would take far more time than worthwhile.

3. I will defer to someone else on this as I'm not sure how a failure is handled in a two-node deployment. I have had patch failures on multi-node deployments (never the initial node) and the process continues on to the next node once marked failed in the GUI.

4. To patch via the CLI you do not have to deregister; the nodes will continue to operate on mixed patch levels, but I would not recommend continuing this way for an extended period.
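
The gate described in point 1 (confirm the first node is up before patching the second), as an added example that is not part of the original posts: a Python check over captured `show application status ise` output from the node patched first. The sample output is constructed, and the list of required services and the handling of "disabled" are assumptions.

```python
import re

# Constructed sample of `show application status ise` output (not from the thread).
SAMPLE_READY = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          5072
Database Server                        running          59 PROCESSES
Application Server                     running          9117
Profiler Database                      running          7017
M&T Session Database                   running          2790
pxGrid Infrastructure Service          disabled
"""
# Same node earlier, still coming up after the post-patch restart (constructed).
SAMPLE_STARTING = re.sub(r"(Application Server\s+)running\s+\d+",
                         r"\1initializing", SAMPLE_READY)

ROW = re.compile(r"^(\S.*?)\s{2,}(not running|initializing|running|disabled)\b")
# Assumption: these two must be running before the peer node is touched.
REQUIRED = ("Database Server", "Application Server")


def parse_status(text):
    """Map each process name to its state; header and rule lines do not match."""
    return {m[1]: m[2] for m in map(ROW.match, text.splitlines()) if m}


def safe_to_patch_peer(text):
    """Return (ok, problems) for the node that was patched first."""
    states = parse_status(text)
    # Empty or truncated output (node still rebooting) fails the gate here.
    problems = [f"{name}: missing from output" for name in REQUIRED
                if name not in states]
    for name, state in states.items():
        # "disabled" is acceptable only for services that are not required.
        if state == "running" or (state == "disabled" and name not in REQUIRED):
            continue
        problems.append(f"{name}: {state}")
    return (not problems, problems)


if __name__ == "__main__":
    for label, text in (("ready", SAMPLE_READY), ("starting", SAMPLE_STARTING)):
        print(label, safe_to_patch_peer(text))
```
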

Beginner

Re: ISE 2.0.1.130 Patch 6

Thanks Damien, yes all devices have both ISE IPs. I'll patch from the CLI.

Thanks,

Tom