Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1322
Views
10
Helpful
9
Replies

ISE 2.4 P7: Can someone explain why this one enhancement required an urgent patch?

Nadav
Level 7
Level 7

‎04-03-2019 10:18 AM - edited ‎04-03-2019 10:57 AM

Hi everyone,

 

Recently patch 7 was released. Here is the only thing updated according to RN:

 

"This is an enhancement to implement master node APIs for multi-DNAC support in Cisco ISE."

 

So as of Patch 7 ISE supports multiple DNA-Cs. The bug search tool doesn't show any mention for Patch 7 [ 2.4(0.907) ] at all.

 

Any reason why this was urgent?

0 Helpful
9 Replies 9

Damien Miller
VIP Alumni
VIP Alumni

‎04-03-2019 10:54 AM

Thanks for the notice, I can't keep up with the patch frequency, nor can customer deployments. Crazy how large the patch file sizes are getting, 2 GB!

I find it suspicious that new functionality (but much needed) would be introduced in 2.4 with a patch. I thought this went against the new features in major releases, bug fixes in patches.
0 Helpful

Nadav
Level 7
Level 7
In response to Damien Miller

‎04-03-2019 10:56 AM

It honestly feels like Windows Update by this point :)
0 Helpful

Arne Bier
VIP
VIP
In response to Damien Miller

‎04-04-2019 06:23 AM

Patch 6 caused the size to go sky high (288 fixes introduced in patch 6).  I guess future ISE 2.4 patches will now always be at least 2GB.  Maybe ISE 2.6 patch is around the corner ... worth a look.

 

I am still getting these weird issues even in ISE 2.4 patch 6 - I don't have the time to raise a marathon of TAC cases like I used to.  All these random GUI red dialog boxes with obscure error messages that mean nothing. Happens randomly.  When adding Authorization Rules the save function sometimes only works on the second attempt.  Reordering Rules, and then click save doesn't always preserve the Rule in the spot where you placed it.  It's just absurdly badly written code.  Web design is not a new thing.  In contrast, I was using a Meraki dashboard today and you can see how web design is meant to look like - it's responsive and most of all - ROBUST! I feel safe in this GUI, no matter how long you stay in there and click around - and with Meraki there is a LOT of clicking around :-)

 

But ISE is not alone in the camp of disappointingly unreliable browser experience.  Cisco WLC GUI and Prime are just as badly written - must come from the same steaming pile of Java.  I expect failure every time I spend more than 30 minutes in these things.  Sorry, I went off topic ... :-(

Nadav
Level 7
Level 7
In response to Arne Bier

‎04-04-2019 08:59 AM - edited ‎04-04-2019 10:46 AM

There there, within a few years/decades SDA will automate everything so that you'll never have to touch another GUI ever again :)

 

But back to this disappointing reality. Have all those bugs you mentioned only appeared as of P6? Were they not around in earlier patches of 2.4?

 

BTW, if Cisco planned to release an urgent patch after P6, I would have expected it to include a fix for this:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp12131

 

I'm curious where you heard that 288 fixes were included in P6. Using the bug search, combining all 6 patches (1..6) has shown that there have been 331 fixes between all of them. P6 alone has 199 fixes. It's a big number, but not 288.

0 Helpful

Arne Bier
VIP
VIP
In response to Nadav

‎04-05-2019 03:49 AM

@Nadav  - you're right - I was exaggerating about the bug fixes - by my count it's 193 in the release notes (193 CSC entries for patch 6).  It's a big number for sure.

 

The GUI issues have been around since 2.3 and seem to permeate all versions since then. 

0 Helpful

Nadav
Level 7
Level 7
In response to Arne Bier

‎04-05-2019 04:17 AM

Oh, well the fact their web applications are buggy is nothing new.

Compared to ACS (where using an unsupported browser and saving policy changes can lead to a fresh installation) or Prime Collabortion Assurance (where entire submenus are inaccessible), ISE 2.4 has been a refreshing change. And those are considered massive improvements compared to the previous generation of products.

Cisco really needs to get behind a single web engine and maintain it properly for their entire portfolio. Use the old write-once-use-many approach. They have a vast workforce which could possibly make fantastic frontends.
0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to Arne Bier

‎04-04-2019 09:57 AM

I'm trying to get a few customer deployments to patch 6 and you aren't inspiring confidence. I was hoping it was the "be all end all fix everything we have broken in patch 5" patch.
0 Helpful

paul
Level 10
Level 10
In response to Damien Miller

‎04-05-2019 06:34 AM

Patch 6 fixed several key issues for sure.  CoA on reprofile was one of the key lingering issues that has been broken since 2.3.  The also fixed the FQDN lookup in the AD profile that was broken in patch 2 I think of 2.4. Netflow is no longer getting stuck trying to scan unresponsive hosts and causing 1-2 delays for NMAP scans.  Overall patch 6 has been a good one for most of my customers.

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni

‎04-04-2019 10:14 AM

I can say after a meeting today that I'm glad this feature came, as odd as an enhancement in a patch is.  I have 14 DNAC clusters at a client that need to integrate with a single ISE instance. 

0 Helpful
Customers Also Viewed These Support Documents