Cisco Employee

ISE patch while upgrading

Is there a way to apply a patch while you're upgrading an ISE environment?  My use case is, if a customer is upgrading from ISE 2.2 to 2.4, they start with their Secondary Admin, Primary Monitoring, then they start upgrading their PSNs.  However, during this process the newly upgraded PSNs will be vulnerable to any bugs in the base 2.4 code, and users being migrated to the upgraded PSNs will be exposed to those bugs.  Is there a way to apply a patch to each node as they're being upgraded to avoid unnecessary issues?

 

Thanks,

Matt

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advisor

Re: ISE patch while upgrading

Short answer no. During the upgrade process the databases will be tweaked
by starting with secondary PAN then making it ready to accept PSNs until
primary PAN is upgraded and rejoined the upgraded deployment. If you alter
the database with patches you might not be able to recover.
4 REPLIES 4
Cisco Employee

Re: ISE patch while upgrading

I see that you can apply patches prior to registering PSNs to the upgraded deployment per this document: https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934#toc-hId--718381845

 

Cisco Employee

Re: ISE patch while upgrading

To recap our discussion offline on this, Surendra and Mohammed al Baqari are both correct in the case of using the guided upgrade in the ISE admin web UI, whereas ISE Upgrades - Best Practices describes additional options besides the UI guided upgrade. The other options could be preferable for sizable ISE deployments, for those ISE releases unable to upgrade directly to ISE 2.4 or 2.6, or for other considerations.

 

Cisco Employee

Re: ISE patch while upgrading

Unfortunately, you will not be able to upgrade the rest of the deployment if you do so. The nodes will be upgraded for a brief moment before they fail to join the upgraded deployment and are rolled back. What you can test, though, is to apply patches, test the user authentications, see if they are working, roll back the patches and then upgrade the rest of the deployment. This is not a tested path as such, but going by the logic, this should work, and you will be doing it at your own risk.