Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2527
Views
2
Helpful
23
Replies

ISE upgrade from 1.3 to 2.1

Go to solution
dot1x
Level 3
Level 3

‎11-15-2017 03:14 PM

Hi Champs!

A quick question: We are running ISE 1.3 and would like to upgrade.

Is there any stable version we could upgrade to?

I see we can directly update from 1.3 to 2.1, but not to 2.2.

Is it a good idea to update to 2.1?

We are running ISE in distributed environment with multiple nodes.

Thanks.

23 Replies 23

Go to solution
dot1x
Level 3
Level 3

‎12-12-2017 05:10 PM

Hi Champs!

What order should we apply the patch if we are using CLI?

Would there be any downtime when applying the patch individually on each node?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to dot1x

‎12-12-2017 05:17 PM

Primary PAN first. Then, the rest can be in any order.

Yes, there would be downtime but you would have the control over which ISE nodes down when doing it via CLI. ISE patching usually will restart ISE services and some patches will reboot the O/S.

0 Helpful

Go to solution
dot1x
Level 3
Level 3
In response to hslai

‎12-12-2017 05:20 PM

Thanks hslai,

When we do the Primary PAN first, wouldn't there be a patch mismatch between Primary PAN and all other nodes?

Would this cause any issues?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to dot1x

‎12-12-2017 05:28 PM

During patching, it's fine that not all ISE nodes in the same patch level as that is expected.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to dot1x

‎12-12-2017 05:20 PM

Please check the admin guide on this process, it’s all explained

0 Helpful

Go to solution
dot1x
Level 3
Level 3
In response to Jason Kunst

‎12-12-2017 05:32 PM

The guide says:

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment. Secondary Cisco ISE nodes are restarted consecutively after the patch is installed on those nodes. While installing a patch on secondary nodes, you can continue to perform tasks on the Primary PAN.


whichh I believe is true when we use GUI. I'd be using CLI to apply patch on individual nodes.

Any thoughts?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to dot1x

‎12-12-2017 05:37 PM

Correct. The info is on using the ISE admin web UI to apply the patches.

When using CLI, the ISE admin has the control which one ISE node got applied first and when to start patching on any of the ISE nodes.

0 Helpful

Go to solution
dot1x
Level 3
Level 3

‎12-12-2017 05:35 PM

We have 2 PSNs running.

1. We update patch on Primary PAN.

2. Update patch on 1st PSN.

At this point of time Primary PAN has latest patch and 2nd PSN is on older patch. Would 2nd PSN still be working and authenticating the clients while 1st PSN patch update is in progress?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to dot1x

‎12-12-2017 05:41 PM

Yes.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents