Solved: Cisco ISE 2.2 - Most recent stable patch release

CB90021204 · ‎10-21-2018

Hello, I upgraded my ISE deployment to ISE 2.2 patch 11. I see that ISE 2.2 patch 11 has since been deferred.

What does Cisco recommend as the stable ISE 2.2 Patch release? Should we wait for Patch 12 or roll back to 9 or 10?

SEVT on Oct 7-13 recommended ISE 2.2 Patch 9. Just wondering if this is still the Cisco recommended patch release?

Thanks,

packetplumber9 · ‎10-24-2018

My TAC case on this issue reported it is planned to be fixed in the Patch 12 release.

View solution in original post

Cory Peterson · ‎10-22-2018

In the very near future ISE 2.4 Patch 4 will be the recommended version of ISE.

I would expect this in the next couple weeks.

anthonylofreso · ‎10-22-2018

It's a fair question, and one that's becoming increasingly difficult to answer. I've shared some feedback with a few folks at Cisco regarding patches lately:

New patches consistently break existing functionality, or introduce new bugs. Examples

Patch 7 & Patch 8 for v2.2 came bundled with two new memory leaks: CSCvf22318 & CSCvf47316
Patch 9 breaks “Add Endpoint” on the context visibility page
I’ve been following two - posts in the communities that document Patch 10 breaking deployments

And now, patch 11 has been recalled. In my opinion, more rigor needs to be applied to patching. I'm very much a fan of Continuous Improvement, and rapid releases... but this methodology, when applied appropriately, should not introduce the number of flaws we've seen lately with these patches.

This often leaves us in a difficult position when TAC is advising us to patch ISE before further troubleshooting can occur, but the patch they would like us to move to will knowingly introduce additional issues.

Damien Miller · ‎10-22-2018

I won't argue with you on that, it's painful. For what it's worth, 2.4 has been pretty stable for us lately, we had some early issues with high impact, but we were able to have hot fixes generated. All of the main issues we were facing are now addressed in patch 4. It shows some promise of increased software quality. Too many regressions and recalled patches in the past year.

richard.allen1 · ‎10-22-2018

We recently upgraded from patch 9 to 11. Everything was stable in 9. Under patch 11 we lost all authentication against AD. Under TAC advisement we rolled back to 10 on a few nodes which broke the application services, effectively killing our entire deployment. We have since rebuilt the broken nodes back to 11 but still do not have AD authentication working.

I would recommend holding on 9 until all of this gets sorted out...

hslai · ‎10-22-2018

If ISE 2.2 Patch 11 is working fine in your deployment, please keep it as it is for now. If you are planning to rollback, please engage Cisco TAC, due to CSCvm92278.

CB90021204 · ‎10-22-2018

Thanks everyone for your comments. We are hitting bug CSCvm80261 on patch 11, not aware of anything else yet. Will remain on patch 11.

Bryant Ho · ‎10-24-2018

We're also running into CSCvm80261 on patch 10 on two of our regional deployments.

packetplumber9 · ‎10-24-2018

My TAC case on this issue reported it is planned to be fixed in the Patch 12 release.