Re: Cisco ISE 3.1 patch 10

trondaker · ‎02-08-2025

Installing patch 10 because of the vulnerability, but the PAN is stuck in a loop - installing patch 10, getting the error:

Error: ISE Integrity Check Failed! One or more ISE program files appears to
% be tampered with. Check system log for specific error(s).

patch remove ise 10, then it reboots, removes the patch, and just starts applying it again. Any tips?

Scott Fella · ‎02-08-2025

Do you have a multi node deployment? I would open a TAC case just in case you have outages, but I ran into a similar issue and I had to shut down the PAN, I promoted the secondary to primary, deregistered the old primary, factory reset the old primary and once that came back up, I joined it back, waited for the nodes to be sync'd and then promoted that back to primary.

As far as issues with the install, that would be something I would have TAC available in case it happens again.

-Scott
*** Please rate helpful posts ***

trondaker · ‎02-08-2025

Yes, three PSNs (one of which is secondary admin) and the primary which now is bricked. Have requested the case through our partner, but not sure if i should just promote the secondary now?

Scott Fella · ‎02-08-2025

You can wait for support, that won't hurt unless you have some outage right now. What you will probably to asked, it what was mentioned, promote the secondary, then they will review that all the nodes are in sync or not. That is the tricky part, if your nodes are in sync or not with the secondary.

-Scott
*** Please rate helpful posts ***

marce1000 · ‎02-08-2025

- Check the output from show logging system ade/ADE.log when trying this
This example bug report points to a possible issue with
'parch sequencing' https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb70401

Probably best to involve TAC when you cannot get it resolved ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

oumodom · ‎02-10-2025

Hi @marce1000 that was kind of old issue which resolved by v3.1 P4, since @trondaker perform P10.
Why is it related?

As planning to perform upgrade p10, we do concerns the ise functional if it was issue as above.

trondaker · ‎02-10-2025

I would be careful with p10 - we had to promote secondary to pan, and are now rebuilding the whole cluster on a new version.

oumodom · ‎02-11-2025

Would you mind sharing, what is the previous patch before upgrading to P10 ise v3.1?
And also what upgrading through CLI or GUI?

@trondaker @Scott Fella

trondaker · ‎02-11-2025

Had patch 3, 7 and 9 installed before, used the GUI to apply the patch. PAN rebooted on new patch, but cant start application server and goes to "not running" on all services. patch remove ise 10 works, but then just starts the process of applying patch 10 again after reboot.

oumodom · ‎02-11-2025

As TAC recommends to minimize impact or issue, they suggest to upgrade via CLI. not suggest for GUI.
As mentioned above, you have 3 PSNs node, so you patch firstly from secondary admin node (SAN) and lastly for PAN node right in cluster right? @trondaker

ben-fiebelkorn · ‎03-04-2025

I'm having the same issue today. Went from patch 9 to patch 10 using the gui on the PAN. I can remove the patch from the CLI but then it reboots and applies the patch again. The application server won't come up no matter how many times I stop/start services on the PAN.

trondaker · ‎03-04-2025

Did you open a tac-case? We just rebuilt on 3.3.

BlackSharpie · ‎02-11-2025

Looking to do the P10 install next week. We are currently running Version: 3.1.0.518 Patch 6 on a two node VM deployment. For those who have had a successful installation, how long did it take? Trying to get an estimate of downtime for our maintenance window. Any tips or advice appreciated.

BlackSharpie · ‎02-20-2025

We applied patch 10 last night to our 3.1.0.518 Patch 6 two node VM deployment. I used the GUI method and there were no issues. Total time was 1 hour. If I could offer any advice, it would be to use the CLI as there is no progress indication in the GUI so you will have no idea how your upgrade is going. In the GUI, after the install button is clicked, it remains available so you really don't know that installation has begun.