Cisco ISE 3.3 patch-7

Good morning technology people,

Has anyone applied patch-7 on your 3.3 ISE environment?  I am almost 100% that this patch is NOT thoroughly tested by Cisco prior to releasing it.  I have to patch my 3.3 patch-6 system in about two weeks (due to security issues).  I would like to know if anyone has run into any issues after applying patch-7.

TIA...


balaji.bandi
Hall of Fame
 I am almost 100% that this patch is NOT thoroughly tested by Cisco prior to releasing it.

It all depends on the environment. I am testing in my lab, have done some good testing, and have not seen any issue. If you have a distributed environment, apply the patch to one of the nodes and monitor. If there is any issue, we always rely on TAC, since they are the SMEs to answer.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @adamscottmaster2013 ,

I already applied ISE 3.3 P7 on ISE Clusters with 4x Nodes, 12x Nodes and 14x Nodes ... so far so good !!!

Note: VM Clusters using 3755 and 3795.

Hope this helps !!!

Arne Bier
VIP

I applied patch 7 on top of patch 6 in two separate deployments. In both cases, no issues. But in the second deployment (large distributed) one of my PSNs didn't take the patch and, even after multiple reboots and application resets, I could not revive the node - it was trashed. I deleted and rebuilt the VM. Very odd, because this deployment has been patched a few times and never had any issues. I give my PSNs 300GB disk, and I wonder if that is truly too small, because the issue might have been related to the database that didn't recover. Even though it was just a PSN, I think there comes a point (bug) where the Oracle just gets trashed because of the 300GB. There is plenty of free disk - but not on the database partition. No idea - I didn't open a TAC case for this.

@Arne Bier ,

interesting ... all the clusters that I upgraded to 3.3 P7 were 600GB (PAN and PSN) and 2TB (MnT).

muinclude
Level 1

After upgrading from ISE 3.3.0 Patch 6 to Patch 7, I noticed the following issue:

  • When devices lose their connection to ISE and then reconnect, users configured in ISE are unable to log in to the devices.

  • The following error is shown:
    13017 Received TACACS+ packet from unknown Network Device or AAA Client

    Workaround:
    Deleting and re-adding the affected device in ISE resolves the issue and normal login is restored.

    Impact:
    This affects any device that temporarily loses connection with ISE and then tries to authenticate, causing administrative logins to fail until the device is re-registered.

    Request:
    Has anyone else observed this behavior on Patch 7? Is there a recommended fix or a planned patch addressing this issue?
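
Added example, not part of the thread and not Cisco code: a Python triage helper for the 13017 message quoted above. It separates sources that are in your configured network-device inventory (the symptom this post describes) from sources that really are unknown. The `Device IP Address=` field, the log layout, the sample addresses and all function names are assumptions; adjust the regex to your own log export.

```python
import ipaddress
import re
from collections import Counter

# Message text exactly as quoted in the post above.
MSG_13017 = "13017 Received TACACS+ packet from unknown Network Device or AAA Client"
# Assumption: the sender address appears in a "Device IP Address=" field.
SRC_RE = re.compile(r"Device IP Address=([0-9.]+)")

def classify_13017(log_lines, configured_nads):
    """Count 13017 events per source, split by whether the source is configured."""
    nets = [ipaddress.ip_network(n, strict=False) for n in configured_nads]
    configured, unknown = Counter(), Counter()
    for line in log_lines:
        m = SRC_RE.search(line) if MSG_13017 in line else None
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # malformed address in the log line
            continue
        bucket = configured if any(ip in n for n in nets) else unknown
        bucket[str(ip)] += 1
    return dict(configured), dict(unknown)

# Constructed sample data (not taken from the thread).
SAMPLE_NADS = ["10.10.1.0/24", "10.20.5.7"]
SAMPLE_LOG = [
    "Jan 10 08:00:01 psn1 Failed-Attempt: " + MSG_13017 + ", Device IP Address=10.10.1.15",
    "Jan 10 08:00:09 psn1 Failed-Attempt: " + MSG_13017 + ", Device IP Address=10.10.1.15",
    "Jan 10 08:01:30 psn1 Failed-Attempt: " + MSG_13017 + ", Device IP Address=10.20.5.7",
    "Jan 10 08:02:11 psn1 Failed-Attempt: " + MSG_13017 + ", Device IP Address=192.0.2.44",
    "Jan 10 08:02:40 psn1 Failed-Attempt: " + MSG_13017 + ", Device IP Address=999.1.1.1",
    "Jan 10 08:03:00 psn1 Passed-Authentication: Device IP Address=10.10.1.15",
]

if __name__ == "__main__":
    configured, unknown = classify_13017(SAMPLE_LOG, SAMPLE_NADS)
    for ip, n in sorted(configured.items()):
        print(f"configured device rejected as unknown: {ip} ({n} events)")
    for ip, n in sorted(unknown.items()):
        print(f"not in inventory: {ip} ({n} events)")
```

Sources in the first group are the ones to compare against the patch timeline and raise with TAC; sources in the second group are ordinary 13017 events from devices that were never defined.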



henry.astorga
Level 1

Hello Sir, I have installed patch 7 on my v3.3 deployment, which has been running for several weeks now, and the new issue I have seen is that IP addresses are sometimes not showing up on endpoint profiles in Context Visibility. The same issue is now seen on my Catalyst 9K switches where the IP address does not show up on some ports when running a "show auth sess" with detail. I have a couple TAC cases open and they say they are aware of the issue and are working for a fix.


@henry.astorga wrote:
The same issue is now seen on my Catalyst 9K switches where the IP address does not show up on some ports when running a "show auth sess" with detail. I have a couple TAC cases open and they say they are aware of the issue and are working for a fix.

Are these endpoints Cisco APs?

Hello Leo, no, they are not AP endpoints. The endpoints are mostly PCs connected through IP phones to the access switch or just the PC connected to the access switch port. I had forgotten to mention before that patch 7 was applied on an ISE v3.3 already running patch 6.

Please check if the IP addresses are shown in device tracking:

sh device-tracking database

We have issues where the command "sh authentication sessions interface <PORT> detail" does not display the IP address of the endpoint but this is mostly happening to some switches and not all.  I attribute this behaviour to something misconfigured in the switch because the vast majority of our switches (classic IOS and IOS-XE) are fine.

Leo, they do show up in device tracking. I have a TAC case open so not sure you can come up with anything more than what TAC is working on. We have checked all that related output and that is why it's such an odd problem. TAC case is still in progress to figure out root cause.

Regards,
Henry

 TAC cases open and they say they are aware of the issue and are working for a fix.

This is very interesting to hear from TAC. What is the issue? Did they give any reference to an open bug?

BB


What exactly are you basing that statement on? lol

I have it on several deployments with zero issues.

Several minor and critical issues after going from 3.3 patch-6 to patch-7:

- Backup is working properly but I get a message in syslog that "Alarms: No Configuration Backup Scheduled".  Had to disable/enable backup for the message to disappear.

- Secondary Admin/Primary MnT stopped replicating to the Primary Admin/Secondary MnT.  The process on this node was messed up so bad that I didn't receive email notification.  Worse, it also lost connectivity to Active Directory.  Had to reboot the node to resolve the issue.  

Leonardo Santana
Spotlight

Hi,

I already applied Cisco ISE 3.3 Patch 7 and it's running without any issues.

Regards
Leonardo Santana

*** Rate All Helpful Responses***