Cisco ISE upload patch

zeryu
Cisco Employee

Dear experts,

My customer is planning to upgrade to 2.4 patch 11 on the Cisco ISE nodes. It is a 2-node deployment with 2.4 patch 5 installed. According to the documentation, we should be able to install 2.4 patch 11.

I'm planning to install the patch via the GUI. It will upgrade the primary PAN and then the secondary PAN; will there be any downtime for the services? While the primary PAN is being patched, the secondary node is still functional. After the primary node is patched successfully, it should be available to serve requests, and the secondary node starts patching.

Another query: currently memory and disk usage are high on the ISE nodes. I think we should have at least enough space for the patch package to be uploaded to ISE. Where is the patch uploaded to when we upload it via the GUI, and should we just check the disk (e.g. the command "show disk" to see the space left)?

Thanks for your time on this query; looking forward to your feedback!

Best Regards

zeryu


4 Replies

Damien Miller
VIP Alumni
Yes, you can install 2.4 patch 11 directly on your deployment running patch 5. No issue with that.

Yes, there will be an impact to services; what that impact is depends on which node is going through patching and on the network device config. Assuming both nodes are running PSN services, then if the NADs are configured to point to both nodes, they will usually automatically switch over to the node that is still up. This section of the admin guide that I am linking covers which services and features will be impacted when you take down various nodes in a deployment.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID57

2.4 patch 11 will consume about 12 GB in my experience; this is a result of a backup of the existing files and adding the new files within the patch.

Hi Damien,

Thanks for your quick reply. Please let me explain more. 

There are 2 PSNs in the deployment and the NADs all point to both ISE nodes; currently, ISE is a TACACS server. Assuming the ISE-1 node is installing the patch and the ISE-2 node is waiting, the ISE-2 node can still answer the TACACS requests, and the admin can log in to the NAD and enter CLI commands based on the policy configured on ISE, right?

And after the ISE-1 node has finished installing the patch, the ISE-2 node starts installing the patch, so the NAD can send TACACS queries to the ISE-1 node. So can we say there is just going to be a limited time (like 1-2 minutes) during which neither ISE node is running services?

And for the disk size, I just checked on the Cisco webpage that the size is 2453.92 MB. Please correct me if I'm wrong: as long as both ISE nodes have more than 2453.92 MB of free disk, it should not affect the patch installation process, am I right? (I assume that uploading the patch package via the webpage will upload it to the ISE disk, and that entering the CLI command "show disk" will show the remaining space on the ISE node.)

Thanks again for your response.

Best Regards

Zerui

On your first question, you have it correct. Both node 1 and node 2 are able to process login requests. When the primary node is down, the secondary will be able to authenticate, and vice versa.

Node 2 will begin to patch once node 1 comes back online. It's possible there could be a brief impact if node 2 begins before node 1 has everything back up and running. For this reason I typically patch via the CLI, where we can pause and verify that node 1 is operating correctly before moving on to the next node.

Lastly, you are correct: the patch file size is about 2400 MB, but this is a compressed bundle of RPMs and scripts. When you upload the patch file and patching begins, a number of things happen. One, the patch file is extracted and the uncompressed files are saved to disk. The other piece that occurs is what appears to be a backup of current state files, which likely accommodates a patch removal. Two folders end up in the root file system, ./storedata/installed/<patch number> and ./storedata/installed/<patch number>/backup; these two folders consume about 12G for the most recent patches.

The patch will fail if you don't have enough disk space. ISE by default will try to keep disk usage of /opt/ under 80%. If you currently have any high disk alarms, then you should be talking to TAC. You need more than ~2400 MB to install the patch, as described above.
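As an added example (not Cisco's tooling and not code from anyone in this thread), the following pre-patch capacity check applies the numbers above to disk output from a node: the ~2454 MB upload, the ~12G of extracted files plus backup, and the 80% ceiling ISE tries to keep on /opt. It assumes df-style output; the exact layout of ISE's `show disk` output is not shown in the thread, and the sample lines are constructed.

```python
# Pre-patch disk capacity check for an ISE node (added example, not Cisco code).
# Applies the thread's figures: ~2454 MB patch upload, ~12G of extracted files
# plus backup under ./storedata/installed/<patch>, and the 80% /opt ceiling.
import re

PATCH_BUNDLE_MB = 2454               # compressed upload size from the thread
EXTRACTED_AND_BACKUP_MB = 12 * 1024  # ~12G for extracted files + backup folder
OPT_USAGE_CEILING = 0.80             # ISE tries to keep /opt under 80% used

# Constructed sample in df-style 1K blocks; ISE's real "show disk" layout is an
# assumption here and may differ.
SAMPLE_SHOW_DISK = """\
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/vg-root   41153856  20485120  18570480  53% /
/dev/mapper/vg-opt   206292968 152077312  43731016  78% /opt
/dev/sda1               999320    145216    785292  16% /boot
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(\S+)\s*$")


def parse_disk(output):
    """Return {mount: (size_mb, used_mb, avail_mb)} parsed from df-style text."""
    mounts = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        size_kb, used_kb, avail_kb = (int(m.group(i)) for i in (2, 3, 4))
        mounts[m.group(6)] = (size_kb // 1024, used_kb // 1024, avail_kb // 1024)
    return mounts


def patch_capacity_check(mounts, mount="/opt"):
    """Return (ok, needed_mb, projected_usage) for installing the patch.

    Conservatively counts the uploaded bundle as still on disk alongside the
    extracted files and backup, and requires the projected usage to stay under
    the 80% ceiling, not merely that the raw bytes fit."""
    if mount not in mounts:
        raise ValueError(f"{mount} not found in disk output")
    size_mb, used_mb, avail_mb = mounts[mount]
    needed_mb = PATCH_BUNDLE_MB + EXTRACTED_AND_BACKUP_MB
    projected = (used_mb + needed_mb) / size_mb
    ok = avail_mb >= needed_mb and projected < OPT_USAGE_CEILING
    return ok, needed_mb, projected


if __name__ == "__main__":
    ok, needed, proj = patch_capacity_check(parse_disk(SAMPLE_SHOW_DISK))
    print(f"need {needed} MB, projected /opt usage {proj:.1%}, ok={ok}")
```

On the constructed sample the raw free space (about 42.7 GB) would hold the patch, yet the check fails because /opt would land above 80%, which is the case a "free space > patch size" test alone misses.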

Noted. We will check with TAC about the free disk space issue before we install the patch. Thanks for your reply. Have a nice day!

Zerui