Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1053
Views
0
Helpful
5
Replies

Has anyone had any issues with ISE 2.4 patch 7

Go to solution
Terence Lockette
Level 1
Level 1

‎06-14-2019 08:07 AM

Hello,

I was wondering if anyone has had any issues with ISE 2.4 patch 7 after upgrading from version 2.3 patch 6?  I'm talking a direct upgrade and not a fresh install of 2.4 patch 7 from 2.3 patch 6.  Since I've upgraded, I've noticed alarms for license registration, AD diag tools finding issue yet providing no details, TACACS+ authorized commands lagging on NADs (ie brief pauses between executing commands), the Web GUI lagging, randomly getting an error that a PSN couldn't be contacted on the Certificate page when trying to expand a PSN to check my system certs, etc.  These are errors that I have never received on version 2.3.  In fact, I originally installed patch 8 and had to roll back to patch 7 due to bug ID CSCvn12442 which still found it's way in patch 8 although, according to TAC, patch 8 was supposed to be the fix.

I'm at a crossroad now because we will be looking to migrate our ISE VMs to another host but I'm leaning towards going back to 2.3 patch 6.  Unless someone can give me solid reason(s) for not downgrading, I may end up doing just that.  Thoughts???

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎06-14-2019 11:39 AM

From a high level your symptoms seem like they would indicate a network/connectivity issue. Assuming you haven't already, I would be looking for packet loss and retransmissions. One of the concerns I have about downgrading is that if you do not identify a root cause on 2.4, it's entirely possible that the same problem could exist with 2.3 and the timing was just a coincidence.

Interestingly enough, I also have customer with a relatively busy 6 node tacacs deployment that has logging issues. Patch 5 is where the deployment began, patch 8 resulted in no improvement. Still working through TAC on a root cause, but from a high level we are seeing syslog buffer files back up in the collector.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎06-14-2019 08:26 AM

I can relate to the licensing issue since I am still working on it. They changed the ISE VM licensing structure. See: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/213171-ise-2-4-upgrade-alarms-fewer-vm-license.html
Note that Cisco will tell you they are not enforcing it at the moment so services will not be affected. Cisco will also typically tell you that the even numebr version releases are the more suggested versions to run. I would recommend checking the bugs that have been identified with the release you are running. HTH!
0 Helpful

Go to solution
Terence Lockette
Level 1
Level 1
In response to Mike.Cifelli

‎06-14-2019 10:55 AM

Yeah I'll have to go back and revisit the release notes to see if any of what I'm experiencing is listed in the open caveats.  I've had to delay putting this into production for over a year due to hitting various bugs starting with 2.3.  The patch to fix the bug ID I mentioned above wasn't released until March of this year.  Now that I've upgraded, it appears that I'm getting worse performance than when I was on 2.3 with the March patch release.  So I'm now debating if I should go back or stay on this release and see what Cisco does with the next patch.

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎06-14-2019 11:39 AM

From a high level your symptoms seem like they would indicate a network/connectivity issue. Assuming you haven't already, I would be looking for packet loss and retransmissions. One of the concerns I have about downgrading is that if you do not identify a root cause on 2.4, it's entirely possible that the same problem could exist with 2.3 and the timing was just a coincidence.

Interestingly enough, I also have customer with a relatively busy 6 node tacacs deployment that has logging issues. Patch 5 is where the deployment began, patch 8 resulted in no improvement. Still working through TAC on a root cause, but from a high level we are seeing syslog buffer files back up in the collector.
0 Helpful

Go to solution
Terence Lockette
Level 1
Level 1
In response to Damien Miller

‎06-14-2019 12:16 PM

Hello,

Well the issue with TACACS+ accounting logs and live logs, in general, is no longer a problem since installing patch 7 on 2.4. As for the network/connectivity issue, none of these high level symptoms were an issue when I was on 2.3 patch 6. These problems didn't arise until I upgraded to 2.4. No other changes happened and I can confirm that because I keep logs of all changes made to network equipment and none were made.

I don't suspect 2.4 requires changes in the network.
0 Helpful

Go to solution
ldanny
Cisco Employee
Cisco Employee
In response to Terence Lockette

‎06-17-2019 12:34 AM

Please contact TAC to further troubleshoot.

0 Helpful
Customers Also Viewed These Support Documents