09-10-2025 09:49 PM
Hi,
We're currently at ISE 3.1 patch 10. We intend to upgrade to ISE 3.4 patch 3 which is marked as suggested version now in Cisco's download portal. Since we've had many problems even with suggested software versions, I don't value a star in a Cisco download portal. Anyone using that version already in production and not just in a lab?
The intention is to fix the Windows 2025 Active Directory issue https://bst.cisco.com/quickview/bug/CSCwn62873
Thanks,
Bernd
09-11-2025 04:27 AM
- @Network Diver The post is a typical 'dead loop'; you say "I need the fix, but I don't trust the yellow star", well then that's it.
You say: I had many problems even with suggested software versions.
Can you give a few technical examples of those?
Often when I ask that question, no response can be given (triggering you!)
>...Anyone using that version already in production and not just in a lab?
I had a combined solution for the trust issue; it is scary when the new version is suddenly deployed everywhere.
Usually ISE is business critical indeed.
What I always did is build the new ISE environment as a separate deployment.
Then I had a script based on the CISCO-CONFIG-COPY-MIB which could replace the (ISE) RADIUS servers (actually the PSNs) within 'milliseconds' in the running configuration of a NAD (Cisco switch or other). So for instance, during a couple of days I let only 2 switches use the new ISE environment, followed up, and/or checked that no one complained.
Gradually I migrated the other NADs (and I could also roll back everything in seconds if needed).
M.
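The staged cutover M. describes (pilot a few NADs on the new PSNs, keep a rollback ready, push the change via CISCO-CONFIG-COPY-MIB) as an added example; this is not M.'s script or any Cisco code. It only builds the IOS merge snippets and the SNMP varbinds for one ccCopyTable row and sends nothing; the column OIDs and enum values are quoted from memory of the MIB and are an assumption to verify against the MIB file, and all names and addresses are constructed.

```python
"""Staged ISE PSN cutover planner: per-NAD config merge that points the AAA
server group at the new PSNs, the matching rollback merge, and the
CISCO-CONFIG-COPY-MIB varbinds that would merge a TFTP file into running-config.
Nothing is sent over the network; pushing the row is left to the operator."""
from dataclasses import dataclass

# ccCopyEntry columns and enum values (assumed from memory; verify against CISCO-CONFIG-COPY-MIB)
CC_COPY = "1.3.6.1.4.1.9.9.96.1.1.1.1"
COL = {"protocol": 2, "src_type": 3, "dst_type": 4, "server": 5, "file": 6, "row_status": 14}
TFTP, NETWORK_FILE, RUNNING_CONFIG, CREATE_AND_GO = 1, 1, 4, 4

@dataclass
class Wave:
    name: str   # e.g. "pilot": the 2 switches watched for a few days before the rest follow
    nads: list  # constructed hostnames of the NADs in this wave

def radius_lines(group: str, psns: dict) -> list:
    """IOS lines defining RADIUS servers and binding them to an AAA server group."""
    lines = []
    for name, ip in psns.items():
        lines += [f"radius server {name}", f" address ipv4 {ip} auth-port 1812 acct-port 1813"]
    lines.append(f"aaa group server radius {group}")
    lines += [f" server name {n}" for n in psns]
    return lines

def cutover_config(group: str, old: dict, new: dict) -> list:
    """Merge snippet: add the new PSNs, then drop the old ones from the group.
    The old 'radius server' definitions stay in the config so rollback is a tiny merge."""
    return radius_lines(group, new) + [f" no server name {n}" for n in old]

def rollback_config(group: str, old: dict, new: dict) -> list:
    """Inverse merge: re-bind the old PSNs and unbind the new ones."""
    return radius_lines(group, old) + [f" no server name {n}" for n in new]

def copy_varbinds(row: int, tftp_server: str, filename: str) -> list:
    """(oid, value) pairs for one ccCopyTable row: merge a TFTP network file into running-config."""
    def oid(col: str) -> str:
        return f"{CC_COPY}.{COL[col]}.{row}"
    return [(oid("protocol"), TFTP), (oid("src_type"), NETWORK_FILE), (oid("dst_type"), RUNNING_CONFIG),
            (oid("server"), tftp_server), (oid("file"), filename), (oid("row_status"), CREATE_AND_GO)]

def plan(waves: list, group: str, old: dict, new: dict) -> dict:
    """Per-NAD cutover and rollback snippets, tagged with the wave they belong to.
    Later waves are only pushed after the pilot wave has been observed and found clean."""
    out = {}
    for w in waves:
        for nad in w.nads:
            out[nad] = {"wave": w.name, "cutover": cutover_config(group, old, new),
                        "rollback": rollback_config(group, old, new)}
    return out
```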
09-11-2025 04:50 AM
The trust issue is not specific to ISE software. We also had major issues with ASA firewall versions that erased configuration, FTD firewall that restarts LACP port-channel members or panics the firewall due to SNMP monitoring, WLAN controller that loses ARP, and the rest I erased from memory.
Building a new environment alongside the existing one is also my preferred method, especially since we have ISE in a virtual environment. Unfortunately ISE lacks exporting/importing all the configuration policy elements. Backup/restore works only if the hostname does not change, and not for cloning one environment to another. Changing the RADIUS servers on switches and firewalls is the simplest task among all these. We did that for the migration from ISE 2.x to 3.1. From my experience new stuff always works in test environments, and once it goes into production there are usually funny surprises.
09-11-2025 05:14 AM
- @Network Diver Well, the methodology advised is to contain those funny surprises in the beginning, but that requires the manager to observe, scrutinize and analyze the new (small) environment properly (otherwise the whole endeavor makes no sense).
So keep with this preferred method for this project too. And also write and enter the policies from scratch again on the new deployment (no restores needed).
M.
09-11-2025 06:43 AM
Seems the Cisco UCS-X blade system and NetApp AFF A400 SSD storage array are too weak for ISE upgrades. On what type of hardware is Cisco using that software? Quantum computers from the Starship Enterprise?
09-11-2025 07:54 AM
- @Network Diver An issue that could well be outside of ISE, even though those boxes look good; for instance, issue:
ise-admin # show tech | begin "disk IO perf"
M.
09-11-2025 09:59 PM - edited 09-12-2025 02:25 AM
Disk I/O seems okay. The whole ISE startup and upgrade process is just so slow. Upgrade of other software with similar complexity (e.g. Cisco Firewall Management Center) is done within minutes. We used ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova for deployment.
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 292 MB/second
Average I/O bandwidth reading from disk device: 384 MB/second
I/O bandwidth performance within supported guidelines
What about the backup/restore upgrade procedure Cisco recommends here?
https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/upgrade_guide/Upgrade_Journey/Cisco_ISE_3-4_Upgrade_Journey.html
We really don't want to re-create all the policies from scratch. ISE is used for wired and wireless 802.1X EAP-TLS authentication and AnyConnect VPN with different tunnel groups and different locations.
I see the restore has an option (don't tick "restore ADE-OS") to not overwrite things like hostname, IP address and deployment, so I could restore all policies and endpoint data from ISE 3.1 to an ISE 3.4 test environment.
10-07-2025 11:28 PM
So far ISE 3.4 patch 3 is running fine. *KNOCKONWOOD*
12-30-2025 10:29 PM
I just completed an upgrade to ISE 3.4 patch 3 and now I can no longer see the interface port listed under NAD Port ID. That is one feature I used extensively and am disappointed that it now fails to load.
Any suggestions or does this sound like I need to contact TAC?
12-31-2025 06:08 AM
- @Willdozer Contact TAC.
M.
12-31-2025 09:42 AM
It works just fine.
12-31-2025 11:37 AM
Ok, must just be my deployment then. It's been in service for quite a while. I'll see what TAC has to say about it. From what I'm finding online, there are options to reset and resync the Context Visibility to help clear things up, I just can't seem to find whether or not you lose any data or if everything is brought back into the Context Visibility tables from the database.
01-05-2026 10:38 AM
Turns out there is a defect with Patch 3, per TAC. Here is their response:
There is a defect for this behavior. I have linked this defect below.
Can you rollback/uninstall patch 3 on all nodes? After removing patch 3 on all nodes, install patch 4. The fix is to install patch 4. However, there is another defect where if patch 4 is installed on top of patch 3, it will remove the attributes completely where you won’t see them in other attributes either. This is why I recommend removing patch 3 first, before installing patch 4.
01-05-2026 10:47 AM
Is it possible to ask Cisco to update the Suggested Release for ISE to 3.4 Patch 4 instead of Patch 3? I was upgrading from 3.2 and would have gone right to Patch 4 instead of the suggested Patch 3 and saved myself this grief.
01-05-2026 10:56 AM
IMO there is little reason not to go to the latest ISE patch. Personally, I only like following the Suggested Release for major versions. Things like security vulnerabilities will require being on a newer version. There is ZERO reason to lag on security-specific fixes just because it's not a gold-star patch.