ISE 2.0.1.130 Patch 6

holdentom218
Level 1

Hi,

I need to apply Patch 6 to ISE 2.0.1.130. Current deployment is 2 nodes (SNS 3415s) with ISE-A admin (P), monitoring (P), PSN & ISE-B admin (S), monitoring (S) & PSN. ISE is used for wireless clients (phones, laptops) via Cisco WLCs, MAB & TACACS for switches. Infrastructure is configured with ISE-A/ISE-B's IPs (not pointing to a VIP behind a LB).

- Is it expected that there is an outage when you install the patch? I believe that the node needs to restart.

- What is the best way to control the installation to ensure zero downtime and is the process reliable or I should expect the nodes to have issues?

- If performing a GUI installation and ISE-A patch is installed but the node doesn't restart properly, is the patch installation on ISE-B stopped?

- Is it better to install the patch individually on the 2 nodes via the CLI and if yes, do you need to deregister the node before you install it? Any known issues when you need to re-register the node back? When the node restarts it will be on a different patch revision and therefore does this prevent config sync until ISE-B is patched?

Thanks,

Tom H.

Accepted Solution

Damien Miller
VIP Alumni

I'm an advocate for patching via the CLI. For me it typically makes it a much quicker process. I can patch multiple nodes at the same time while picking and choosing the order for redundancy. With two nodes you won't benefit from the parallel time savings, but you do get to see patch fail/success status directly from the CLI session. This allows you to choose your next action with future nodes.

1. Each node will restart after the patch has finished installing. If doing this from the GUI then the first node will patch first, then the second will patch. If you wish for more control in the process you can patch via the CLI and ensure the first node is up and functioning prior to patching the second.

2. Doing this for zero downtime would depend highly on how your NADs are configured. Hopefully they are configured with both A and B RADIUS servers. If configured for two servers then failover would rely on the RADIUS timers set on the NADs or their default timers. If you have very few NADs you could manually remove RADIUS server A, patch, add A back, remove B, patch, add B back. For any deployment I have worked on this would take far more time than worthwhile.

3. I will defer to someone else on this as I'm not sure how a failure is handled in a two-node deployment. I have had patch failures on multi-node deployments (never the initial node) and the process continues on to the next node once marked failed in the GUI.

4. To patch via the CLI you do not have to deregister; the nodes will continue to operate on mixed patch levels, but I would not recommend continuing this way for an extended period.

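Damien's point 2 is the one that decides whether a CLI-driven, one-node-at-a-time patch is actually outage-free: every NAD must list both PSNs, and the NAD's RADIUS timers decide how long a new authentication stalls while the patched node is rebooting. The following pre-maintenance check is an added example, not code from the thread or from Cisco; it models IOS-style failover as timeout × (retransmit + 1) seconds per dead server ahead of the first live one (an assumption about the NAD platform; the 5 s / 3 defaults are the IOS ones), and the NAD inventory and IP addresses are constructed for the example.

```python
"""Pre-maintenance check for a rolling two-node ISE patch (added example).

Given each NAD's ordered RADIUS server list, report for each patch step
which NADs would be left with no reachable server and the worst-case
delay a new auth would see while the NAD fails over to the other node.
"""

from dataclasses import dataclass

# Constructed addresses for the example, not the poster's deployment.
ISE_A = "10.0.0.11"
ISE_B = "10.0.0.12"


@dataclass
class Nad:
    name: str
    radius_servers: list        # in the order the NAD tries them
    timeout_s: int = 5          # assumed IOS default: radius-server timeout
    retransmit: int = 3         # assumed IOS default: radius-server retransmit


def surviving_servers(nad, node_being_patched):
    """Servers the NAD can still reach while one ISE node is restarting."""
    return [s for s in nad.radius_servers if s != node_being_patched]


def worst_case_failover_delay(nad, node_being_patched):
    """Seconds a new auth may wait before the NAD moves past the dead server.

    Each dead server ahead of the first live one costs a full
    timeout * (retransmit + 1) before the NAD gives up on it (assumption
    about IOS behaviour); a NAD that lists the live node first waits 0 s.
    """
    delay = 0
    for server in nad.radius_servers:
        if server == node_being_patched:
            delay += nad.timeout_s * (nad.retransmit + 1)
        else:
            break
    return delay


def plan_rolling_patch(nads, order=(ISE_A, ISE_B)):
    """One entry per patch step: NADs isolated during that step and the
    longest failover delay any NAD would see. An empty isolated list for
    every step is the precondition for patching without an outage."""
    report = []
    for node in order:
        isolated = [n.name for n in nads if not surviving_servers(n, node)]
        max_delay = max(worst_case_failover_delay(n, node) for n in nads)
        report.append({"patching": node,
                       "isolated_nads": isolated,
                       "max_delay_s": max_delay})
    return report


def is_outage_free(report):
    """True when no step leaves any NAD without a reachable RADIUS server."""
    return all(not step["isolated_nads"] for step in report)


def with_server_removed(nad, server):
    """Damien's manual variant: drop the node about to be patched from the
    NAD first, so failover costs no retransmit time at all."""
    return Nad(nad.name, [s for s in nad.radius_servers if s != server],
               nad.timeout_s, nad.retransmit)


# Constructed inventory: one legacy switch still points at ISE-A only.
SAMPLE_NADS = [
    Nad("wlc1", [ISE_A, ISE_B]),
    Nad("sw-core", [ISE_B, ISE_A]),
    Nad("sw-legacy", [ISE_A]),
]

if __name__ == "__main__":
    for step in plan_rolling_patch(SAMPLE_NADS):
        print(step)
    print("outage-free:", is_outage_free(plan_rolling_patch(SAMPLE_NADS)))
```

Run against a real inventory, the useful output is the `isolated_nads` list per step: anything in it is a NAD that will drop authentications when that node reboots, and it needs its second server added (or the node pulled from its list first, as in `with_server_removed`) before the patch window rather than after.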

2 Replies


Thanks Damien, yes all devices have both ISE IPs. I'll patch from the CLI.

Thanks,

Tom