From the Primary, it says the patch has been installed on both, and I can see the version in Server details.

I didnt think it runs on the secondary?, if I do a show application status ise, it says no applications are running on the secondary.

do you think an "application start ISE" is needed then?

Secondary Node:

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4559
Database Server                        running          96 PROCESSES
Application Server                     running          17259
Profiler Database                      running          14893
ISE Indexing Engine                    running          18414
AD Connector                           running          10342
M&T Session Database                   running          13823
M&T Log Collector                      running          17572
M&T Log Processor                      running          17438
Certificate Authority Service          running          3113
EST Service                            running          9767
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID Service                      disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled

Still hanging on "Sync in Progress"

Looks like the Application server is running correctly on the secondary. Last thing I would check is certificates on both nodes to see if trust can be maintained. From all this, it looks more like a bug. You may want to open a TAC case for them to investigate this further.

Well, I fixed it.

Dont know if this was the cause or not, but I has a static DNS entry on the secondary node, as I didnt have DNS working at the time, removed this and restarted ise application,

they are now in Sync (I also rolled back Patch 3)

Thanks for looking at it with me.

I am having the same issue. After I started the syncup process.

The status of all secondary nodes remained "in progress" for a very long time. Eventually, they will turn to "Not in Sync".

For the ISE nodes that are not online, they used to show as "Disconnected" with a red cross. Now they just simply show as "Not in Sync".

I rolled back the patch, it still wouldnt Sync, For me , it was a static DNS entry on the secondary I believe, I managed to get them into Sync and upgraded to 2.2

Do you mean the ip name-server entry on your ISE node?

At the moment, all my ISE nodes have the same name server settings as following.

ip name-server DNS1 (IP address) DNS2 (IP address)

Currently, DNS1 is offline and DNS2 is online.

I had the same thing happen in my ISE 1.4 (two-node deployment). My secondary ISE node stayed in "Not in Sync". I opened a case with Cisco and this is what I had to do to cure it.

1. Make sure both ISE servers are handling policy service. Do not proceed until you are sure both ISE servers are providing policy service. If they are not both handling policy you will need to open a maintenance window with your organization.

2. From the CLI.

a. stop the ISE application. "app stop ise."

b. reload the application. "reload." My primary ISE server required 35 minutes to reload. Yours may take longer or shorter.

3. When the Primary has come back up make sure it is handling policy services. When you have verified it is then...

a. Go to Administration > Deployment.

b. Deregister the secondary ISE server. Mine took about 5 minutes to complete.

c. Then Register the secondary ISE node again. You will need the FQDN of the secondary ISE server and login credentials for it. The Register process took about 40 minutes for my deployment. You can monitor the process from the CLI of the secondary node with the command "show app status ISE".

d. Check your "External Identity Sources" after this process. I had to re-connect my secondary node to Active Directory.

Again, my deployment is ISE 1.4, but my problem was exactly what you are describing.