Solved: Re: ISE 2.1 Patch Installation In Distributed Deployment

N3t W0rK3r · ‎11-21-2017

Hello,

I am looking to update my ISE 2.1 installation from patch 2 to patch 6.

Can someone please point me to documentation that outlines the correct procedure for accomplishing this in a distributed deployment scenario? We have 2 admin/monitoring nodes and 2 policy nodes.

Can this be done without impacting service??

Thanks in advance.

John

agrissimanis · ‎11-21-2017

Hi John,

Have a look at the admin guide. The patch installation is performed centrally from the PAN. When you upload the patch, it will first be applied to the primary PAN, then secondary PAN and then the policy nodes. Each node will reboot automatically as part of the process. You can't control the order of the patch installation from the GUI. If you perform the installation from the cli, you can then control the order.

Generally you can perform patch installation without interruption to the service, if your NADs are configured to point to both policy nodes, but that depends on what services you are using in your network.

While the installation is in progress on the primary PAN, it will not be accessible, so you won't be able to administer your deployment. When primary PAN comes back online you can continue to manage your deployment, the patch installation on the remaining nodes happens in the background.

Regards,

Agris

View solution in original post

agrissimanis · ‎11-21-2017

Hi John,

Have a look at the admin guide. The patch installation is performed centrally from the PAN. When you upload the patch, it will first be applied to the primary PAN, then secondary PAN and then the policy nodes. Each node will reboot automatically as part of the process. You can't control the order of the patch installation from the GUI. If you perform the installation from the cli, you can then control the order.

Generally you can perform patch installation without interruption to the service, if your NADs are configured to point to both policy nodes, but that depends on what services you are using in your network.

While the installation is in progress on the primary PAN, it will not be accessible, so you won't be able to administer your deployment. When primary PAN comes back online you can continue to manage your deployment, the patch installation on the remaining nodes happens in the background.

Regards,

Agris

N3t W0rK3r · ‎11-21-2017

Thank you so much Agris.

I was looking at the release notes for instructions but couldn't locate any. I guess I would have eventually looked at the admin guide. :) Thanks for steering me in the right direction and saving me some time and frustration!

Cheers,

John

agrissimanis · ‎11-21-2017

No worries, I found that patch 5 resolved a lot of issues with disk space, high CPU and memory usage, etc. Highly recommended :)

pielunswe · ‎12-12-2017

Hi!

If you are patching from CLI the patch won't be applied on any other nod than the one you are logged in to. But my question is: when the pathed nod comes up after ISE application restart, there is a mismatch on versions in the deployment. Is this an issue for the the PAN node (eg can it hold the deployment together?)

You just apply the patches on the other nodes after that, and deployment is fine after that?

The version I'm working with is 2.3..... I remember this was some kind of issue in 1.2... but is it still in 2.3?

ajc · ‎12-13-2017

If you apply the patch update from GUI. It is applied sequentially in all the deployment. The deployment is not broken even though at some point you will have Primary PAN/MNT running a different patch to the PSN's. We have done this twice on ISE 2.2 (when patch 2 and 4 was installed on different dates).

However, a brief outage is expected because the corresponding PSN would restart the application services and if you are NOT using a Load Balancing solution, then an outage would happen for all the SSID's in the WLC pointing to that specific PSN/AAA device being updated.