
Rising star

ISE 2.4 P7: Can someone explain why this one enhancement required an urgent patch?

Hi everyone,


Recently patch 7 was released. Here is the only thing updated according to RN:


"This is an enhancement to implement master node APIs for multi-DNAC support in Cisco ISE."


So as of Patch 7 ISE supports multiple DNA-Cs. The bug search tool doesn't show any mention for Patch 7 [ 2.4(0.907) ] at all.


Any reason why this was urgent?

Damien Miller
VIP Advisor

Thanks for the notice, I can't keep up with the patch frequency, nor can customer deployments. Crazy how large the patch file sizes are getting, 2 GB!

I find it suspicious that new functionality (but much needed) would be introduced in 2.4 with a patch. I thought this went against the new features in major releases, bug fixes in patches.

It honestly feels like Windows Update by this point :)

Patch 6 caused the size to go sky high (288 fixes introduced in patch 6).  I guess future ISE 2.4 patches will now always be at least 2GB.  Maybe ISE 2.6 patch is around the corner ... worth a look.


I am still getting these weird issues even in ISE 2.4 patch 6 - I don't have the time to raise a marathon of TAC cases like I used to. All these random GUI red dialog boxes with obscure error messages that mean nothing. Happens randomly. When adding Authorization Rules the save function sometimes only works on the second attempt. Reordering Rules and then clicking save doesn't always preserve the Rule in the spot where you placed it. It's just absurdly badly written code. Web design is not a new thing. In contrast, I was using a Meraki dashboard today and you can see what web design is meant to look like - it's responsive and most of all - ROBUST! I feel safe in this GUI, no matter how long you stay in there and click around - and with Meraki there is a LOT of clicking around :-)


But ISE is not alone in the camp of disappointingly unreliable browser experience.  Cisco WLC GUI and Prime are just as badly written - must come from the same steaming pile of Java.  I expect failure every time I spend more than 30 minutes in these things.  Sorry, I went off topic ... :-(

There there, within a few years/decades SDA will automate everything so that you'll never have to touch another GUI ever again :)


But back to this disappointing reality. Have all those bugs you mentioned only appeared as of P6? Were they not around in earlier patches of 2.4?


BTW, if Cisco planned to release an urgent patch after P6, I would have expected it to include a fix for this:


I'm curious where you heard that 288 fixes were included in P6. Using the bug search, combining all 6 patches (1..6) has shown that there have been 331 fixes between all of them. P6 alone has 199 fixes. It's a big number, but not 288.

@Nadav  - you're right - I was exaggerating about the bug fixes - by my count it's 193 in the release notes (193 CSC entries for patch 6).  It's a big number for sure.


The GUI issues have been around since 2.3 and seem to permeate all versions since then. 

Oh, well the fact their web applications are buggy is nothing new.

Compared to ACS (where using an unsupported browser and saving policy changes can lead to a fresh installation) or Prime Collaboration Assurance (where entire submenus are inaccessible), ISE 2.4 has been a refreshing change. And those are considered massive improvements compared to the previous generation of products.

Cisco really needs to get behind a single web engine and maintain it properly for their entire portfolio. Use the old write-once-use-many approach. They have a vast workforce which could possibly make fantastic frontends.

I'm trying to get a few customer deployments to patch 6 and you aren't inspiring confidence. I was hoping it was the "be all end all fix everything we have broken in patch 5" patch.

Patch 6 fixed several key issues for sure. CoA on reprofile was one of the key lingering issues that has been broken since 2.3. They also fixed the FQDN lookup in the AD profile that was broken in patch 2 I think of 2.4. Netflow is no longer getting stuck trying to scan unresponsive hosts and causing 1-2 delays for NMAP scans. Overall patch 6 has been a good one for most of my customers.

Damien Miller
VIP Advisor

I can say after a meeting today that I'm glad this feature came, as odd as an enhancement in a patch is.  I have 14 DNAC clusters at a client that need to integrate with a single ISE instance. 
