Solved: ISE 2.4 patch 5, 3 or 0 - What's best?

james.brunner · ‎02-05-2019

Hi all,

We've recently upgraded our ISE 2.3 global installation to 2.4 patch 0 and then patched up to patch 5 to fix a number of bugs that we ran into. However, this proved to be more trouble in that our PSNs randomly increased their processor usage until they ran flat out, memory usage crept up to maximum and authentication latency went through the roof. They finally restarted their processes without any interaction and the cycle began again. We have 8 PSNs globally and this affected 6 of them, not at the same time.

We rolled back to patch 0 and all returned to normal (no chance to get TAC on the case as users were starting to notice). We're quite happy with 2.4 patch 0 but have the CSCvk10674 issue so either we run the gauntlet of trying patch 5 again or going as far as patch 3 (for some reason patch 4 is no longer on the Cisco download for 2.4) and living with the bug. We run ISE for 802.1x NAC, MAB profiling and VPN Posture compliance.

What patch levels are the install base using for 2.4 at the moment and would you recommend patch 3 or 5?

Thanks in advance.

James.

Damien Miller · ‎02-05-2019

My experience with 2.4 p5 on a handful of deployments has been good, certainly no run away CPU. Patch 5 is the suggested patch when running 2.4 due to the known open issues in earlier patches. Doing a quick bug scrub I don't see an issue open on 2.4 that matches the scenario you describe. Since you rolled back, I'm assuming you did not open a TAC case to troubleshoot? They are likely the only course forward in this instance, we won't be able to troubleshoot an issue such as that via forum posts. Probably not what you want to hear.

Patch 4 was eventually deferred due to the severity of and AD issue documented in CSCvm93698. It worked fine for some, but depending on the AD structure it could be a show stopper.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm93698

View solution in original post

Arne Bier · ‎02-05-2019

I have also had no runaway CPU issues with patch 5.

Now, imagine how insightful it would be to have access to the Linux CLI when this happens? You could run a ps command or top command to see what is killing your CPU.

Having said that, the top command is available via ISE CLI ...

tech top

But then you might see some Java processes hogging the CPU. At that point you need the TAC anyway.

View solution in original post

Damien Miller · ‎02-05-2019

My experience with 2.4 p5 on a handful of deployments has been good, certainly no run away CPU. Patch 5 is the suggested patch when running 2.4 due to the known open issues in earlier patches. Doing a quick bug scrub I don't see an issue open on 2.4 that matches the scenario you describe. Since you rolled back, I'm assuming you did not open a TAC case to troubleshoot? They are likely the only course forward in this instance, we won't be able to troubleshoot an issue such as that via forum posts. Probably not what you want to hear.

Patch 4 was eventually deferred due to the severity of and AD issue documented in CSCvm93698. It worked fine for some, but depending on the AD structure it could be a show stopper.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm93698

james.brunner · ‎02-05-2019

Thanks Damien.

We will give p5 another whirl after fresh reboots of all the nodes. It maybe that the PSNs that had issues were our original 2.1 nodes that went to 2.2 then 2.3 and now 2.4 - might have picked up some trashed tables or indexes along the way that cause the run away. (I would have expected the 2.4 upgrade to have fix/found any issues when it did the schema migrations but things always slip through the net).

Thanks again.

JB.

Arne Bier · ‎02-05-2019

I have also had no runaway CPU issues with patch 5.

Now, imagine how insightful it would be to have access to the Linux CLI when this happens? You could run a ps command or top command to see what is killing your CPU.

Having said that, the top command is available via ISE CLI ...

tech top

But then you might see some Java processes hogging the CPU. At that point you need the TAC anyway.

Damien Miller · ‎02-05-2019

Don't be ridiculous, we can't be trusted with root access.