Solved: Re: ISE 2.4 patch upgrade sequence through CLI

Nikhil Jadhav · ‎11-14-2019

Hello all,

We have a scenario where we have to upgrade from ISE 2.4 Patch 6 to Patch 9 in a distributed deployment

We have

one Primary admin node,

one secondary admin,

one primary monitoring node, one secondary monitoring node,

and 8 PSN's.

What would be the recommended sequence if we try to upgrade all the patch through CLI?

Thanks,

Nikhil

Damien Miller · ‎11-14-2019

I for one am all for patching through the CLI vs the GUI. You have full control over the process, get to pick the order of the nodes, and can pause at any time for something like testing, and you can do multiple nodes in parallel. You're not at the mercy of an automated script running through a list until completion.

Apply the patch to the primary PAN first, then continue with the nodes in the order you like after that. I do not suggest delaying patching the entire deployment for a long time. Ex. Don't start patching, then leave the deployment on a mix of patch 6 and patch 10 over the weekend, I had a customer who had a runaway CPU problem on the unpatched nodes that may have been caused by this. So plan to start, test, and finish in the same day, or roll back if you run in to any issue.

I agree with Anurag, you should be looking at patch 10 and not patch 9. Patch 10 has been out for a couple months, so there is no risk of it being pulled/deferred at this point. Patch 10 includes all bug fixes found in patch 7, 8 and 9.

You can use two commands, one to install, and one to remove if need be.
patch install <patch name> <repository name storing patch file>
patch remove ise 10 (this will remove patch 10 if you have to roll back)

View solution in original post

Anurag Sharma · ‎11-14-2019

Nikhil,
Yes, update the PAN and PSN. Test the auth and then apply to the rest of the nodes.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

View solution in original post

Anurag Sharma · ‎11-14-2019

Hi @Nikhil Jadhav ,

Firstly, why patch 9? Why not patch 10? It would be even better and more stable.

There is no such "path" you have to take for patching ISE. I am curious to know why you aren't doing the patch from the GUI.

You can start from the PAN, SAN, MnT nodes and PSNs. However, if you wish to do testing at certain points, you should update PAN, 1-2 PSNs, then test the authentication and Admin node things like backup, configuration, etc. Once you feel confident, you can apply the patch to the rest of the nodes.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Nikhil Jadhav · ‎11-14-2019

Hello Anurag,

Thank you for responding.

I appreciate your advice but this environment is also going to be used for SDA and ISE 2.4 Patch 10 is not yet validated by SDA BU that's why we are going with patch 9. Since I need to test authentication in between so I am thinking to proceed with the CLI approach. So just to confirm I will be upgrading Primary PAN first and then one of the PSN, test the authentication and if received expected result then upgrade the rest ISE nodes.

Waiting for your confirmation.

Nikhil

Anurag Sharma · ‎11-14-2019

Nikhil,
Yes, update the PAN and PSN. Test the auth and then apply to the rest of the nodes.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Damien Miller · ‎11-14-2019

I for one am all for patching through the CLI vs the GUI. You have full control over the process, get to pick the order of the nodes, and can pause at any time for something like testing, and you can do multiple nodes in parallel. You're not at the mercy of an automated script running through a list until completion.

Apply the patch to the primary PAN first, then continue with the nodes in the order you like after that. I do not suggest delaying patching the entire deployment for a long time. Ex. Don't start patching, then leave the deployment on a mix of patch 6 and patch 10 over the weekend, I had a customer who had a runaway CPU problem on the unpatched nodes that may have been caused by this. So plan to start, test, and finish in the same day, or roll back if you run in to any issue.

I agree with Anurag, you should be looking at patch 10 and not patch 9. Patch 10 has been out for a couple months, so there is no risk of it being pulled/deferred at this point. Patch 10 includes all bug fixes found in patch 7, 8 and 9.

You can use two commands, one to install, and one to remove if need be.
patch install <patch name> <repository name storing patch file>
patch remove ise 10 (this will remove patch 10 if you have to roll back)

KirtiArora05862 · ‎07-13-2023

Hi All,

I have a similar deployment of 16 nodes( 2 Admin, 2 MNT and 12 PSNs). I am doing patch upgrade of ISE3.1p5 to p6 via CLI so that we can control the order. Just have a query if we need to de-register the node from deployment before proceeding with patch install.

If we dont de-register and directly perform patch install, will the node with patch6 be able to join back the remaining deployment still running on patch 5?

Charlie Moreton · ‎07-13-2023

Resurrecting a 2-year old + thread that has an accepted solution limits the number of people that will take a look at it. The best thing to do is to start a new thread.

No, you don't need to De-Register nodes to install a patch.