ISE 2.4 patch upgrade sequence through CLI

Nikhil Jadhav
Level 1

Hello all,


We have a scenario where we have to upgrade from ISE 2.4 Patch 6 to Patch 9 in a distributed deployment

We have:

one primary admin node,
one secondary admin node,
one primary monitoring node, one secondary monitoring node,
and 8 PSNs.


What would be the recommended sequence if we apply the patch on all nodes through the CLI?

Thanks,

Nikhil

2 Accepted Solutions (Damien Miller's reply and Anurag Sharma's confirmation, both below)

6 Replies

Anurag Sharma
Cisco Employee

Hi @Nikhil Jadhav,

Firstly, why patch 9? Why not patch 10? It would be even better and more stable.

There is no such "path" you have to take for patching ISE. I am curious to know why you aren't doing the patch from the GUI.

You can start from the PAN, SAN, MnT nodes and PSNs. However, if you wish to do testing at certain points, you should update PAN, 1-2 PSNs, then test the authentication and Admin node things like backup, configuration, etc. Once you feel confident, you can apply the patch to the rest of the nodes.


Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Hello Anurag,


Thank you for responding.

I appreciate your advice, but this environment is also going to be used for SDA, and ISE 2.4 Patch 10 is not yet validated by the SDA BU; that's why we are going with Patch 9. Since I need to test authentication in between, I am thinking of proceeding with the CLI approach. So just to confirm: I will be upgrading the primary PAN first and then one of the PSNs, test the authentication, and if I receive the expected result, upgrade the rest of the ISE nodes.


Waiting for your confirmation.


Nikhil

Nikhil,
Yes, update the PAN and PSN. Test the auth and then apply to the rest of the nodes.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Damien Miller
VIP Alumni
I for one am all for patching through the CLI vs the GUI. You have full control over the process, get to pick the order of the nodes, and can pause at any time for something like testing, and you can do multiple nodes in parallel. You're not at the mercy of an automated script running through a list until completion.

Apply the patch to the primary PAN first, then continue with the nodes in the order you like after that. I do not suggest delaying patching the entire deployment for a long time. Ex. Don't start patching, then leave the deployment on a mix of patch 6 and patch 10 over the weekend; I had a customer who had a runaway CPU problem on the unpatched nodes that may have been caused by this. So plan to start, test, and finish in the same day, or roll back if you run into any issue.

I agree with Anurag, you should be looking at patch 10 and not patch 9. Patch 10 has been out for a couple months, so there is no risk of it being pulled/deferred at this point. Patch 10 includes all bug fixes found in patch 7, 8 and 9.

You can use two commands, one to install, and one to remove if need be.
patch install <patch name> <repository name storing patch file>
patch remove ise 10 (this will remove patch 10 if you have to roll back)
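The sequencing advice from Anurag and Damien above (primary PAN first, one or two PSNs as a canary for an authentication test, then the remaining nodes, finished the same day and rolled back with `patch remove` if needed) as an added example, not code from the thread or from Cisco. The hostnames, node roles, bundle and repository names, and the `show version` excerpts are constructed for illustration; the parser assumes the layout where the installed patch level appears under a "Cisco Identity Services Engine Patch" heading. The only ISE CLI commands it emits are the two from Damien's post: `patch install <bundle> <repository>` and `patch remove ise <n>`.

```python
"""Plan and check a CLI patch rollout for a distributed ISE deployment.

Added example, not code from the thread or from Cisco. Hostnames, roles,
bundle/repository names and the 'show version' excerpts are constructed.
"""
import hashlib
import re

# Constructed stand-in for a staged patch bundle and for the SHA-256 published
# with it (here computed from the stand-in bytes, not a real Cisco checksum).
DEMO_BUNDLE = b"not a real ISE patch bundle"
DEMO_SHA256 = hashlib.sha256(DEMO_BUNDLE).hexdigest()
BUNDLE_NAME = "ise-2.4-patch9-bundle.tar.gz"   # hypothetical file name
REPO_NAME = "ftp-patches"                      # hypothetical ISE repository name

# Hypothetical deployment matching the thread: 2 PAN, 2 MnT, 8 PSN.
ROLES = {"ise-pan1": "primary-pan", "ise-pan2": "secondary-pan",
         "ise-mnt1": "primary-mnt", "ise-mnt2": "secondary-mnt"}
ROLES.update({f"ise-psn{i}": "psn" for i in range(1, 9)})

# Assumed 'show version' layout: a heading line, a dashed rule, then 'Version : x'.
BASE_RE = re.compile(r"Cisco Identity Services Engine\s*\n-+\n\s*Version\s*:\s*([\d.]+)")
PATCH_RE = re.compile(r"Cisco Identity Services Engine Patch\s*\n-+\n\s*Version\s*:\s*(\d+)")


def fake_show_version(ise_version, patch=None):
    """Constructed 'show version' excerpt; a node with no patch section is unpatched."""
    text = ("Cisco Identity Services Engine\n" + "-" * 45 + "\n"
            f"Version      : {ise_version}\n\n")
    if patch is not None:
        text += ("Cisco Identity Services Engine Patch\n" + "-" * 45 + "\n"
                 f"Version      : {patch}\n")
    return text


def parse_patch_level(show_version):
    """Return (base version, patch number) from 'show version' text; patch 0 if none."""
    base = BASE_RE.search(show_version)
    patch = PATCH_RE.search(show_version)
    return (base.group(1) if base else None, int(patch.group(1)) if patch else 0)


def bundle_ok(data, expected_sha256):
    """Check the staged bundle against the published checksum before any
    'patch install' points a node at the repository."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def install_cmd(bundle=BUNDLE_NAME, repo=REPO_NAME):
    """ISE CLI command to install a patch from a configured repository."""
    return f"patch install {bundle} {repo}"


def remove_cmd(patch_number, app="ise"):
    """ISE CLI command to roll a patch back on a node."""
    return f"patch remove {app} {patch_number}"


def rollout_plan(roles, canary_psns=1):
    """Two phases: primary PAN plus canary PSN(s), then an auth test, then every
    other node. Order inside a phase is the operator's choice; sorted here so
    the plan is deterministic."""
    pan = [h for h, r in roles.items() if r == "primary-pan"]
    psns = sorted(h for h, r in roles.items() if r == "psn")
    others = sorted(h for h, r in roles.items() if r not in ("primary-pan", "psn"))
    return [("patch, then test authentication", pan + psns[:canary_psns]),
            ("finish the same day", others + psns[canary_psns:])]


def patch_levels(show_outputs):
    """Map hostname -> installed patch number from collected 'show version' text."""
    return {host: parse_patch_level(out)[1] for host, out in show_outputs.items()}


def nodes_below(levels, target):
    """Nodes still to be patched; non-empty means the deployment is at mixed levels
    and the rollout (or a rollback) is not finished."""
    return sorted(h for h, lvl in levels.items() if lvl < target)


if __name__ == "__main__":
    assert bundle_ok(DEMO_BUNDLE, DEMO_SHA256)
    for phase, hosts in rollout_plan(ROLES):
        print(phase, hosts)
    # Mid-rollout snapshot: PAN and canary PSN on patch 9, the rest still on 6.
    snap = {h: fake_show_version("2.4.0.357", 9 if h in ("ise-pan1", "ise-psn1") else 6)
            for h in ROLES}
    print("still on an older patch:", nodes_below(patch_levels(snap), 9))
    print(install_cmd(), "/", remove_cmd(9))
```

In practice `show version` is collected over SSH from each node after every phase; `nodes_below` must come back empty before the change window closes, otherwise either finish the remaining nodes or run `patch remove ise <n>` on the ones already patched so nothing is left at mixed levels.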

Hi All,

I have a similar deployment of 16 nodes (2 Admin, 2 MnT and 12 PSNs). I am doing a patch upgrade of ISE 3.1 p5 to p6 via CLI so that we can control the order. I just have a query: do we need to de-register the node from the deployment before proceeding with the patch install?

If we don't de-register and directly perform the patch install, will the node with patch 6 be able to join back the remaining deployment still running on patch 5?

Resurrecting a 2-year-old (or older) thread that has an accepted solution limits the number of people who will take a look at it. The best thing to do is to start a new thread.

No, you don't need to de-register nodes to install a patch.