12-12-2020 12:31 AM - edited 12-12-2020 01:10 AM
Hi Experts,
We're running ISE 2.6 (VM) with patches 3 and 7 installed and would like to upgrade it to patch 8 via CLI, as recommended by the TAC, to fix the SWAP memory issue.
We have a medium distributed deployment of 6 nodes as follows: Primary Admin/Secondary Monitoring, Secondary Admin/Primary Monitoring, followed by the 4 PSNs (2 for wired/Wi-Fi and 2 for VPN).
1. Can you please assist with the ISE node order to be followed in installing the patch to minimize the outage?
2. I've gone through the Internet resources, which say the upgrade won't work if expired certs are in place. Is that applicable to patch installation also?
3. If at some point we'd like to stop the patch install for any specific node, do we need to roll back the other ISE nodes, or can ISE nodes interoperate with each other on different patches?
Please assist.
Cheers,
12-12-2020 06:32 AM
Just to keep clarity, your deployment model is referred to as a hybrid deployment since the PAN/MNTs share the same servers. On questions 1 and 3, because you would like to stop mid-patching, you must do this from the CLI and not use the GUI maintenance patch install option. The GUI provides no option to control the patching process once it has been started.
In order to install the patch from the CLI, you will issue the command "patch install <patch 8 file name> <repo name>". You have to do this for each node, and when you want to start the patch process. If you need to roll the patch back you can use "patch remove ise 8" to uninstall the newly installed patch.
You will install the patch on the primary admin node first, wait for it to finish. After that you can follow any order you wish but I would typically upgrade a PSN next, pause to test, then continue on. The order you perform patching in after the primary admin node is really up to you.
In regards to question 2, expired certs will certainly cause the upgrade to fail, but you are not upgrading, you are just patching. Patching will succeed with expired certs but it would still be wise to correct them either way.
12-14-2020 06:09 AM
Thanks Damien for the reply.
If for some reason we need to stop the patching, is it possible to run ISE nodes with different patch versions?
And what would be the impact of running it?
12-14-2020 06:50 AM
You can, but I would not recommend leaving them on different patch levels past the initial day you began patching. I would make the decision to either proceed with patching the remaining nodes, or roll back and uninstall the patch. Running mixed patches has the risk of running into new bugs of unknown severity; it's largely untested since patching is expected to be somewhat continuous and most either finish or roll back.