ISE 2.6 Install and patching

Ketchup57 · ‎10-06-2021

I've gone through the documentation in depth and everything just points to "contact TAC" when it comes down to issues which I get but I like to expand all options before doing that just to help me get a better understanding of ISE as whole.

We have a a full on production and lab configuration matching most of production but we have version 2.6 patch 8,9 installed but when we did patch 10 it "hung up" in a sense and shows installed and I finally got the GUI to load again but now we can't run any backups without it failing no matter what I do (tried everything from the application configure menu to uninstalling the patch) I'm really just curious is anyone has any experience with troubleshooting and digging into finding solutions instead of just doing a full reinstall of the VM.

I know the updates say they are cumulative which should mean just install the latest patch since its a build of the rest of them. But the Install and Upgrade documents are confusing.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/release_notes/b_ise_26_RN.html#ConfigurationInformation24

The document just has the latest information about all versions but this sections states the following.

Patch Compatibility

This patch is compatible with the following patch releases:

2.2 Patch 15
2.3 Patch 7
2.4 Patch 10
2.6 Patch 2

I can only assume it means the latest patch (version 10) is compatible with ISE 2.6 Patch 2 meaning you have to have patch 2 installed....

The only thing that kind of aligns through out the rest is this portion

Upgrading Cisco ISE Consideration

If you upgrade to Cisco ISE 2.6 patch 7, you will see an error message if you were using the RE_AUTHENTICATE in an ANC policy. The existing policies will still work.

Applying Cisco ISE 2.6 patch 2 eliminates the error message. Or you can remove those policies before upgrading.

Can we please make the documentation more direct when it comes to exactly what you need to do? Like a brand new install you need to download and install all patches, or install these patches in order for this to not break anything.

Thanks

Marcelo Morais · ‎10-06-2021

Hi @Ketchup57 ,

although ISE 2.6 Release Notes has the following info:

Patch Compatibility
This patch is compatible with the following patch releases:
2.2 Patch 15
2.3 Patch 7
2.4 Patch 10
2.6 Patch 2

please check ISE 2.7 Release Notes:

Cisco ISE, Release 2.7, has parity with the Cisco ISE patch release:
2.2 Patch 15
2.3 Patch 7
2.4 Patch 10
2.6 Patch 2

Hope this helps !!!

ComputerRick · ‎10-07-2021

First, Marcelo's pasting and quoting of the release notes where it states "parity" is great. These patches are "compatible" in the sense that they include fixes for the same issues. Do not let that confuse it, it's typically not important.

But, all patches for ISE are complete and are not dependent on any previous patches. So you can install 2.7 and apply patch 4, the same as with 2.4 and patch 10.

Patches can also be applied or removed from the CLI, which tends to run faster and allows for better visibility for the admin. Using the GUI, the admin node needs to push out and monitor, and it takes about 2-3 times as long, but requires little monitoring from a person. The CLI method is a little more admin intensive, requires the admin to execute on each node when the previous has completed, and has a higher success rate, imo.

The command from the CLI is "patch install". See this link for more details about patches and patching, it's specific and much more clear: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/upgrade_guide/Upgrade_Journey/HTML/b_upgrade_install_patch_2_7.html.

HTH, please mark solutions.