
ISE 2.6 Patch 4 Deferred/Removed

obrien-r

For anyone like me who was awaiting some of the fixes in Patch 4 and jumped on and downloaded it, please be aware it has been deferred and removed from CCO due to a bug/problem it introduces. The bug is CSCvt18276.

According to my CCO notification, the expected replacement - Patch 5 - is due approx 12 Mar.

 

Anyway, hope that information helps someone...


Hi Arne,
ISE 2.6, patch 5.

Folks,

This is not an issue with patch 6. The problem here is that endpoints grew to a very large size because of CSCvt18276 which only impacts patch 4. Since these large endpoints still exist in the database after upgrading to patch 6 and we fixed CSCvt18276 in patch 6, we can now read those very large endpoints into cache. This causes the high resource utilization being seen. The workaround for CSCvt18276 needs to be done once in this case. Restoring from a backup taken prior to applying patch 4, or deleting the endpoint database and allowing re-profiling to occur.

 

Again, this is not a new issue in patch 6, it is left over specifically for deployments that had installed patch 4, and did not roll back to patch 3 and remediate the issue.

The email advice that went out after patch 4 was pulled was poor.

 

"--- If you have downloaded patch 4 for ISE 2.6, installed it and not facing the issue:

Please install the hotfix immediately to fix the issue caused by bug CSCvt18276."

 

There were no instructions to know if an endpoint was corrupted, nor any way to identify if there had been any impact.

So with the advice that the hotfix would "fix" the issue, we assumed it was resolved and would not cause a sev1 when we installed the next patch. The only two options that were actually available to us at the end of the day were to restore from backup (which was not feasible, primarily due to the elapsed time that had occurred since patch 4 was installed and the number of changes that had occurred since) or wipe the endpoint database, which due to its size (360,000+ endpoints) could not be done from the GUI.

A little concerning when the solution was to dump all the endpoints and/or restore a backup. I'm left wondering how many deployments are out there that didn't realize this was/is a problem and still have patch 4+5 installed, or rolled 4 back and installed patch 5 later on, and are now going to install patch 6. Having 89 reported cases on that p4 bug, how many went unreported/unnoticed?

Any way to identify that a deployment could be impacted?

First of all, CSCvt18276 affects only those deployments with more than one PSN and more than one PSN enabled for profiling. Secondly, only if ISE 2.6 Patch 4 was ever installed, which can be identified from the ISE admin CLI:

show version history

 

I don’t have p4 on my 2.6 deployment. Based on what we know, is it safe to say I can go ahead and install the p6? Just want to be clear. Thanks.

Yes it is

Thanks!


@Ping Zhou wrote:

is it safe to say I can go ahead and install the p6?


Ping, 

Give us two more weeks to make sure nothing funny happens.  After all, someone's got to do the regression testing, right?

@Leo Laohoo  Hi Laohoo, Thanks a lot!

It is not yet "2 weeks" but so far so good. This is what we've done:

1.  Remove patch 6.

2.  Delete end points.

3.  Re-apply patch 6.

4.  And prayed really, really hard.  

Another "quality work" by Cisco.  

Thanks for the info.

 

We are currently on 2.6 patch 2 and want to go to patch 6, but from reading it looks like we should be OK to go ahead with this.

 

I may give it a few more weeks to keep an eye on any more issues that may or may not arise with this patch.

As long as you didn't install Patch 4, you are good to go straight to Patch 6.