ISE 3.1 PAN on higher patch level than the deployment

franjean74
Level 1

We have a deployment with 7 nodes, 2xAdmin, 2xMnT and 3xPSN, and did a CLI patch install from 3.1 patch 3 to patch 5.
We were able to successfully install patch 5 on the PAN first and then the 1 MnT, but ran into multiple problems when we tried to do it on the 1 backup PSN. So we were not able to complete the patch install on the rest of the nodes due to the maintenance window that ended.

The deployment is now split between these nodes on patch 5:
PAN
MnT
1 Backup PSN

These are still on patch 3:
SAN
SMnT
1 Primary PSN for southern region
1 Primary PSN for the northern region

1. What are the possible consequences of the fact that the PAN is now on a different patch level to the 4 other nodes?

2. The guest sponsor portal FQDN DNS was statically configured to use the Primary PSN that is still on patch 3 and was left in operation throughout, while the PAN is now on patch 5. We saw that the sponsor portal stopped working, and when we updated the DNS to point to the Backup PSN that is on the same patch level as the PAN, the service was restored.


Is this the expected behaviour where if the designated sponsor portal PSN is on a different patch level to the PAN that the portal stops working?


Has anyone else seen similar behaviour or is able to explain the reason for this?

Any input or guidance would be greatly appreciated.


We will do the patch 5 install on the rest of the nodes as soon as possible, but would like to get a proper understanding of the operation of the portals.

Regards

2 Replies

Unknown, it could be your issue since sponsor portals and registration require the PSN to be able to communicate to a PAN for db/config changes. That communication may be broken given the different patch levels. There should be as little time as possible between the patch installs on the ISE nodes, so I would suggest another maintenance window asap to bring all nodes to the same patch level.

Rodrigo Diaz
Cisco Employee

Hello @franjean74, as has been suggested here, please finish up the patch installation on all the remaining nodes in your environment. Next, verify whether the conditions in your environment match this bug affecting the sponsor portal in ISE 3.1 versions: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa62202. If they do, kindly apply the workaround described in the bug.

Let me know if that helped.