
ISE 3.4 Patch 3

Hi everyone! 

Good day and greetings!

Has anyone here upgraded their ISE devices to 3.4 Patch 3? Did you guys encounter any issues and bugs?

Regards


Torbjørn
VIP

The upgrade went smoothly for my lab deployment and I have not encountered any new bugs. If your production deployment already is on 3.4 I would probably upgrade, otherwise I would wait for it to become recommended.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

I'm in the same situation as @Torbjørn - I patch my lab to see the outcome but I have not been testing a lot lately. Seems ok, apart from the lack of ansible support in ISE 3.4 - but that's an issue for people who use ansible to manage their ISE environments - I hope I am wrong, but it seems Cisco BU has abandoned the ansible ise collection, and it will be dropped from the next ansible release (v12). Really unfortunate, because I was just starting to make some inroads with this stuff.

It does seem that you're right. There haven't been any updates to the git repo since January and I found the following PR under ansible community: https://github.com/ansible-community/ansible-build-data/pull/560. That's a real problem...

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

PSM
Level 1

Hello Everyone, Ansible collection support is not a big issue. You can still use REST APIs of ISE in Ansible. This is the way we have been using it and it is not dependent on anyone to maintain ISE collection in Ansible. Rest someone from Cisco Devnet can comment if there is any plan to resume maintenance on collection.

@PSM - the value of a tool such as ansible lies in the creation and usage of modules - popularised in the Linux world and then found its way into other parts of IT. Cisco started out with the ise collection and the 445 modules they provide make life easier for someone wanting to automate their ISE deployment - that's the whole point of this, isn't it? Anyone can run a curl, postman, python REST API call to ISE - I don't feel like using ansible to craft my own API calls to ISE.

I wasn't trying to say that we should not upgrade to ISE 3.4 because of this ansible saga - I just wished someone from the BU would respond and tell us what's going on.

PSM
Level 1

@Arne Bier agree with you "the value of a tool such as ansible, lies in creation and usage of modules". Most of the automation for which we use ansible is against NAD devices and then related tasks against ISE. For us it has been working quite ok. But of course modules are nicer and efficient.

M.G.
Level 1

Hi everyone!

Having an issue with upgrading from 3.4 patch 2 to 3.4 patch 3.

Problem summary:

  • Two-node deployment
  • Upgrade via GUI – Upgrade & Rollback method.
  • Secondary node was not deregistered before upgrade.
  • Prerequisite checks passed, but upgrade failed.
  • CLI shows Patch 2 on both nodes, but GUI says “Patch Install/Rollback in progress on nodes with new patch framework…”
  • No clear upgrade report available.

Any suggestion?

Applying a patch is not the same as upgrading. You're talking about applying patch 3 on your patch 2 deployment. There will be no node de-registrations. 

I upgraded 3.3p7 to 3.4p3 recently and the upgrade was smooth - but after promoting the SPAN to PPAN, and both PANs were online again, all my nodes were shown as out of sync. I had to manually sync all of them - that's not what I had expected should happen after a promotion. And there is also a CRL download failure since the upgrade, and some object sync failures from time to time - the platform is working well - but I have a TAC case open to investigate the CRL and sync Alarms.

Hi @Arne Bier ,

 about "CRL Download Failure" ... this interests me ...  :  )

you are talking about the "Alarm: CRL Retrieval Failed" with the description "Could not download Certificate Revocation List for certificate with ... " ?

 If the answer is Yes:

  • at Administration > System > Settings > Proxy ... are you bypassing the Proxy for the CRL Download ?
  • at Operations > Reports > Reports > Audit > Operations Audit > Object Type = CRL ... what is the Event description ?

 

Best regards!

Hi @Marcelo Morais 

Thanks for the comment - Yes I have been bypassing the CA's FQDN in the ISE Proxy Settings for a long time. The CA's FQDN is still in the ISE Proxy config.

The Event Description is "Failed performing HTTP GET with error: (28) Timeout was reached"

I tried to capture one of these in a tcpdump and I saw no traffic on port 80. 

I think you're onto something - a bug that is causing the CRL download to go via the proxy (hence, why I can't see it in the tcpdump).  I will toggle this and see if I can re-program the settings.

Hi @Arne Bier ,

 yes, I'm having "a hard time" understanding what's causing some CRL Download issues.

Note: I have the same issue when capturing a tcpdump.

Hi,

 I'd like to give "my 2 cents" to the original question: "Did you guys encounter any issues and bugs?"

 The upgrade from ISE 3.3 P7 to ISE 3.4 P3 was smooth, but ISE 3.4 P3 failed to "understand" SNS 38xx, and not only in CLI but also in GUI it shows as SNS 37xx.

 A TAC has been opened and ISE 3.4 P4 will probably solve this issue.

 

Hope this helps !