ISE Deployment patching

N3om
Level 1

Hi

Six node distributed ISE Deployment

What's the recommended order to patch from CLI, please?

1. PRI-PAN, which is also SEC MNT

2. SEC-PAN, which is also PRI MNT

3. PSNs

Accepted Solutions

Arne Bier
VIP

Always Primary PAN first. Then the next PAN, PSNs last. I can't remember seeing a documented technical reason why this order is good/necessary. I think it's possibly just common sense because the primary database is on the Primary Admin node and since it's in charge of writing to the database, it gets patched first. The operational benefit of doing PAN first is that you "take the hit" of taking down the admin GUI first, and then you can monitor the rest of the patching process from the GUI.


@Arne Bier wrote:

Always Primary PAN first. Then the next PAN, PSNs last. I can't remember seeing a documented technical reason why this order is good/necessary. I think it's possibly just common sense because the primary database is on the Primary Admin node and since it's in charge of writing to the database, it gets patched first. The operational benefit of doing PAN first is that you "take the hit" of taking down the admin GUI first, and then you can monitor the rest of the patching process from the GUI.


Hi @Arne Bier: The poster asked about patching via the CLI. I just did one recently, and according to Cisco TAC, it should be in this order:

1- PAN

2- PSNs

3- SAN

 

At least we agree on PPAN first. I think the order I described is the same as what ISE developers chose when you patch via the GUI. I think that TAC has a more efficient method because you can test the patch on PSN a bit sooner. But apart from that it’s horses for courses.