ISE patch installation in Distributed Deployment

riferdiy
Level 1

Dear Team,

I kindly need info regarding patch installation for Cisco ISE in a distributed deployment. I have 2 Administration & Monitoring nodes (as primary & backup) and 10 PSN nodes. Based on the documentation, we install on the primary first and then on the secondary Admin node.

- When I install on the primary Admin, what happens with the features in Cisco ISE? Does Cisco ISE still work using the secondary Admin?

- Do I need to install the patch on the PSNs also?

Best Regards

Ping Zhou
Level 8

Start patching on the primary PAN. Use the CLI to monitor the status. Depending on the patch, you will be logged out or the primary PAN will even get rebooted. Once the patching on the primary PAN is done, you can log back into it and use it to monitor the patching status across the ISE cluster via its web UI. Go to patch management and find the patch, then "Show Node Status". The patching is done via the primary PAN, then automagically gets executed on the secondary PAN, then across all PSNs. ISE patches each node in the cluster in alphabetical order. You don't need to patch the PSN nodes directly. Reminder: always have a good remote backup of your ISE deployment. Good luck.

During the patching, a PSN will be functioning properly until it gets the patching executed. And be aware of which NADs are using which PSNs.

Hi Alzhou,

Based on your comment, "PSN will be functioning properly" --> will the PSN also restart when the patching is done?

How long will it take to install the patch on one node?

Do you have a complete guide (documentation) for patching? I tried to search but just get overview info: Cisco Identity Services Engine User Guide, Release 1.2 - Administering Cisco ISE [Cisco Identity Services Engine] - Cisc… My Cisco ISE is version 1.2.

Best Regards.

For PSN patching, depending on the patch, its services get restarted or the appliance gets rebooted. For each node, depending on the processing power of the appliance and the patch, the estimated time ranges from 10 minutes to 45 minutes or so. We don't know what exactly a particular patch would do, so plan for the worst. Cisco constantly improves ISE. I would suggest you open a TAC case and prepare, validate the procedure, then execute it on your production network.

How about the backup? Is there any backup plan if the update fails?

Remember that configuration data are in the PANs. So backing up configuration data from the primary PAN to an SFTP server is highly recommended for restoring if necessary, let's say, when or if the PAN crashes. If a PSN crashes, you can spin up an ISE node and join it to the cluster, and it gets the configuration from the PAN. If operational data is important to your deployment, you will also need to back it up via the backup and restore menu.

By the way, don't forget to export your system certificate and private key for the ISE nodes, in case you need to recover them later.
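An added planning sketch, not part of the original thread and not Cisco tooling: it lays out the rollout order described above (primary PAN, secondary PAN, then PSNs alphabetically), applies the 10 to 45 minute per-node estimate, and lists which NADs point at each PSN as it is patched. The hostnames, the NAD mapping, the case-insensitive sort and the one-node-at-a-time timing are assumptions.

```python
# Added example: hostnames and NAD-to-PSN mappings below are constructed.
PER_NODE_MIN, PER_NODE_MAX = 10, 45  # minutes per node, the estimate given in the thread

def patch_order(primary_pan, secondary_pan, psns):
    """Primary PAN, then secondary PAN, then PSNs alphabetically (per the thread).
    Assumption: 'alphabetical' is a case-insensitive hostname sort."""
    return [primary_pan, secondary_pan] + sorted(psns, key=str.lower)

def plan(primary_pan, secondary_pan, psns, nad_servers):
    """nad_servers maps a NAD name to the PSNs configured as its RADIUS servers.
    Assumption: nodes are patched one at a time, so node i finishes between
    i * PER_NODE_MIN and i * PER_NODE_MAX minutes after the start."""
    steps = []
    for i, node in enumerate(patch_order(primary_pan, secondary_pan, psns), 1):
        # NADs that lose this RADIUS server while the node restarts or reboots
        using = sorted(n for n, servers in nad_servers.items() if node in servers)
        # NADs whose only configured PSN is this node: no server left to fail over to
        no_fallback = [n for n in using if set(nad_servers[n]) == {node}]
        steps.append({
            "node": node,
            "best_end": i * PER_NODE_MIN,
            "worst_end": i * PER_NODE_MAX,
            "nads_using": using,
            "nads_without_fallback": no_fallback,
        })
    return steps

# Constructed sample inventory
PSNS = ["psn-c", "PSN-a", "psn-b"]
NADS = {
    "sw-access-01": ["PSN-a", "psn-b"],
    "sw-access-02": ["psn-b"],
    "wlc-01": ["psn-c", "PSN-a"],
}

if __name__ == "__main__":
    for s in plan("pan-1", "pan-2", PSNS, NADS):
        print(f"{s['node']:8} done by +{s['best_end']}..{s['worst_end']} min  "
              f"NADs: {s['nads_using']}  no fallback: {s['nads_without_fallback']}")
```

Any NAD reported under "no fallback" will have no RADIUS server available while its PSN is being patched.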