cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1025
Views
0
Helpful
4
Replies

ISE patch while upgrading

matthen
Cisco Employee
Cisco Employee

Is there a way to apply a patch while you're upgrading an ISE environment?  My use case is, if a customer is upgrading from ISE 2.2 to 2.4, they start with their Secondary Admin, Primary Monitoring, then they start upgrading their PSNs.  However, during this process the newly upgraded PSNs will be vulnerable to any bugs in the base 2.4 code, and users being migrated to the upgraded PSNs will be exposed to those bugs.  Is there a way to apply a patch to each node as they're being upgraded to avoid unnecessary issues?

 

Thanks,

Matt

1 Accepted Solution

Accepted Solutions

Short answer no. During the upgrade process the databases will be tweaked
by starting with secondary PAN then making it ready to accept PSNs until
primary PAN is upgraded and rejoined the upgraded deployment. If you alter
the database with patches you mightnot be able to recover.

View solution in original post

4 Replies 4

matthen
Cisco Employee
Cisco Employee

I see that you can apply patches prior to registering PSNs to the upgraded deployment per this document: https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934#toc-hId--718381845

 

hslai
Cisco Employee
Cisco Employee

To recap our discussion offline on this, Surendra and Mohammed al Baqari are both correct in case of using the guided upgrade in ISE admin web UI. Whereas ISE Upgrades - Best Practices describes additional options, besides the UI guided upgrade. The other options could be preferable, for sizable ISE deployments, for those ISE Releases unable to upgrade directly to ISE 2.4 or 2.6, or other considerations.

 

Surendra
Cisco Employee
Cisco Employee
Unfortunately, you will not be able to upgrade to rest of the deployment if you do so. The nodes will be upgraded for a brief moment before they fail to join the upgraded deployment and are rolled back. What you can test is though is to apply patches, test the user authentications, see if they are working, roll back the patches and then upgrade the rest of the deployment. This is not a tested path as such but going by the logic, this should work and you will be doing it at your own risk.

Short answer no. During the upgrade process the databases will be tweaked
by starting with secondary PAN then making it ready to accept PSNs until
primary PAN is upgraded and rejoined the upgraded deployment. If you alter
the database with patches you mightnot be able to recover.