ISE patch while upgrading

matthen
Cisco Employee

Is there a way to apply a patch while you're upgrading an ISE environment?  My use case is, if a customer is upgrading from ISE 2.2 to 2.4, they start with their Secondary Admin, Primary Monitoring, then they start upgrading their PSNs.  However, during this process the newly upgraded PSNs will be vulnerable to any bugs in the base 2.4 code, and users being migrated to the upgraded PSNs will be exposed to those bugs.  Is there a way to apply a patch to each node as they're being upgraded to avoid unnecessary issues?

 

Thanks,

Matt

Accepted Solutions

Short answer no. During the upgrade process the databases will be tweaked
by starting with secondary PAN then making it ready to accept PSNs until
primary PAN is upgraded and rejoined the upgraded deployment. If you alter
the database with patches you might not be able to recover.

4 Replies

matthen
Cisco Employee

I see that you can apply patches prior to registering PSNs to the upgraded deployment per this document: https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934#toc-hId--718381845

 

hslai
Cisco Employee

To recap our discussion offline on this, Surendra and Mohammed al Baqari are both correct in the case of using the guided upgrade in the ISE admin web UI, whereas ISE Upgrades - Best Practices describes additional options besides the UI guided upgrade. The other options could be preferable for sizable ISE deployments, for those ISE releases unable to upgrade directly to ISE 2.4 or 2.6, or for other considerations.

 

Surendra
Cisco Employee

Unfortunately, you will not be able to upgrade the rest of the deployment if you do so. The nodes will be upgraded for a brief moment before they fail to join the upgraded deployment and are rolled back. What you can test, though, is to apply patches, test the user authentications, see if they are working, roll back the patches and then upgrade the rest of the deployment. This is not a tested path as such, but going by the logic, this should work, and you will be doing it at your own risk.
