11-15-2017 03:14 PM
Hi Champs!
A quick question: We are running ISE 1.3 and would like to upgrade.
Is there any stable version we could upgrade to?
I see we can directly update from 1.3 to 2.1, but not to 2.2.
Is it a good idea to update to 2.1?
We are running ISE in distributed environment with multiple nodes.
Thanks.
Solved! Go to Solution.
12-12-2017 05:10 PM
Hi Champs!
What order should we apply the patch if we are using CLI?
Would there be any downtime when applying the patch individually on each node?
12-12-2017 05:17 PM
Primary PAN first. Then, the rest can be in any order.
Yes, there would be downtime but you would have the control over which ISE nodes down when doing it via CLI. ISE patching usually will restart ISE services and some patches will reboot the O/S.
12-12-2017 05:20 PM
Thanks hslai,
When we do the Primary PAN first, wouldn't there be a patch mismatch between Primary PAN and all other nodes?
Would this cause any issues?
12-12-2017 05:28 PM
During patching, it's fine that not all ISE nodes in the same patch level as that is expected.
12-12-2017 05:20 PM
Please check the admin guide on this process, it’s all explained
12-12-2017 05:32 PM
The guide says:
When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment. Secondary Cisco ISE nodes are restarted consecutively after the patch is installed on those nodes. While installing a patch on secondary nodes, you can continue to perform tasks on the Primary PAN.
whichh I believe is true when we use GUI. I'd be using CLI to apply patch on individual nodes.
Any thoughts?
12-12-2017 05:37 PM
Correct. The info is on using the ISE admin web UI to apply the patches.
When using CLI, the ISE admin has the control which one ISE node got applied first and when to start patching on any of the ISE nodes.
12-12-2017 05:35 PM
We have 2 PSNs running.
1. We update patch on Primary PAN.
2. Update patch on 1st PSN.
At this point of time Primary PAN has latest patch and 2nd PSN is on older patch. Would 2nd PSN still be working and authenticating the clients while 1st PSN patch update is in progress?
12-12-2017 05:41 PM
Yes.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide