ISE v3.4 Patch 1 - Exercise caution

dal
Level 3

Take a backup before you do an upgrade to the new Patch 1 for ISE v3.4

My installation did not start up afterwards.

I even did a fresh install of v3.4 and applied the patch, and the installation did not start even then.

I also tried to roll back the patch, and that failed too.

Cannot see anything sticking out in the logs, but then again, searching the ISE logs is not easy.


Hi @Pawel Przybyszewski ,

Interesting ...

You increased the RAM from 32 GB to 64 GB, so your ISE Profile was a SNS 3615 and now is a SNS 3595, correct?

In Operations > Reports > Reports > Endpoints and Users > Authentication Summary > please take a look at Authentication by Day and Quick Link. What is your "Total Number of Authentications" (Pass & Fail) in a day?

 

Regards.

Endpoints - Pass 2748 Fail 23; device admin 300 Fail 0 - it's a small deployment in HA (2 ISE VMs in different locations).

At this moment 16CPU/64GB RAM/600GB HDD VM on ESXi - the additional 32GB probably doesn't matter because a small instance should use 32, medium 96. 64GB is the unsupported (EoL) SNS 3595.

Hi @Pawel Przybyszewski ,

Thanks ...

I asked about the Total Number of Authentications per Day, because even a Small Deployment can generate many Authentications per Day ... it's not your case (only 3K Authentications per Day).

Your Hardware was compatible with a SNS 3615 (16vCPU & 32GB RAM) but you need to add more RAM (32 GB more) for everything to go fine ... interesting ...

Since you have 2x Nodes, can you test both Nodes as Standalone? I'm wondering if the Replications of a Distributed Node has any impact on your Deployment.

 

Note: please take a look at ISE - Slow Replication, maybe you can find useful info.

 

Regards

It was strange because in Deployment status - no action for replicated. My theory is that compacting the database after the upgrade, or a similar case, caused timeouts for RADIUS (TACACS worked fine). We tuned RADIUS settings (increased reauthentication time) and disabled ISE Messaging Settings according to best practice. Our instances had many upgrades from 2.4->2.6->2.7->3.1->3.4 and many patches. I saw this link and also used it, the same best practice for ISE and RADIUS.

I can't answer what helped.

People authenticated in one instance got a "5440 endpoint abandoned EAP session and started new" error during reauthentication in the other instance (the original instance returned a timeout during reauthentication). The problem did not occur for all users, and every day there were fewer errors.

Adding RAM fixed the low performance HDD warning (low speed during backups other VMs) but I don't know why.

Scott Fella
Hall of Fame

Interesting, because I patched my v3.4 to patch 1 and didn't run into any issues.  I'm going to spin up a new VM and test it again.

wa-red-ise-01/admin#show version history
---------------------------------------------
Install Date: Sun Nov 24 16:40:23 UTC 2024
Application: ise
Version: 3.4.0.608
Install type: Application Install
Bundle filename: ise.tar.gz
Repository: SystemDefaultPkgRepos


---------------------------------------------
Install Date: Tue Dec 24 04:06:19 UTC 2024
Application: ise
Version: 1
Install type: Patch Install
Bundle filename: ise-patchbundle-3.4.0.608-Patch1-24121602.SPA.x86_64.tar.gz
Repository: tmplocalpatchinstallrepo

**** Update ****

Well I spun up a new ISE v3.4 and patched it with no issues.

-Scott
*** Please rate helpful posts ***

It seems you tested on an empty application (no authentications in Dashboard).

TAC found a bug in Patch 1 with database credentials in an existing HA deployment. The issue is under investigation.

C Paul
Level 1

I believe this is now logged as a bug under the reference below, if this helps, as we have had the same experience several times with existing builds and fresh new installs.
CSCwn95769  ISE 3.4 won't start services after PATCH 1 installation