
log4j hotfix CSCwa47133 - ISE distributed environment

Hello guys,

In a distributed environment, is there a specific order in which the hot fix needs to be done? I have an 11-node setup with 2 PANs. I assume the patch should start with the primary PAN, then the secondary PAN, and then all the other PSN nodes. Is this correct?

Has someone already done it?

Thank you!

Accepted Solutions

marce1000
VIP Mentor

I don't think it really matters, because for this patch, no ISE (internal) communications dependencies are involved.

M.


Damien Miller
VIP Advisor

I can confirm that the order it is applied in does not matter. You just need to apply the hotfix to each node in the order of your choosing, keeping in mind that the services will restart when you run it on that specific node, so most would do it one node at a time.


7 REPLIES
@Damien Miller 

 

Do you know what the recommendations are with the log4j hotfix if you have PAN failover enabled? Should this be disabled before applying the hotfix or does it not matter?

I would disable it before applying this hotfix; you don't want to take the extended outage for both PANs switching around on you while you're doing this work.

Thank you! Really helpful.

Yesterday evening I patched our environment of 11 virtual nodes. I started with the far PSNs and ended with the 2 PAN nodes, for which I did a manual failover - PA PM and upgrade the SA SM.

Downtime per application restart ~ 10 minutes.


Merry Christmas and a Happy new Year!
Vali Puiu

Could you please provide a link to a guide which explains the procedure step by step? I am doing it for the very first time and we have a total of 6 PSN nodes and 2 PAN nodes in HA mode.

Everything you need to do is specified in the release notes of the patch. See the description below.

1. Copy the patch to a repository which is reachable from ISE.

2. Connect via CLI to each node, copy the patch from the repo and update the application.

The order doesn't matter; the cluster will not break, as this is a hotfix. The downtime is around 10-15 minutes per node. Do them 1 by 1.

"

=================================================
README for installing Hot Patch to fix CSCwa47133 
=================================================

This hot patch is to address CSCwa47133 (related to Apache Log4j2)

Download the following files from CCO.
                                                               
ise-apply-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz 
ise-rollback-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz


Confirm that the hash of the downloaded files matches the ones listed on CCO.
Copy the files to repository which is reachable from ISE.
Configure the repository in ISE to start the installation process.

===================
Few important notes
===================

This hot patch is only for Patch 1 of ISE 3.1 release.

This needs to be installed on every ISE node in a deployment.

===============
How to install 
===============

Login to ISE CLI
Invoke the following command to install the bundle which will apply the hot patch:

"application install ise-apply-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz <REPOSITORY_NAME>" 

=======================================================
How to Verify whether patch has installed successfully
=======================================================

Login to ISE CLI
Execute the command "show logging application hotpatch.log"
It should show that 'CSCwa47133_3.1.0.518_patch1' is installed, this will confirm that the hot patch was successfully installed.

===============
How to Rollback 
===============

(Note: This is only required if you need to remove the hot patch)

Login to ISE CLI
Invoke the following command to rollback the hot patch:

"application install ise-rollback-CSCwa47133_3.1.0.518_patch1-SPA.tar.gz  <REPOSITORY_NAME>""

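The README's hash check and its per-node verification step, sketched as an added example that is not part of the original post or of Cisco's tooling. The digest algorithm, the node names and the wording of the log line are assumptions; only the identifier CSCwa47133_3.1.0.518_patch1 comes from the README.

```python
import hashlib
import hmac
import re

# Identifier the README says hotpatch.log should report as installed.
HOTPATCH_ID = "CSCwa47133_3.1.0.518_patch1"


def bundle_matches(fileobj, published_hex, algorithm="sha512"):
    """Hash a downloaded bundle in chunks and compare it with the published digest.

    Assumption: the download page lists a hex digest; pass the matching
    algorithm name, since the README does not say which one is used.
    """
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(1 << 20), b""):
        h.update(chunk)
    expected = published_hex.strip().lower()
    return hmac.compare_digest(h.hexdigest(), expected)


def nodes_not_confirmed(nodes, captured):
    """List nodes whose saved hotpatch.log output does not confirm the install.

    captured maps node name -> text saved from
    "show logging application hotpatch.log" on that node. A node with no
    saved output is reported too, so it cannot be skipped silently.
    Assumption: the confirming line has the identifier followed by the
    word "installed"; adjust the pattern to what your nodes print.
    """
    confirmed = re.compile(re.escape(HOTPATCH_ID) + r".*\binstalled\b", re.I)
    return [n for n in nodes if not any(
        confirmed.search(line) for line in captured.get(n, "").splitlines())]


if __name__ == "__main__":
    # Constructed sample: node names and log line wording are made up.
    nodes = ["pan1", "pan2", "psn1", "psn2"]
    captured = {
        "pan1": "CSCwa47133_3.1.0.518_patch1 is installed\n",
        "psn1": "CSCwa47133_3.1.0.518_patch1 is installed\n",
        "psn2": "",  # output saved before the hot patch was applied
    }
    print("still to patch or verify:", nodes_not_confirmed(nodes, captured))
```

Since the hot patch has to be installed on every node in the deployment, feeding the full node list rather than only the nodes you remember patching is what makes the report useful.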

  

 
