Solved: Re: Patch difference in deployment mode - Cisco ISE

JoseAlanis07669 · ‎12-20-2021

Hello!
Does anyone know what Cisco's recommendations are about having different patches on my deployment.

My deployment has patch 3 of version 2.x but I am looking to upgrade only one node to patch 6 by CLI.

Will there be any compatibility issues between the rest of the nodes with patch 3 and the node with patch 6?

Thanks and have a nice day!

Damien Miller · ‎12-20-2021

I've run in to some odd issues when I had a customer stop patching a deployment overnight. I would try to get all nodes on the same patch as quickly as possible starting with the primary admin node.

The CLI won't prevent you from doing a single node, but no one will recommend leaving it in this state or applying it to any node but the PAN first. In a distributed deployment I will usually patch a PSN second after the PAN to test/validate/pause. Then once confirmed things are still working with that node we finish up the patching work.

View solution in original post

Rob Ingram · ‎12-20-2021

@JoseAlanis07669 no, you should run the same patch version across all nodes in your ISE cluster. I doubt Cisco even supports running different patches on the ISE nodes.

Damien Miller · ‎12-20-2021

I've run in to some odd issues when I had a customer stop patching a deployment overnight. I would try to get all nodes on the same patch as quickly as possible starting with the primary admin node.

The CLI won't prevent you from doing a single node, but no one will recommend leaving it in this state or applying it to any node but the PAN first. In a distributed deployment I will usually patch a PSN second after the PAN to test/validate/pause. Then once confirmed things are still working with that node we finish up the patching work.