
patch ISE server from 3.3 patch-4 to patch-6 via CLI

I do not have a test environment to test in, so I am asking here. I have a five-node cluster environment on 3.3 patch-4 and I need to get the nodes to patch-6, in a safe way. My environment:

node1:  Primary Admin, Secondary MnT

node2:  Secondary Admin, Primary MnT

node3:  PSN

node4:  PSN

node5:  PSN

My plan is to patch these ISE servers through the CLI, in this order:

A- patch node2 (Secondary Admin, Primary MnT) first,

B- patch node3 (PSN) after that,

C- wait for one week to confirm that everything is still working,

D- patch node4 (PSN) and node5 (PSN),

E- patch node1 (Primary Admin, Secondary MnT)

I just don't want to patch all the systems and if they have issues, have to roll everything back, which might involve downtime.  I talked to Cisco TAC in the past, and I think they told me this method would be ok too, but I can't recall.

Anyone seeing issues with this?  

TIA


Torbjørn
VIP

It is pretty unorthodox to do it this way, but it should work fine. Ideally you would upgrade your deployment in one go - ISE patching is pretty safe. It is very rare for it to cause issues in my experience.

I would also alter the procedure somewhat if you go down this route.

  1. Upgrade both PAN nodes; these won't cause network downtime for authentication, and this is where I would guess any patch-version differences would cause issues, if any should occur.
  2. Upgrade 1 PSN, wait and verify.
  3. Upgrade the remaining PSN nodes.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thank you @Torbjørn. I would rather avoid upgrading both PAN nodes at the same time, because if things don't work and I have to roll back, nobody can log into ISE and make configuration changes. I've done enough ISE patching upgrades to know that it works well 95% of the time, but I was part of the 5% that had issues. Better safe than sorry, but your point is well taken.