Patching ISE Cluster without disruption

Joe65
Level 1

Hello everybody, 

Just a question about patching a 2-node ISE cluster (Active/Standby).

Is it possible to patch the cluster (with reboot) without a network outage?

Regards.

5 Replies

When you upgrade ISE you will always start with the secondary PAN; once that is upgraded it will become the primary PAN, and then the upgrade will carry on upgrading the old primary PAN. This whole process will cause a brief disruption only for the new sessions that will be sent to the second PSN at the time its services are being restarted; however, it won't affect the sessions that have already been authenticated/authorized. One thing you could do, if feasible, would be to remove the second PSN from the RADIUS servers list on the network devices, and then put it back on the top once the upgrade is completed on that node. And then remove the other PSN until the upgrade is finished and put it back on the list.

Thank you for your reply. 

Dustin Anderson
VIP Alumni

We have a 2-node unit like you describe and we really don't see disruption. You may see some auth latency as a device may need to see it down before it uses the second one. We still patch in weekend maintenance windows for safety, but I have not seen auth go down.

For a patch, we see the primary patch and reboot first; once up, we see the secondary node patch and reboot. What we do see is, since our secondary is primary MnT, we lose live logs while it's down.

Thanks for your reply.

This is exactly what I wanted to know about the process after the patching of each node.

For a patch, we see the primary patch and reboot first; once up, we see the secondary node patch and reboot. What we do see is, since our secondary is primary MnT, we lose live logs while it's down.

Tariq Mahmoud
Level 1

If you patch from the CLI, you will have more control over which node is patched first. You can start with the CLI of the Secondary, patch it, and then it will reboot.
Once the Secondary is up and running after the reboot, you can start with the Primary ISE node from the CLI.

There should be no outage, unless any of the NADs (wireless/switches) is configured with only a single ISE server instead of both ISE servers.
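The two answers above both hinge on the same precondition: every NAD must have both PSNs in its RADIUS server list, otherwise rebooting one node is an outage for that device. The script below is an added example (not from this thread or from Cisco) of a pre-patch audit that parses IOS-style running-config text (`radius server <name>` blocks referenced from `aaa group server radius <group>`) and reports, per NAD, which ISE PSN addresses it is missing. The PSN addresses and the two sample configs are constructed; adapt them to your own deployment.

```python
"""Pre-patch audit: flag NADs whose RADIUS config references only one ISE PSN.

Added example, not part of the thread. Assumes Cisco IOS-style config text
(``radius server NAME`` / ``address ipv4 ...`` and ``aaa group server radius``
with ``server name NAME`` members). PSN addresses and sample configs are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed: the two PSN addresses of the 2-node ISE deployment.
ISE_PSNS: Set[str] = {"10.0.0.11", "10.0.0.12"}

# Constructed sample running-config: both PSNs present (the good case).
SWITCH_OK = """
radius server ISE-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 7 <redacted>
radius server ISE-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key 7 <redacted>
aaa group server radius ISE-GROUP
 server name ISE-1
 server name ISE-2
"""

# Constructed sample running-config: only one PSN, so patching it means an outage here.
SWITCH_SINGLE = """
radius server ISE-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 7 <redacted>
aaa group server radius ISE-GROUP
 server name ISE-1
"""


def parse_radius_servers(config: str) -> Dict[str, str]:
    """Map each 'radius server NAME' block to the IPv4 address it defines."""
    servers: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^radius server (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+address ipv4 (\S+)", line)
        if m and current:
            servers[current] = m.group(1)
            continue
        if line and not line.startswith(" "):  # a new top-level stanza ends the block
            current = None
    return servers


def parse_server_groups(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa group server radius GROUP' to its 'server name' members."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^aaa group server radius (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"^\s+server name (\S+)", line)
        if m and current:
            groups[current].append(m.group(1))
            continue
        if line and not line.startswith(" "):
            current = None
    return groups


def ise_servers_in_use(config: str) -> Set[str]:
    """Return the ISE PSN addresses actually referenced by some server group."""
    servers = parse_radius_servers(config)
    used: Set[str] = set()
    for members in parse_server_groups(config).values():
        for name in members:
            addr = servers.get(name)
            if addr in ISE_PSNS:
                used.add(addr)
    return used


def audit(nads: Dict[str, str]) -> Dict[str, List[str]]:
    """Per NAD hostname, list the ISE PSNs it is NOT configured with (empty list = safe)."""
    return {host: sorted(ISE_PSNS - ise_servers_in_use(cfg)) for host, cfg in nads.items()}


if __name__ == "__main__":
    for host, missing in audit({"sw-ok": SWITCH_OK, "sw-single": SWITCH_SINGLE}).items():
        status = "OK" if not missing else f"missing PSNs {missing}: auth will fail while that node reboots"
        print(f"{host}: {status}")
```

Run it against the exported running-configs of your NADs before the maintenance window; any device listed with a missing PSN should be fixed (or scheduled for its own window) before either ISE node is rebooted. A server defined but not a member of any `aaa group server radius` group is deliberately treated as unused, since that is the configuration the authentication method list actually consults.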