cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

420
Views
0
Helpful
1
Replies
dgaikwad
Contributor

Patching nodes

Recently I was testing the application of patch 5 to 2.4. I chose to do the patching using CLI.

I applied patch 5 to the secondary PAN first, the patch got applied without any issues, and the node is still connected to the cluster there has been no error reported.

The questions it that, when I am creating a cluster ISE asks for every node to be on same version and patch level. But, when I chose to apply the patch to a node in a cluster there was no check made! Is this an acceptable behaviour or am I missing a crucial step here?

Any pointers?

1 ACCEPTED SOLUTION

Accepted Solutions
Damien Miller
VIP Advisor

This is the expected behavior. While registering a node there is a check done to ensure the version and patch level matches. If the same check was done following registration, you would end up with nodes that are paper weights during patching. When you patch from the CLI it warns you that the patch will only be installed on the node you are logged in to. They can run with mismatched patch levels but I would suggest limiting the exposure and finish patching in one change window if possible.

Another note, patching should begin with the primary admin node, then progress to the other nodes.

Other than that, patching from the CLI is very straight forward as you found out. A single command and you can run multiple nodes in parallel, I find it far superior to using the GUI when dealing with large environments because of this.

View solution in original post

1 REPLY 1
Damien Miller
VIP Advisor

This is the expected behavior. While registering a node there is a check done to ensure the version and patch level matches. If the same check was done following registration, you would end up with nodes that are paper weights during patching. When you patch from the CLI it warns you that the patch will only be installed on the node you are logged in to. They can run with mismatched patch levels but I would suggest limiting the exposure and finish patching in one change window if possible.

Another note, patching should begin with the primary admin node, then progress to the other nodes.

Other than that, patching from the CLI is very straight forward as you found out. A single command and you can run multiple nodes in parallel, I find it far superior to using the GUI when dealing with large environments because of this.
Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube