Solved: Stable version between ISE 2.3 and 2.4

Arie -- · ‎09-10-2018

Hi,

Currently we are running ISE 2.3 with patch 4 for device administration (TACACS+) feature only.

We deploy as primary-secondary. Now, the ISE version 2.4 is available.

Which one is stable between ISE 2.3 and 2.4? What would you recommend?

Thank you

Arie

Jason Kunst · ‎09-10-2018

Recommend staying with 2.3 Until 2.4 is recommended long term release and then move to that. There is currently no ETA.

Unless having trouble or needing something in 2.4 wouldn’t recommend moving until then

View solution in original post

yshchory · ‎09-10-2018

Not disagreeing with Jason, let me slightly widen and refine the message here.

Current FORMAL message for new deployments is to go with 2.2 if you don't have an SDA deployment and 2.3 if you do want to integrate with DNA for SDA. Having said that, 2.4 is getting great traction and now that we're already 3 patches strong, we also see good quality metrics with it. So while I'm quite a strong believer of "don't fix what ain't broken", I think that 2.4 is quite near being declared the "recommended" release for both SDA and non-SDA deployments.

Yuval

View solution in original post

Jason Kunst · ‎09-10-2018

Recommend staying with 2.3 Until 2.4 is recommended long term release and then move to that. There is currently no ETA.

Unless having trouble or needing something in 2.4 wouldn’t recommend moving until then

gbekmezi-DD · ‎09-10-2018

Thanks Jason, that’s the first I’ve heard that. I had read 2.4 unless you were an early adopter of DNA Center and needed that integration.

Jason Kunst · ‎09-10-2018

Its been 2.2 for a while and hasn’t been moved to 2.4 yet. Getting close with these upcoming patches.

yshchory · ‎09-10-2018

Not disagreeing with Jason, let me slightly widen and refine the message here.

Current FORMAL message for new deployments is to go with 2.2 if you don't have an SDA deployment and 2.3 if you do want to integrate with DNA for SDA. Having said that, 2.4 is getting great traction and now that we're already 3 patches strong, we also see good quality metrics with it. So while I'm quite a strong believer of "don't fix what ain't broken", I think that 2.4 is quite near being declared the "recommended" release for both SDA and non-SDA deployments.

Yuval

paul · ‎09-10-2018

The fact that we are already 3 patches "strong" in 2.4 should tell you something. There was a lot of stuff broken in 2.4. This may be the fastest version to 3 patches. I am hoping with patch 3 some of the nagging issues with 2.4 will be fixed.

Damien Miller · ‎09-10-2018

Patch 4 has some important fixes coming too.

yshchory · ‎09-10-2018

Paul,

Fully agree with you with regards to 2.4 being the fastest in terms of 3 patches – however this is NOT unintentional. In order to drive 2.4 to become the recommended release, we have gotten ourselves into a “patching cadence on steroids” state so we can fix bugs as fast as possible and as they come.

So, all in all not disagreeing with you – his is very intentional and is based on the fact that there is no way to release software completely free of bugs, yet we understand that ISE is an infrastructure product and as such we have to ensure we fix those truly fast.

Yuval

paul · ‎09-10-2018

Yuval,

Thanks for the explanation on the new patching philosophy. As Damien said hopefully patch 4 will fix issues like the no CoA sent on reprofile bug I just got refiled (CSCvm22838) and possibly the AD profiler not using DNS information issue I identified in TAC case 685074159.

Arne Bier · ‎09-10-2018

I think there is something fundamentally wrong when the newer releases are considered less stable than the previous releases, since, one would hope that things that worked in 2.2 would still work in 2.4. I see the same banal argumentation in the Cisco WLC trains (there are so many releases to choose from ... but stay on the "oldest" if you want your stuff to actually work).

We need products that work cumulatively and where customers can be confident that their existing features will continue working while they start testing the new features. Sure, new features are entitled to have teething problems.

I am not convinced that customers on 2.2 are working flawlessly. They're probably wondering whether the grass is greener on the other side and we're telling them that it's not.

At some stage Cisco will have so many parallel trains of ISE code to maintain that it seems to me they will be diluting the efforts of their sustaining engineering department, instead of consolidating and making one version that works properly.

Arie -- · ‎09-10-2018

Good discussion guys.
Now I have reference to choose between ISE 2.3 or 2.4.
I understand that in software programming, there is no free of bugs. It depends on what feature that you use on ISE. But sometimes the feature that running minimum issue in current version become more and more issue in the next version. And that’s I’m afraid of.
So, I think I will stay on version 2.3 to run device administration on Cisco ISE.

Thank you
Arie

Marvin Rhoads · ‎09-10-2018

I've done three production deployments with 2.4 thus far and my customers have been happy with it.

Especially for greenfield deployments, customers should be much happier working with the new policy studio that was introduced in 2.3.

In general, the even numbered ISE release ordinals (2.2, 2.4 etc.) will be long term support.