ISE 2.4 Patch 2 Release Now Available

Cisco Employee

ISE 2.4 Patch 2 Release is now available at Cisco Software Download for ISE 2.4. Resolved Caveats in Cisco ISE Release 2.4 - Cumulative Patch 2 has more info.

 

Update 2018-Aug-03: This Patch Release has been re-posted on 2018-Aug-02. The new bundle file name is

ise-patchbundle-2.4.0.357-Patch2-18080100.SPA.x86_64.tar.gz

 

Due to CSCvk57963, it replaces the previously posted bundle, which has the filename ise-patchbundle-2.4.0.357-Patch2-18072612.SPA.x86_64.tar.gz.

33 Comments
VIP Advocate

You and me both Marvin ;)

Hall of Fame Community Legend
Pass the popcorn. The fireworks are about to start.
Collaborator

If anyone applied the patch, especially to a deployment that has 8 or more nodes, please share the results. Much appreciated. 

Hall of Fame Community Legend

@Ping Zhou wrote:

If anyone applied the patch, especially to a deployment that has 8 or more nodes, please share the results.


I'm with Marvin. I'm going to wait, for about four to six weeks, before doing anything. Y'know, "just in case".

Beginner

7 Node deployment - no issues yet, other than context visibility is still borked but has been for the last several 2.x versions.

Beginner

@hslai wrote:

ISE 2.4 Patch 2 Release is now available at Cisco Software Download for ISE 2.4. Resolved Caveats in Cisco ISE Release 2.4 - Cumulative Patch 2 has more info.

 

Update 2018-Aug-03: This Patch Release has been re-posted on 2018-Aug-02. The new bundle file name is

ise-patchbundle-2.4.0.357-Patch2-18080100.SPA.x86_64.tar.gz

 

Due to CSCvk57963, it replaces the previously posted bundle, which has the filename ise-patchbundle-2.4.0.357-Patch2-18072612.SPA.x86_64.tar.gz.


Has anyone experienced any serious issues with their deployment since patch 2 release?   I'm also curious on how it behaves on a 6+ node deployment.  

Hall of Fame Community Legend

@iseman-18 wrote:

Has anyone experienced any serious issues with their deployment since patch 2 release? I'm also curious on how it behaves on a 6+ node deployment.



I'd recommend holding off for now until Cisco releases a new patch to fix the Apache Struts Remote Code Execution Vulnerability (August 2018).

Beginner

Good call,  thank you.   When is the ETA for the next patch? 

Hall of Fame Community Legend

@iseman-18 wrote:

Good call, thank you. When is the ETA for the next patch?



Struts v2 fix was released a few hours ago.  

Please let us know if the patch works. 

Hall of Fame Master

I applied the Struts v2 hotfix and it works fine.

 

Unless you really need that fix, I'd wait until it's rolled into the next 2.4 patch release - Patch 3 will probably be out later in September.

 

Hotfixes are generally recommended for customers with immediate concerns about the issue remedied by the hotfix. They are subject to a lesser set of regression testing than full patches and are typically deployed to fewer customer systems, giving us fewer "real world" deployments to provide potential feedback.

VIP Advocate

I think I have asked this question elsewhere on this Community before, but the answer wasn't 100% certain: can we simply install patch 3 on a system that is running one or more hotfixes? E.g., customer has ISE 2.4 patch 2 and wants Struts2 hotfix. Then in September patch 3 comes along. What happens if we simply install patch 3? I cannot imagine putting customers through the pain of "rolling back" hotfix, with all the downtime involved, and then more downtime by installing patch 3. Can someone please confirm?

Hall of Fame Master

Patch installation should not require a hotfix rollback. Generally the Patch should include hotfixes that were publicly released prior to the patch. There may be corner cases where a hotfix was released after the code was frozen for final QA and publication/distribution to the CDN.

 

Special file publish hotfixes may be an exception to this rule but then they aren't publicly released.

 

When in doubt check the release notes when a new patch is released or open a TAC case to confirm.

Beginner

Hello, it looks like patch 3 was released yesterday.   Cisco is moving fast!  Is it safe to deploy?  

Hall of Fame Master

@iseman-18 it's a bit too soon to tell after only 24 hours or so.

 

I can confirm that it installed fine on my lab server (VM) and a greenfield deployment I am doing just now (2 nodes on SNS-3515 appliances).

VIP Advocate

@iseman-18 Unless there is a production impacting bug you are actively trying to fix, it's probably best to let the patch soak for a week or two.  They obviously test patches prior to release, but it's next to impossible to account for every situation.  

 

P3 certainly arrived sooner than I thought it would. Time to follow Marvin's lead and throw it on the lab deployments.