hslai
Cisco Employee

ISE 2.4 Patch 2 Release is now available at Cisco Software Download for ISE 2.4. Resolved Caveats in Cisco ISE Release 2.4 - Cumulative Patch 2 has more info.

 

Update 2018-Aug-03: This Patch Release has been re-posted on 2018-Aug-02. The new bundle file name is

ise-patchbundle-2.4.0.357-Patch2-18080100.SPA.x86_64.tar.gz

 

Due to CSCvk57963, it replaces the previously posted bundle, which has the filename ise-patchbundle-2.4.0.357-Patch2-18072612.SPA.x86_64.tar.gz.

33 Comments
Damien Miller
VIP Advisor

You and me both Marvin ;)

Leo Laohoo
VIP Community Legend

Pass the popcorn. The fireworks are about to start.

Ping Zhou
Collaborator

If anyone applied the patch, especially to a deployment that has 8 or more nodes, please share the results. Much appreciated. 

Leo Laohoo
VIP Community Legend

@Ping Zhou wrote:

If anyone applied the patch, especially to a deployment that has 8 or more nodes, please share the results.


I'm with Marvin. I'm going to wait, for about four to six weeks, before doing anything. Y'know, "just in case".

cjwolff
Beginner

7 Node deployment - no issues yet, other than context visibility is still borked but has been for the last several 2.x versions.

iseman-18
Beginner

@hslai wrote:

ISE 2.4 Patch 2 Release is now available at Cisco Software Download for ISE 2.4. Resolved Caveats in Cisco ISE Release 2.4 - Cumulative Patch 2 has more info.

 

Update 2018-Aug-03: This Patch Release has been re-posted on 2018-Aug-02. The new bundle file name is

ise-patchbundle-2.4.0.357-Patch2-18080100.SPA.x86_64.tar.gz

 

Due to CSCvk57963, it replaces the previously posted bundle, which has the filename ise-patchbundle-2.4.0.357-Patch2-18072612.SPA.x86_64.tar.gz.


Has anyone experienced any serious issues with their deployment since patch 2 release?   I'm also curious on how it behaves on a 6+ node deployment.  

Leo Laohoo
VIP Community Legend

@iseman-18 wrote:

Has anyone experienced any serious issues with their deployment since patch 2 release? I'm also curious on how it behaves on a 6+ node deployment.



I'd recommend holding off for now until Cisco releases a new patch to fix the Apache Struts Remote Code Execution Vulnerability (August 2018).

iseman-18
Beginner

Good call,  thank you.   When is the ETA for the next patch? 

Leo Laohoo
VIP Community Legend

@iseman-18 wrote:

Good call, thank you. When is the ETA for the next patch?



Struts v2 fix was released a few hours ago.  

Please let us know if the patch works. 

Marvin Rhoads
VIP Community Legend

I applied the Struts v2 hotfix and it works fine.

 

Unless you really need that fix, I'd wait until it's rolled into the next 2.4 patch release - Patch 3 will probably be out later in September.

 

Hotfixes are generally recommended for customers with immediate concerns about the issue remedied by the hotfix. They are subject to a lesser set of regression testing than full patches and are typically deployed to fewer customer systems, giving us fewer "real world" deployments to provide potential feedback.

Arne Bier
VIP Advisor

I think I have asked this question elsewhere on this Community before, but the answer wasn't 100% certain: can we simply install patch 3 on a system that is running one or more hotfixes? E.g., customer has ISE 2.4 patch 2 and wants Struts2 hotfix. Then in September patch 3 comes along. What happens if we simply install patch 3? I cannot imagine putting customers through the pain of "rolling back" hotfix, with all the downtime involved, and then more downtime by installing patch 3. Can someone please confirm?

Marvin Rhoads
VIP Community Legend

Patch installation should not require a hotfix rollback. Generally the Patch should include hotfixes that were publicly released prior to the patch. There may be corner cases where a hotfix was released after the code was frozen for final QA and publication/distribution to the CDN.

 

Special file publish hotfixes may be an exception to this rule but then they aren't publicly released.

 

When in doubt check the release notes when a new patch is released or open a TAC case to confirm.

iseman-18
Beginner

Hello, it looks like patch 3 was released yesterday.   Cisco is moving fast!  Is it safe to deploy?  

Marvin Rhoads
VIP Community Legend

@iseman-18 it's a bit too soon to tell after only 24 hours or so.

 

I can confirm that it installed fine on my lab server (VM) and a greenfield deployment I am doing just now (2 nodes on SNS-3515 appliances).

Damien Miller
VIP Advisor

@iseman-18 Unless there is a production impacting bug you are actively trying to fix, it's probably best to let the patch soak for a week or two.  They obviously test patches prior to release, but it's next to impossible to account for every situation.  

 

P3 certainly arrived sooner than I thought it would. Time to follow Marvin's lead and throw it on the lab deployments.
