Cisco ISE patch Install Example


Cisco releases ISE patches periodically, roughly 3 or 4 a year for each version. The patches contain bug and security fixes. When you install a patch on an ISE node, the node is rebooted and all the services are restarted. The patch installation might take a few hours to complete. Patience is key: I once had to wait around 5 hours for the installation to complete on two of the ISE nodes.

The patch files can be downloaded from the Cisco website: https://software.cisco.com/download/home/283801620/type/283802505/release/3.0.0

When you install a patch from the Primary Admin node in a two-node deployment, the patch is installed on the primary node first. If that installation succeeds, it continues on the secondary node. If it fails on the Primary Admin node, the installation does not proceed to the secondary node.

If you have a standalone ISE deployment, be sure to patch outside business hours to minimize the impact of the downtime. In this blog, I'm going to install Patch 4 on Cisco ISE version 3.0. I've already downloaded the patch file from the Cisco website.

Patch Installation

The process is extremely straightforward: navigate to Administration > System > Patch Management > Install Patch, upload the patch file and click Install.

Please note that when you click ‘install’, nothing appears to happen and no status is shown. This is normal, and after a few minutes you will be logged out of ISE.

If you have zero patience like I do, you can go to the CLI and check the status of the different services, but there is no way to see the installation progress.

As you can see below, some of the services are not running, which indicates that the installation is in progress. At this point, all the authentications are handled by the secondary node (if you have a distributed deployment).

ise-01/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID  
--------------------------------------------------------------------
Database Listener                      running          104045      
Database Server                        running          84 PROCESSES
Application Server                     not running                  
Profiler Database                      running          110057      
ISE Indexing Engine                    running          115938      
AD Connector                           running          118970      
M&T Session Database                   running          109839      
M&T Log Processor                      not running                  
Certificate Authority Service          not running                  
EST Service                            not running                  
SXP Engine Service                     disabled                     
Docker Daemon                          running          106483      
TC-NAC Service                         disabled        
pxGrid Infrastructure Service          disabled                     
pxGrid Publisher Subscriber Service    disabled                     
pxGrid Connection Manager              disabled                     
pxGrid Controller                      disabled                     
PassiveID WMI Service                  disabled                     
PassiveID Syslog Service               disabled                     
PassiveID API Service                  disabled                     
PassiveID Agent Service                disabled                     
PassiveID Endpoint Service             disabled                     
PassiveID SPAN Service                 disabled                     
DHCP Server (dhcpd)                    disabled                     
DNS Server (named)                     disabled                     
ISE Messaging Service                  not running                  
ISE API Gateway Database Service       running          109011      
ISE API Gateway Service                running          112334      
Segmentation Policy Service            disabled                     
REST Auth Service                      disabled                     
SSE Connector                          disabled  

After a while, I checked the services again and could see that all of them were running. You can verify whether the patch is installed by running the show version command or via the web GUI.

ise-01/admin# show version 

Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.8.105
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2020 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise-01


Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.0.0.458
Build Date   : Sat Aug 29 20:51:28 2020
Install Date : Sat Nov  6 08:28:05 2021

Cisco Identity Services Engine Patch 
---------------------------------------------
Version      : 4
Install Date : Wed Jan 05 20:29:00 2022
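
The two CLI checks above can be made repeatable, which helps when confirming that a security patch really landed on every node. The following is an added example, not part of the original post or any Cisco tooling: it parses captured 'show application status ise' and 'show version' text and reports which enabled services are still down and which patch numbers are installed. The function names and the abbreviated sample text are constructed for illustration.

```python
import re

# Constructed samples, abbreviated from the CLI output shown above.
STATUS_SAMPLE = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          104045
Application Server                     not running
M&T Log Processor                      not running
SXP Engine Service                     disabled
ISE Messaging Service                  not running
"""
VERSION_SAMPLE = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 3.0.0.458

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 4
Install Date : Wed Jan 05 20:29:00 2022
"""

def parse_status(text):
    # Columns are separated by runs of 2+ spaces; "not running" keeps its single space.
    states = {}
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 2 or fields[0] == "ISE PROCESS NAME":
            continue  # skip the prompt, header, separator and blank lines
        states[fields[0]] = fields[1]
    return states

def pending_services(states):
    # Enabled services that are not yet "running"; disabled ones are ignored.
    return sorted(n for n, s in states.items() if s not in ("running", "disabled"))

def installed_patches(text):
    # Collect the Version value under each "... Identity Services Engine Patch" heading.
    patches, in_patch = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Cisco Identity Services Engine"):
            in_patch = line.endswith("Patch")
        m = re.match(r"Version\s*:\s*(\d+)$", line)
        if in_patch and m:
            patches.append(int(m.group(1)))
    return patches

def patch_complete(status_text, version_text, expected_patch):
    # Done only when nothing enabled is still down AND the expected patch is listed.
    return not pending_services(parse_status(status_text)) and expected_patch in installed_patches(version_text)
```

Run it against output saved from each node in the deployment, since a failed install on the primary node means the secondary node is never patched.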

Rollback

ISE installs the patch on one node at a time. If there is an issue during the installation, the patch is automatically rolled back.

However, if there is an issue after the installation is completed, you can manually roll back the patch by clicking the ‘rollback’ button. (Please make sure you log in with the ‘admin’ account to roll back the patch.)