Cisco releases ISE patches periodically, typically 3 or 4 patches a year for each version. The patches contain bug and security fixes. When you install a patch on an ISE node, the node is rebooted and all of its services are restarted. The patch installation might take a few hours to complete. Patience is key, as I once had to wait around 5 hours for the installation to complete on two of the ISE nodes.
The patch files can be downloaded from the Cisco website: https://software.cisco.com/download/home/283801620/type/283802505/release/3.0.0
When you install a patch from the Primary Admin node of a two-node deployment, the patch is installed on the primary node first and then on the secondary node. The installation proceeds to the secondary node only if it succeeds on the Primary Admin node; if it fails on the Primary Admin node, the installation does not proceed to the secondary node.
If you have a standalone ISE deployment, make sure to perform the patching outside business hours to minimize downtime. In this blog post, I'm going to install Patch 4 on Cisco ISE version 3.0. I've already downloaded the patch file from the Cisco website.
Patch Installation
The process is extremely straightforward: navigate to Administration > System > Patch Management > Install Patch, upload the patch file and click Install.
Please note that when you click 'Install' nothing visibly happens: there is no status indicator. This is normal, and after a few minutes you will be logged out of ISE.
If you have zero patience, as I do, you can go to the CLI and check the status of the different services, but there is no way to see the installation progress.
As you can see below, some of the services are not running, which indicates that the installation is in progress. At this point, all authentications are handled by the secondary node (if you have a distributed deployment).
ise-01/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 104045
Database Server running 84 PROCESSES
Application Server not running
Profiler Database running 110057
ISE Indexing Engine running 115938
AD Connector running 118970
M&T Session Database running 109839
M&T Log Processor not running
Certificate Authority Service not running
EST Service not running
SXP Engine Service disabled
Docker Daemon running 106483
TC-NAC Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
PassiveID WMI Service disabled
PassiveID Syslog Service disabled
PassiveID API Service disabled
PassiveID Agent Service disabled
PassiveID Endpoint Service disabled
PassiveID SPAN Service disabled
DHCP Server (dhcpd) disabled
DNS Server (named) disabled
ISE Messaging Service not running
ISE API Gateway Database Service running 109011
ISE API Gateway Service running 112334
Segmentation Policy Service disabled
REST Auth Service disabled
SSE Connector disabled
After a while, I checked the services again and could see that all the services were running. You can verify whether the patch is installed by running the show version command or via the web GUI.
ise-01/admin# show version
Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.8.105
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2020 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise-01
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 3.0.0.458
Build Date : Sat Aug 29 20:51:28 2020
Install Date : Sat Nov 6 08:28:05 2021
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : Wed Jan 05 20:29:00 2022
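The two CLI outputs above are what you end up watching while the install runs, so here is an added example (mine, not the post author's or Cisco's) that parses them: it lists the services still in the 'not running' state, which is the sign that the installation is still in progress, and reads the installed patch numbers out of show version to confirm the patch landed. It assumes the output text has been copied from the ISE admin CLI (for instance from a terminal log) into the script; the sample strings are excerpts of the transcripts shown above.

```python
"""Parse Cisco ISE CLI output to track a patch install.

Added example, not code from the original post or from Cisco: parsers for
the text of 'show application status ise' and 'show version' as pasted from
the ISE admin CLI. The samples are excerpts of the transcripts in the post.
"""
import re
from typing import Dict, List, Optional, Tuple

# One service per line: "<name> <state> [<pid or process count>]".
# 'not running' precedes 'running' in the alternation so that a line like
# "M&T Log Processor not running" is not split into a name ending in "not".
_STATUS_LINE = re.compile(
    r"^(?P<name>.+?)\s+(?P<state>not running|running|disabled)"
    r"(?:\s+(?P<pid>.*\S))?\s*$"
)


def parse_application_status(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map service name -> (state, pid). Prompt, header and separator lines
    carry no state token, so they fail the regex and are skipped."""
    services = {}
    for line in text.splitlines():
        m = _STATUS_LINE.match(line.strip())
        if m:
            services[m.group("name")] = (m.group("state"), m.group("pid"))
    return services


def services_not_running(services: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Services that should be up but are not. 'disabled' is a configured state,
    not a failure, so it is excluded. While a patch installs this list is
    non-empty; once it is empty again the node has finished restarting."""
    return sorted(n for n, (state, _) in services.items() if state == "not running")


def parse_show_version(text: str) -> Dict[str, object]:
    """Return the ISE base version and installed patch numbers.

    'show version' prints one 'Cisco Identity Services Engine' section and one
    'Cisco Identity Services Engine Patch' section per installed patch, each
    followed by a 'Version : <value>' line.
    """
    base_version: Optional[str] = None
    patches: List[int] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Cisco Identity Services Engine Patch":
            section = "patch"
        elif line == "Cisco Identity Services Engine":
            section = "base"
        elif section and line.startswith("Version") and ":" in line:
            value = line.split(":", 1)[1].strip()
            if section == "patch":
                patches.append(int(value))
            else:
                base_version = value
            section = None  # the next 'Version' line belongs to a new section
    return {"base_version": base_version, "patches": patches}


def patch_installed(show_version_text: str, patch_number: int) -> bool:
    """True if 'show version' lists the given patch number as installed."""
    return patch_number in parse_show_version(show_version_text)["patches"]


# Constructed sample input: excerpts of the two CLI transcripts shown in the post.
SAMPLE_STATUS = """\
ise-01/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 104045
Database Server running 84 PROCESSES
Application Server not running
M&T Log Processor not running
Certificate Authority Service not running
SXP Engine Service disabled
Docker Daemon running 106483
ISE Messaging Service not running
"""

SAMPLE_VERSION = """\
ise-01/admin# show version
ADE-OS Build Version: 3.0.8.105
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 3.0.0.458
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : Wed Jan 05 20:29:00 2022
"""

if __name__ == "__main__":
    down = services_not_running(parse_application_status(SAMPLE_STATUS))
    print("still not running:" if down else "all enabled services running", down)
    print(parse_show_version(SAMPLE_VERSION), patch_installed(SAMPLE_VERSION, 4))
```

Run it against a fresh copy of the CLI output and repeat until services_not_running returns an empty list; only then does the show version check tell you anything, since the patch section appears once the node has come back up.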
Rollback
ISE installs the patch on one node at a time. If there is an issue during the installation, the patch is automatically rolled back.
However, if there is an issue after the installation has completed, you can manually roll back the patch by clicking the 'Rollback' button. (Make sure to log in with the 'admin' account to roll back the patch.)