Hey
Today I was upgrading some ISE servers and thought I’d give you a skinny of what’s involved. It’s a fairly straightforward process, although a bit stressful, because you’re upgrading the RADIUS servers, so you wonder what new bugs the patch has and how many dot1x tickets Monday will bring you (spoonful? handful? boatload?). The important thing is: don’t sweat it. If I could do it, so can you.
1. Put the patch file on an FTP server. Create a user ftpuser with the password mypassword on the FTP server, with the correct access rights to the folder containing the patch.
2. Make sure that ISE can reach the FTP server. If necessary, open ports on any firewall in between ISE and the FTP server.
3. Log in to ISE via CLI (my preferred method).
4. Create a repo:
conf t
repo myrepo
url ftp://10.0.0.1//IOS
user ftpuser password plain mypassword
exit
5. Make sure you can see the repo on the ISE server:
show repo myrepo
6. If you see the files in the show repo output, it’s time to install the patch. First install the patch on the secondary admin/primary monitoring, then on the policy servers, and finally on the primary admin/secondary monitoring (this was my setup):
patch install <herenameofpatchfile> myrepo
The system will ask you if you want to continue (yes), then it will ask you to confirm that the MD5 matches the MD5 hash on the Cisco download center website (yes), then it will ask you to save the running config (yes).
Patching takes around 10 minutes + around 5 minutes for the reboot.
7. Make sure other systems can see the patched system in the GUI, and make sure that the application server is running with the command:
show application status ise
For example, here the application server is still initializing:
myise01/admin# show application status ise
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          4553
Database Server                        running          55 PROCESSES
Application Server                     initializing
Profiler Database                      running          5568
AD Connector                           running          8449
M&T Session Database                   running          4130
M&T Log Collector                      running          8340
M&T Log Processor                      running          8284
Certificate Authority Service          disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               disabled
myise/admin#
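If you'd rather not eyeball that output on every node, here is an added example (not from the original post and not Cisco code): a small Python parser for the status output above that lists which processes still block the node, so you know when it is safe to move on to the next server. The state keyword "not running" and all function names are assumptions of this example.

```python
import re

# "running", "initializing" and "disabled" appear in the output above;
# "not running" is an assumed additional state. Order matters for the regex.
STATES = ("not running", "running", "initializing", "disabled")
LINE_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<state>%s)(?:\s+(?P<pid>.+))?$"
                     % "|".join(STATES))

# Constructed sample: an excerpt of the output shown above.
SAMPLE = """\
myise01/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
--------------------------------------------------------------------
Database Listener running 4553
Database Server running 55 PROCESSES
Application Server initializing
Profiler Database running 5568
AD Connector running 8449
M&T Session Database running 4130
Certificate Authority Service disabled
pxGrid Controller disabled
myise/admin#
"""

def parse_status(text):
    """Return {process name: state}; prompt, header and rule lines are skipped."""
    status = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            status[m.group("name")] = m.group("state")
    return status

def blocking(text, required=("Application Server",)):
    """Processes that are neither running nor disabled, plus any required
    process that is missing or not running."""
    status = parse_status(text)
    bad = {n for n, s in status.items() if s not in ("running", "disabled")}
    bad.update(n for n in required if status.get(n) != "running")
    return sorted(bad)

def node_ready(text):
    """True only when nothing blocks the node."""
    return not blocking(text)

if __name__ == "__main__":
    print("ready" if node_ready(SAMPLE) else "wait for: %s" % blocking(SAMPLE))
```

Feed it the captured text of show application status ise from the freshly patched node; an empty or truncated capture counts as not ready because the Application Server line is missing.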
There’s a nice video on labminutes that shows all this: