Patching ISE in a distributed deployment

Hey

Today I was upgrading some ISE servers and thought I’d give you the skinny on what’s involved. It’s a fairly straightforward process, although a bit stressful, because you’re patching the RADIUS servers, so you wonder what new bugs the patch brings and how many dot1x tickets Monday will bring you (a spoonful? a handful? a boatload?). The important thing is: don’t sweat it. If I could do it, so can you.

  1. Put the patch file on an FTP server. Create a user ftpuser with the password mypassword on the FTP server, with the correct access rights to the folder that holds the patch.
  2. Make sure that ISE can reach the FTP server. If necessary, open ports on any firewall between ISE and the FTP server.
  3. Log in to ISE via the CLI (my preferred method).
  4. Create a repository:

conf t
repo myrepo
url ftp://10.0.0.1//IOS
user ftpuser password plain mypassword
exit

  5. Make sure you can see the repository from the ISE server:

show repo

  6. If you see the files in the show repo output, it’s time to install the patch. First install the patch on the secondary admin/primary monitoring node, then the policy service nodes, and finally the primary admin/secondary monitoring node (this was my setup):

patch install <patch-filename> myrepo

The system will ask you whether you want to continue (yes), then ask you to confirm that the MD5 hash it displays matches the MD5 hash shown on the Cisco download center website (yes), then ask you to save the running config (yes).

Patching takes around 10 minutes + around 5 minutes for the reboot.

  7. Make sure the other nodes can see the patched node in the GUI, and make sure that the application server is running, with the command:

show application status ise

For example, here the application server is still initializing:

myise01/admin# show application status ise

ISE PROCESS NAME STATE PROCESS ID
-------------------------------------------
Database Listener running 4553
Database Server running 55 PROCESSES
Application Server initializing
Profiler Database running 5568
AD Connector running 8449
M&T Session Database running 4130
M&T Log Collector running 8340
M&T Log Processor running 8284
Certificate Authority Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
Identity Mapping Service disabled

myise/admin#
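The two checks in steps 6 and 7 (confirming the patch hash and waiting for the Application Server to come back) are easy to get wrong by eye when you are doing several nodes in a row. The helper below is an added example, not code from the original post or from Cisco; it assumes you have the expected MD5 from the download center and that you paste or capture the text of show application status ise from each node. The sample status text is copied from the post's own output above; the "not running" state is assumed from the same command on other ISE nodes and does not appear in the post.

```python
"""Pre- and post-patch checks for a CLI patch run on Cisco ISE (added example)."""
import hashlib
import re

# Process states as printed by `show application status ise`.
# "not running" is assumed (seen on other ISE nodes); the rest are from the post.
_STATE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<state>running|initializing|disabled|not running)"
    r"(?:\s+(?P<detail>.+))?$"
)

# Sample output copied from the post: the node is still initializing after the patch.
SAMPLE_STATUS = """\
ISE PROCESS NAME STATE PROCESS ID
-------------------------------------------
Database Listener running 4553
Database Server running 55 PROCESSES
Application Server initializing
Profiler Database running 5568
AD Connector running 8449
M&T Session Database running 4130
M&T Log Collector running 8340
M&T Log Processor running 8284
Certificate Authority Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
Identity Mapping Service disabled
"""


def patch_hash_matches(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """True if `data` hashes to `expected_hex` (case-insensitive compare).

    The post checks MD5 because that is what `patch install` prompts for; pass
    algo="sha512" if you have the SHA-512 from the download page instead.
    """
    digest = hashlib.new(algo, data).hexdigest()
    return digest.lower() == expected_hex.strip().lower()


def file_hash_matches(path: str, expected_hex: str, algo: str = "md5") -> bool:
    """Same check for a patch file on disk, read in chunks (patch files are large)."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().lower() == expected_hex.strip().lower()


def parse_status(text: str) -> dict:
    """Map process name -> (state, detail) from `show application status ise` output.

    The header, the dashed ruler, the CLI prompt and blank lines are skipped.
    """
    processes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ISE PROCESS NAME") or set(line) <= {"-"}:
            continue
        m = _STATE_RE.match(line)
        if m:  # prompt lines such as "myise01/admin# ..." do not match and are dropped
            processes[m["name"]] = (m["state"], m["detail"])
    return processes


def node_ready(text: str) -> bool:
    """True once the Application Server reports 'running' (step 7 of the post)."""
    state, _ = parse_status(text).get("Application Server", ("missing", None))
    return state == "running"


def pending(text: str) -> list:
    """Processes that are still coming up or are down; 'disabled' is a normal state."""
    return sorted(
        name for name, (state, _) in parse_status(text).items()
        if state in ("initializing", "not running")
    )


if __name__ == "__main__":
    print("ready:", node_ready(SAMPLE_STATUS), "pending:", pending(SAMPLE_STATUS))
```

Run file_hash_matches against the patch file before it goes onto the FTP server and again against the value patch install prints; the file and the FTP credentials both cross the network in the clear, so the hash comparison is the only thing telling you the bits ISE installs are the ones Cisco published. After the reboot, feed the captured status text to node_ready before moving on to the next node in the order given in step 6.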

There’s a nice video on labminutes that shows all this:
