Cisco ISE software patches

Cisco ISE software patches are always cumulative. Cisco ISE allows you to perform patch installation and rollback from CLI or GUI.

You can install patches on Cisco ISE servers in your deployment from the Primary PAN. To install a patch from the Primary PAN, you must download the patch from Cisco.com to the system that runs your client browser.

If you install the patch using the GUI, the system installs the patch on the Primary PAN first. The system then installs the patch on the remaining nodes in the deployment in the order shown in the GUI. You cannot change the update order. You can also manually install patches, roll back patches, and view patch versions. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management.

When you install the patch from the CLI, you can control the update order for the nodes. However, we recommend installing the patch on the Primary PAN first. The installation order for the other nodes does not matter. You can install the patch on multiple nodes at the same time to speed up the process.

To validate the patch on specific nodes before upgrading the entire deployment, use the CLI to install the patch on those nodes.
patch install <patch_bundle> <repository_that_stores_patch_file>

For more information, see the "Install Patch" section in the "Cisco ISE CLI Commands in EXEC Mode" chapter in Cisco Identity Services Engine CLI Reference Guide.

You can install the required patch version directly. For example, if you are using Cisco ISE release 2.x and want to install patch 5, you can install patch 5 without installing patches 1 through 4.

To view the current patch version in the CLI, use this command:
show version

Software patch installation guidelines

When you install a patch on a Cisco ISE node, the node is rebooted after the installation is complete. You might have to wait for a few minutes before you can log in again. You can schedule patch installations during a maintenance window to avoid temporary outage.

Ensure that you install patches that are applicable for the Cisco ISE version that is deployed in your network. Cisco ISE reports any mismatch in versions as well as any errors in the patch file.

You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco ISE. Similarly, you cannot roll back changes of a lower-version patch if a higher version is currently installed on Cisco ISE. For example, if patch 3 is installed on your Cisco ISE servers, you cannot install or roll back patch 1 or 2.

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.

When you install a patch from the Primary PAN that is part of a two-node deployment, Cisco ISE installs the patch on the primary node and then on the secondary node. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary node. If it fails on the Primary PAN, the installation does not proceed to the secondary node.
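The version and ordering rules above (cumulative patches, no install or rollback of a patch lower than the one installed, PAN first with PAN failure aborting the run and secondary failures not aborting it) can be checked before touching a deployment. The following pre-check helper is an added example, not Cisco code; the show version sample is constructed and its field layout is an assumption.

```python
"""Pre-check helper for Cisco ISE patch install/rollback (added example, not Cisco code).

Encodes the guidelines from this page: patches are cumulative, a patch lower than
the installed one can neither be installed nor rolled back, and a deployment-wide
operation runs on the Primary PAN first, aborts if the PAN fails, and continues
past failures on secondary nodes. SAMPLE_SHOW_VERSION is a constructed sample;
its field layout is an assumption, not a captured ISE session.
"""
import re

SAMPLE_SHOW_VERSION = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 3.1.0.518
Build Date   : Tue Aug 10 12:00:00 2021
Install Date : Mon Jan 03 09:15:00 2022

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 3
Install Date : Fri Feb 04 08:30:00 2022
"""

def parse_show_version(text):
    """Return (release, installed_patch); patch is 0 when no patch section is present."""
    versions = re.findall(r"^Version\s*:\s*(\S+)", text, re.MULTILINE)
    release = versions[0] if versions else None
    patch = int(versions[1]) if len(versions) > 1 else 0
    return release, patch

def check_patch_action(installed, target, action):
    """Apply the page's version rules; return (allowed, reason)."""
    if action == "install":
        if target <= installed:
            return False, f"patch {target} is not newer than installed patch {installed}"
        return True, f"install patch {target} directly (cumulative; intermediate patches not needed)"
    if action == "rollback":
        if target != installed:
            return False, f"only the installed patch ({installed}) can be rolled back"
        return True, f"roll back patch {target}"
    raise ValueError(f"unknown action: {action}")

def run_on_deployment(nodes, results):
    """Simulate the deployment order: PAN first; PAN failure aborts, secondary failures do not.
    nodes: list whose first element is the Primary PAN; results: node -> bool outcome."""
    log = []
    pan, secondaries = nodes[0], nodes[1:]
    log.append((pan, results[pan]))
    if not results[pan]:
        return log  # nothing further is attempted when the PAN fails
    for node in secondaries:
        log.append((node, results[node]))  # a failure here does not stop the run
    return log
```

Feed the real show version output of each node into parse_show_version and run check_patch_action before issuing patch install or a rollback, so mismatched patch levels are caught before the node reboot.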

Install a software patch

Before you begin

  • You must have the Super Admin or System Admin administrator role assigned.

  • In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Deployment > PAN Failover, and ensure that the Enable PAN Auto Failover check box is unchecked. The PAN auto-failover configuration must remain disabled for the duration of this task.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management > Install.

Step 2

Click Browse and choose the patch that you downloaded from Cisco.com.

Step 3

Click Install to install the patch.

After the patch is installed on the PAN, Cisco ISE logs you out and you have to wait for a few minutes before you can log in again.

Note

When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

Step 4

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.

Step 5

Click the radio button next to the patch that you have installed and click Show Node Status to verify whether installation is complete.


Roll back software patches

When you roll back a patch from the PAN in a deployment with multiple nodes, Cisco ISE rolls back the patch on the primary node and then on all the secondary nodes in the deployment.

Before you begin

  • Make sure you are assigned either the Super Admin or System Admin role.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management.

Step 2

Select the patch version that you want to roll back, then click Rollback.

Note

When a patch rollback is in progress, only the Show Node Status function is accessible on the Patch Management page.

After Cisco ISE rolls back the patch from the PAN, you are logged out. Wait a few minutes before you log in again.

Step 3

After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.

Step 4

To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.

Step 5

Select the patch and click Show Node Status on a secondary node to ensure the patch is rolled back from all nodes in your deployment.

If the patch is not rolled back from any secondary node, ensure the node is operational. Repeat this process to roll back changes from any remaining nodes. Cisco ISE rolls back the patch only from nodes that still have this version of the patch installed.


Software patch rollback guidelines

To roll back a patch from Cisco ISE nodes in a deployment, you must first roll back the change from the PAN. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the PAN, the patches are not rolled back from the secondary nodes. However, if the patch rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in your deployment.

While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.

View patch installation and rollback changes

To view reports for installed patches, follow these steps.

Before you begin

You must have either the Super Admin or System Admin administrator role assigned. You install or roll back patches in the Patch Management window: in the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management. You can view the status (installed, in progress, or not installed) for each node by selecting a patch and clicking Show Node Status.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Operations > Reports > Audit > Operations Audit. By default, records for the last seven days are displayed.

Step 2

Click the Filter drop-down, and choose either Quick Filter or Advanced Filter. Use the required keyword (for example, 'patch install initiated') to generate a report containing the installed patches.