First Published: October 20, 2022

Cisco ISE Software Patches

Cisco ISE software patches are always cumulative. Cisco ISE allows you to perform patch installation and rollback from CLI or GUI.

You can install patches on Cisco ISE servers in your deployment from the Primary PAN. To install a patch from the Primary PAN, you must download the patch from Cisco.com to the system that runs your client browser.

If you are installing the patch from the GUI, the patch is automatically installed on the Primary PAN first. The system then installs the patch on the other nodes in the deployment in the order listed in the GUI. You cannot control the order in which the nodes are updated. You can also manually install, roll back, and view patch version. In the Cisco ISE GUI, click the Menu icon () and choose Administrator > System > Maintenance > Patch management.

If you are installing the patch from the CLI, you can control the order in which the nodes are updated. However, we recommend that you install the patch on the Primary PAN first. The order of installation on the rest of the nodes is irrelevant. You can install the patch on multiple nodes simultaneously, to speed up the process.

If you want to validate the patch on some of the nodes before upgrading the entire deployment, you can use the CLI to install the patch on selected nodes. Use the following CLI command to install the patch:
patch install <patch_bundle> <repository_that_stores_patch_file>

For more information, see the "install Patch" section in the "Cisco ISE CLI Commands in EXEC Mode" chapter in Cisco Identity Services Engine CLI Reference Guide.

You can install the required patch version directly. For example, if you are currently using Cisco ISE 2.x and would like to install Cisco ISE 2.x patch 5, you can directly install Cisco ISE 2.x patch 5, without installing the previous patches (in this example, Cisco ISE 2.x patches 1 – 4). To view the patch version in the CLI, use the following CLI command:
show version

Software Patch Installation Guidelines

When you install a patch on an ISE node, the node is rebooted after the installation is complete. You might have to wait for a few minutes before you can log in again. You can schedule patch installations during a maintenance window to avoid temporary outage.

Ensure that you install patches that are applicable for the Cisco ISE version that is deployed in your network. Cisco ISE reports any mismatch in versions as well as any errors in the patch file.

You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco ISE. Similarly, you cannot roll back changes of a lower-version patch if a higher version is currently installed on Cisco ISE. For example, if patch 3 is installed on your Cisco ISE servers, you cannot install or roll back patch 1 or 2.

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.

When you install a patch from the Primary PAN that is part of a two-node deployment, Cisco installs the patch on the primary node and then on the secondary node. If the patch installation is successful on the Primary PAN, Cisco then continues patch installation on the secondary node. If it fails on the Primary PAN, the installation does not proceed to the secondary node.

Install a Software Patch

Before you begin

  • You must have the Super Admin or System Admin administrator role assigned.

  • In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Deployment > PAN Failover, and ensure that the Enable PAN Auto Failover check box is unchecked. The PAN auto-failover configuration must be disabled for the duration of this task.

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Maintenance > Patch Management > Install.

Step 2

Click Browse and choose the patch that you downloaded from Cisco.com.

Step 3

Click Install to install the patch.

After the patch is installed on the PAN, Cisco ISE logs you out and you have to wait for a few minutes before you can log in again.

Note 

When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

Step 4

In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.

Step 5

Click the radio button next to the patch that you have installed and click Show Node Status to verify whether installation is complete.

Roll Back Software Patches

When you roll back a patch from the PAN that is part of a deployment with multiple nodes, Cisco ISE rolls back the patch on the primary node and then all the secondary nodes in the deployment.

Before you begin

  • You must have either the Super Admin or System Admin administrator role assigned.

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon () and chooseAdministration > System > Maintenance > Patch Management.

Step 2

Click the radio button for the patch version whose changes you want to roll back and click Rollback.

Note 

When a patch rollback is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

After the patch is rolled back from the PAN, Cisco ISE logs you out and you have to wait a few minutes before you can log in again.

Step 3

After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.

Step 4

To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.

Step 5

Click the radio button for the patch and click Show Node Status on a secondary node to ensure that the patch is rolled back from all the nodes in your deployment.

If the patch is not rolled back from any of the secondary nodes, ensure that the node is up and repeat the process to roll back the changes from the remaining nodes. Cisco ISE only rolls back the patch from the nodes that still have this version of the patch installed.

Software Patch Rollback Guidelines

To roll back a patch from Cisco ISE nodes in a deployment, you must first roll back the change from the PAN. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the PAN, the patches are not rolled back from the secondary nodes. However, if the patch rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in your deployment.

While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.

View Patch Install and Rollback Changes

To view reports related to installed patches, perform the following steps.

Before you begin

You must have either the Super Admin or System Admin administrator role assigned. You can install or rollback patches In the Cisco ISE GUI, click the Menu icon () and choose Administration > System > Maintenance > Patch Management window. You can also view the status (installed/in-progress/not installed) of a particular patch on each node in the deployment, by selecting a specific patch and clicking the Show Node Status button.

Procedure

Step 1

In the Cisco ISE GUI, click the Menu icon () and choose Operations > Reports > Audit > Operations Audit. By default, records for the last seven days are displayed.
Step 2

Click the Filter drop-down, and choose Quick Filter or Advanced Filter and use the required keyword, for example, patch install iniated, to generate a report containing the installed patches.