Cisco ISE Software Patches
Cisco ISE software patches are always cumulative. Cisco ISE allows you to perform patch installation and rollback from the CLI or GUI.
You can install patches on Cisco ISE servers in your deployment from the Primary PAN. To install a patch from the Primary PAN, you must download the patch from Cisco.com to the system that runs your client browser.
patch install <patch_bundle> <repository_that_stores_patch_file>
For more information, see the "install Patch" section in the "Cisco ISE CLI Commands in EXEC Mode" chapter in Cisco Identity Services Engine CLI Reference Guide.
show version
Software Patch Installation Guidelines
When you install a patch on an ISE node, the node is rebooted after the installation is complete. You might have to wait for a few minutes before you can log in again. You can schedule patch installations during a maintenance window to avoid a temporary outage.
Ensure that you install patches that are applicable for the Cisco ISE version that is deployed in your network. Cisco ISE reports any mismatch in versions as well as any errors in the patch file.
You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco ISE. Similarly, you cannot roll back changes of a lower-version patch if a higher version is currently installed on Cisco ISE. For example, if patch 3 is installed on your Cisco ISE servers, you cannot install or roll back patch 1 or 2.
When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.
When you install a patch from the Primary PAN that is part of a two-node deployment, Cisco ISE installs the patch on the primary node and then on the secondary node. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary node. If it fails on the Primary PAN, the installation does not proceed to the secondary node.
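Because a failed installation on one secondary node does not stop the rollout to the next, a deployment can end up with nodes at different patch levels. The following Python code is an added example, not part of the original guide or Cisco's own tooling: it compares show version text captured from each node against the PAN and lists the nodes that have drifted. The capture layout, hostnames and version values are constructed assumptions.

```python
import re

BASE_RE = re.compile(r"Identity Services Engine\s*\n-+\s*\nVersion\s*:\s*([\d.]+)")
PATCH_RE = re.compile(r"Identity Services Engine Patch\s*\n-+\s*\nVersion\s*:\s*(\d+)")

def parse_version(text):
    """Return (base_version, highest_patch); patch 0 means no patch section found."""
    base = BASE_RE.search(text)
    patches = [int(p) for p in PATCH_RE.findall(text)]
    # Patches are cumulative, so only the highest installed number matters.
    return (base.group(1) if base else None, max(patches, default=0))

def find_drift(captures, pan):
    """Map each node that does not match the PAN's base version and patch to a reason."""
    pan_base, pan_patch = parse_version(captures[pan])
    drift = {}
    for node, text in captures.items():
        base, patch = parse_version(text)
        if base != pan_base:
            drift[node] = f"base version {base}, PAN has {pan_base}"
        elif patch != pan_patch:
            drift[node] = f"patch {patch}, PAN has patch {pan_patch}"
    return drift

def _capture(base, patches):
    """Build constructed `show version` text; the layout is an assumption."""
    rule = "-" * 45
    out = f"Cisco Identity Services Engine\n{rule}\nVersion      : {base}\n"
    for p in patches:
        out += f"\nCisco Identity Services Engine Patch\n{rule}\nVersion      : {p}\n"
    return out

# Constructed captures, one per node (hostnames and versions are hypothetical).
SAMPLE = {
    "pan-1": _capture("2.4.0.357", [1, 3]),
    "psn-1": _capture("2.4.0.357", [1, 3]),
    "psn-2": _capture("2.4.0.357", [1]),  # installation failed here; later nodes continued
    "psn-3": _capture("2.4.0.357", []),   # node was down and never patched
}

if __name__ == "__main__":
    for node, reason in sorted(find_drift(SAMPLE, "pan-1").items()):
        print(f"{node}: {reason}")
```

Nodes reported here are the ones to bring up and patch again, as described under "What to do next".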
Install a Software Patch
Note: Cisco ISE allows you to install a patch on an Inline Posture node only through the CLI.
Before you begin
- You must have the Super Admin or System Admin administrator role assigned.
- Ensure that the Enable PAN Auto Failover check box is unchecked. The PAN auto-failover configuration must be disabled for the duration of this task.
Procedure
Step 1: Choose > Install.
Step 2: Click Browse and choose the patch that you downloaded from Cisco.com.
Step 3: Click Install to install the patch. After the patch is installed on the PAN, Cisco ISE logs you out and you have to wait for a few minutes before you can log in again.
Step 4: Choose to return to the Patch Installation page.
Step 5: Click the radio button next to the patch that you have installed on any secondary node and click Show Node Status to verify whether installation is complete.
What to do next
If you need to install the patch on one or more secondary nodes, ensure that the nodes are up and repeat the process to install the patch on the remaining nodes.
Roll Back Software Patches
When you roll back a patch from the PAN that is part of a deployment with multiple nodes, Cisco ISE rolls back the patch on the primary node and then all the secondary nodes in the deployment.
Before you begin
- You must have either the Super Admin or System Admin administrator role assigned.
Procedure
Step 1: Choose .
Step 2: Click the radio button for the patch version whose changes you want to roll back and click Rollback.
Step 3: After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.
Step 4: To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.
Step 5: Click the radio button for the patch and click Show Node Status on a secondary node to ensure that the patch is rolled back from all the nodes in your deployment. If the patch is not rolled back from any of the secondary nodes, ensure that the node is up and repeat the process to roll back the changes from the remaining nodes. Cisco ISE only rolls back the patch from the nodes that still have this version of the patch installed.
Software Patch Rollback Guidelines
To roll back a patch from Cisco ISE nodes in a deployment, you must first roll back the change from the PAN. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the PAN, the patches are not rolled back from the secondary nodes. However, if the patch rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in your deployment.
While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.
View Patch Install and Rollback Changes
The monitoring and troubleshooting component of Cisco ISE provides information on the patch installation and rollback operations that are performed on your Cisco ISE nodes according to a time period that you specify.
Before you begin
You must have either the Super Admin or System Admin administrator role assigned.
Procedure
Step 1: Choose .
Step 2: Click the Server Operations Audit radio button, click Run, and choose the time period for which you want to generate the report.
Step 3: Click the Launch Interactive Viewer link in the upper right corner of the page to view, sort, and filter the data in this report.