Cisco Software Patches

Cisco ISE software patches are always cumulative. Cisco ISE allows you to perform patch installation and rollback from the CLI or the GUI.

You can install patches on Cisco ISE servers in your deployment from the Primary PAN. To install a patch from the Primary PAN, you must first download the patch from Cisco.com to the system that runs your client browser.

If you want to validate the patch on some of the nodes before upgrading the entire deployment, you can use the CLI to install the patch on selected nodes. Use the following CLI command to install the patch:
patch install <patch_bundle> <repository_that_stores_patch_file>

For more information, see the "install Patch" section in the "Cisco ISE CLI Commands in EXEC Mode" chapter in Cisco Identity Services Engine CLI Reference Guide.

You can install the required patch version directly. For example, if you are currently using Cisco ISE 2.x and would like to install Cisco ISE 2.x patch 5, you can directly install Cisco ISE 2.x patch 5, without installing the previous patches (in this example, Cisco ISE 2.x patches 1 – 4). To view the patch version in the CLI, use the following CLI command:
show version

Software Patch Installation Guidelines

When you install a patch on an ISE node, the node is rebooted after the installation is complete. You might have to wait for a few minutes before you can log in again. You can schedule patch installations during a maintenance window to avoid temporary outage.

Ensure that you install patches that are applicable to the Cisco ISE version that is deployed in your network. Cisco ISE reports any mismatch in versions as well as any errors in the patch file.

You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco ISE. Similarly, you cannot roll back the changes of a lower-version patch if a higher version is currently installed on Cisco ISE. For example, if patch 3 is installed on your Cisco ISE servers, you cannot install or roll back patch 1 or 2.

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.

When you install a patch from the Primary PAN that is part of a two-node deployment, Cisco ISE installs the patch on the primary node and then on the secondary node. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary node. If it fails on the Primary PAN, the installation does not proceed to the secondary node.

Install a Software Patch

Note

Cisco ISE allows you to install a patch on an Inline Posture node only through the CLI.

Before you begin

  • You must have the Super Admin or System Admin administrator role assigned.

  • Go to Administration > System > Deployment > PAN Failover, and ensure that the Enable PAN Auto Failover check box is unchecked. The PAN auto-failover configuration must be disabled for the duration of this task.

Procedure


Step 1

Choose Administration > System > Maintenance > Patch Management > Install.

Step 2

Click Browse and choose the patch that you downloaded from Cisco.com.

Step 3

Click Install to install the patch.

After the patch is installed on the PAN, Cisco ISE logs you out and you have to wait for a few minutes before you can log in again.

Note

When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

Step 4

Choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.

Step 5

Click the radio button next to the patch that you have installed on any secondary node and click Show Node Status to verify whether installation is complete.


What to do next

If you need to install the patch on one or more secondary nodes, ensure that the nodes are up and repeat the process to install the patch on the remaining nodes.

Roll Back Software Patches

When you roll back a patch from the PAN that is part of a deployment with multiple nodes, Cisco ISE rolls back the patch on the primary node and then on all the secondary nodes in the deployment.

Before you begin

  • You must have either the Super Admin or System Admin administrator role assigned.

Procedure


Step 1

Choose Administration > System > Maintenance > Patch Management.

Step 2

Click the radio button for the patch version whose changes you want to roll back and click Rollback.

Note

When a patch rollback is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

After the patch is rolled back from the PAN, Cisco ISE logs you out and you have to wait a few minutes before you can log in again.

Step 3

After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.

Step 4

To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.

Step 5

Click the radio button for the patch and click Show Node Status on a secondary node to ensure that the patch is rolled back from all the nodes in your deployment.

If the patch is not rolled back from any of the secondary nodes, ensure that the node is up and repeat the process to roll back the changes from the remaining nodes. Cisco ISE rolls back the patch only from the nodes that still have this version of the patch installed.


Software Patch Rollback Guidelines

To roll back a patch from Cisco ISE nodes in a deployment, you must first roll back the change from the PAN. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the PAN, the patches are not rolled back from the secondary nodes. However, if the patch rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in your deployment.

While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.
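The ordering and failure rules stated in the installation guidelines and the rollback guidelines above (PAN first, stop if the PAN fails, continue past a failed secondary, no installing or rolling back a patch lower than the one installed, and roll back only from nodes that still have that patch) are easy to misremember during a maintenance window. The following is an added example, not Cisco's code and not the ISE CLI: it models those rules as a small simulation so that the outcome of a partial rollout (a mixed-level deployment that Show Node Status would reveal) can be seen before touching real nodes. The node names, patch levels, injected failures, and the assumption that rolling back a patch restores the previously installed level are all constructed for illustration.

```python
"""Added example, not Cisco's code: a model of the Cisco ISE patch install
and rollback ordering rules. Node names, patch levels and failures are
constructed for the simulation."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    role: str                                    # "primary" (PAN) or "secondary"
    history: list = field(default_factory=list)  # installed patch levels, oldest first
    up: bool = True                              # reachable; docs say bring it up and retry

    @property
    def patch(self) -> int:
        """Highest cumulative patch currently installed (0 = none)."""
        return self.history[-1] if self.history else 0


def _ordered(nodes):
    """Split the deployment into the single PAN and the secondaries (PAN goes first)."""
    primary = [n for n in nodes if n.role == "primary"]
    secondaries = [n for n in nodes if n.role != "primary"]
    if len(primary) != 1:
        raise ValueError("deployment must have exactly one primary PAN")
    return primary[0], secondaries


def _run(nodes, attempt):
    """PAN first; a PAN failure stops the rollout, a secondary failure does not."""
    pan, secondaries = _ordered(nodes)
    status = {pan.name: attempt(pan)}
    if status[pan.name] == "failed":
        for n in secondaries:
            status[n.name] = "not attempted"
        return status
    for n in secondaries:
        status[n.name] = attempt(n)
    return status


def install_patch(nodes, patch, fail_on=frozenset()):
    """Install cumulative patch `patch`; reject a level lower than the PAN's.
    `fail_on` is a constructed set of node names that are made to fail."""
    pan, _ = _ordered(nodes)
    if patch < pan.patch:
        raise ValueError(f"patch {patch} is lower than installed patch {pan.patch}")

    def attempt(node):
        if not node.up or node.name in fail_on:
            return "failed"
        if node.patch >= patch:
            return "nothing to do"      # assumption: same level again is a no-op
        node.history.append(patch)
        return "installed"

    return _run(nodes, attempt)


def rollback_patch(nodes, patch, fail_on=frozenset()):
    """Roll back `patch`; only the highest installed level can be rolled back,
    and only nodes that still have that level installed are touched."""
    pan, _ = _ordered(nodes)
    if patch < pan.patch:
        raise ValueError(f"cannot roll back patch {patch}: patch {pan.patch} is installed")

    def attempt(node):
        if node.patch != patch:
            return "skipped"            # node no longer at that level
        if not node.up or node.name in fail_on:
            return "failed"
        node.history.pop()              # assumption: rollback restores the previous level
        return "rolled back"

    return _run(nodes, attempt)


def mismatched_nodes(nodes):
    """Secondaries whose patch level differs from the PAN's: the nodes a
    Show Node Status check would flag and the task must be repeated on."""
    pan, secondaries = _ordered(nodes)
    return [n.name for n in secondaries if n.patch != pan.patch]


def demo():
    """Constructed deployment: PAN and two PSNs at patch 3, one PSN down."""
    nodes = [Node("pan", "primary", [3]),
             Node("psn1", "secondary", [3]),
             Node("psn2", "secondary", [3], up=False)]
    first = install_patch(nodes, 5, fail_on={"psn1"})   # psn2 still attempted after psn1 fails
    leftover = mismatched_nodes(nodes)                   # ['psn1', 'psn2']
    nodes[2].up = True
    retry = install_patch(nodes, 5)                      # PAN untouched, PSNs catch up
    return first, leftover, retry, mismatched_nodes(nodes)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the documented behaviour end to end: the PAN is patched, the failed and unreachable secondaries are left at the old level, `mismatched_nodes` lists exactly those two, and a second run after the node is back up brings them to the PAN's level without reinstalling on the PAN.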

View Patch Install and Rollback Changes

The monitoring and troubleshooting component of Cisco ISE provides information on the patch installation and rollback operations that are performed on your Cisco ISE nodes according to a time period that you specify.

Before you begin

You must have either the Super Admin or System Admin administrator role assigned.

Procedure


Step 1

Choose Operations > Reports > Catalog > Server Instance.

Step 2

Click the Server Operations Audit radio button, click Run, and choose the time period for which you want to generate the report.

Step 3

Click the Launch Interactive Viewer link in the upper right corner of the page to view, sort, and filter the data in this report.