Install Latest Patch

Cisco ISE software patches

Cisco ISE software patches are always cumulative. You can perform patch installation and rollback using these options:

  • Patch installation from Primary PAN: Patches are installed on Cisco ISE servers in your deployment starting from the Primary PAN. To install a patch from the Primary PAN, download the patch file from Cisco.com to the system running your client browser.

  • Patch installation using the GUI: When installing a patch using the GUI, the system installs the patch on the Primary PAN first. It then installs the patch on the remaining nodes in the deployment following the order displayed in the GUI, which cannot be changed. You can also manually install patches, roll back patches, and view patch versions by navigating to this path in the Cisco ISE GUI:

    Administration > System > Maintenance > Patch Management

  • Using the CLI: Installing patches from the CLI lets you control the order in which nodes are updated. Install the patch on the Primary PAN first; the order of the remaining nodes is up to you, and you can patch several nodes at the same time to shorten the maintenance window. To validate a patch on specific nodes before patching the rest of the deployment, use the CLI command:

    patch install <patch_bundle> <repository_that_stores_patch_file>

For more information, see "Install Patch" in the "Cisco ISE CLI Commands in EXEC Mode" chapter in the Cisco ISE CLI Reference Guide, Release 3.3.

You can install the required patch version directly. For example, if you are using Cisco ISE release 3.x and want to install patch 5, you can install patch 5 without installing patches 1 through 4.

To view the current patch version in the CLI, use this command:

show version

Software patch installation guidelines

Follow these guidelines while installing software patches:
  • When you install a patch on a Cisco ISE node, the node will reboot after the installation completes. You may need to wait a few minutes before you can log in again. Schedule patch installations during maintenance windows to minimize service disruption.

  • Ensure that the patch you install is compatible with the Cisco ISE version deployed in your network. Cisco ISE will report any version mismatches or errors in the patch file.

  • You cannot install a patch with a version lower than the currently installed patch on Cisco ISE. Similarly, rolling back to a lower-version patch is not allowed if a higher version is installed. For example, if patch 3 is installed, you cannot install or roll back to patch 1 or 2.

  • In a distributed deployment, when installing a patch from the Primary PAN, Cisco ISE installs the patch on the primary node first, then proceeds to the secondary nodes. If the patch installation succeeds on the Primary PAN, the process continues on the secondary nodes. If it fails on the Primary PAN, installation does not proceed to secondary nodes. If installation fails on any secondary node, the process continues with the next secondary node.

  • In a two-node deployment, Cisco ISE installs the patch from the Primary PAN on the primary node first and then on the secondary node. If installation fails on the Primary PAN, it does not proceed to the secondary node.
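The guidelines above can be checked before anything is pushed. The following is an added example, not code from Cisco ISE or its documentation: a Python pre-flight check that reads `show version` output captured from each node, extracts the application version and the highest installed patch, and applies the rules above (the bundle must match the installed base version, a lower patch is never installed over a higher one, the Primary PAN goes first, and nothing goes to secondary nodes if the PAN itself cannot take the bundle). The hostnames, roles, dates and patch bundle file name are constructed placeholders, the transcripts are hand-written in the layout `show version` prints rather than captured from a real deployment, and the role labels PPAN/SPAN/PSN are this script's own convention.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Bundle names follow ise-patchbundle-<base version>-Patch<N>-<build>.SPA.tar.gz
BUNDLE_RE = re.compile(r"ise-patchbundle-(\d+(?:\.\d+)+)-Patch(\d+)-")
# `show version` prints one block for the application and one per installed patch
BASE_RE = re.compile(r"Cisco Identity Services Engine\n-+\nVersion\s*:\s*(\S+)")
PATCH_RE = re.compile(r"Cisco Identity Services Engine Patch\n-+\nVersion\s*:\s*(\d+)")


@dataclass
class NodeState:
    base: str   # application version, e.g. 3.3.0.430
    patch: int  # highest installed patch number, 0 if none


@dataclass
class Plan:
    order: List[str] = field(default_factory=list)        # nodes to patch, Primary PAN first
    skipped: List[str] = field(default_factory=list)      # already at the target patch
    errors: Dict[str, str] = field(default_factory=dict)  # node -> why it cannot take the bundle
    blocked: Optional[str] = None                         # set when the Primary PAN is in errors


def parse_show_version(text: str) -> NodeState:
    text = text.replace("\r\n", "\n")
    m = BASE_RE.search(text)
    if not m:
        raise ValueError("no Cisco ISE application version found in transcript")
    patches = [int(p) for p in PATCH_RE.findall(text)]
    return NodeState(base=m.group(1), patch=max(patches, default=0))


def parse_bundle_name(name: str) -> Tuple[str, int]:
    m = BUNDLE_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised patch bundle name: {name}")
    return m.group(1), int(m.group(2))


def plan_install(nodes: Dict[str, Tuple[str, str]], bundle: str) -> Plan:
    """nodes maps hostname -> (role, show-version text); role 'PPAN' marks the Primary PAN."""
    base, target = parse_bundle_name(bundle)
    plan = Plan()
    # Primary PAN first; the other nodes keep their given order (sorted() is stable).
    for name in sorted(nodes, key=lambda n: 0 if nodes[n][0] == "PPAN" else 1):
        state = parse_show_version(nodes[name][1])
        if state.base != base:
            plan.errors[name] = f"runs {state.base}, bundle is for {base}"
        elif state.patch > target:
            plan.errors[name] = f"patch {state.patch} installed; patch {target} would be a downgrade"
        elif state.patch == target:
            plan.skipped.append(name)
        else:
            plan.order.append(name)
    pans = [n for n, (role, _) in nodes.items() if role == "PPAN"]
    if pans and pans[0] in plan.errors:
        # Deployment rule: nothing goes to the secondaries when the PAN cannot be patched.
        plan.blocked = f"Primary PAN {pans[0]}: {plan.errors[pans[0]]}"
        plan.order = []
    return plan


def show_version_sample(hostname: str, base: str, patch: int) -> str:
    """Constructed transcript in the layout the ISE CLI prints; dates are placeholders."""
    text = (
        f"Cisco Application Deployment Engine OS Release: {base.rsplit('.', 2)[0]}\n"
        f"ADE-OS Build Version: {base}\nHostname: {hostname}\n\n"
        "Version information of installed applications\n"
        "---------------------------------------------\n\n"
        "Cisco Identity Services Engine\n"
        "---------------------------------------------\n"
        f"Version      : {base}\nBuild Date   : Fri Sep 22 03:37:21 2023\n"
        "Install Date : Mon Jan 15 10:02:11 2024\n"
    )
    if patch:
        text += (
            "\nCisco Identity Services Engine Patch\n"
            "---------------------------------------------\n"
            f"Version      : {patch}\nInstall Date : Tue Mar 12 21:14:05 2024\n"
        )
    return text


# Constructed deployment: hostname -> (role, captured `show version` text)
TARGET_BUNDLE = "ise-patchbundle-3.3.0.430-Patch3-24050112.SPA.tar.gz"  # placeholder name
NODES = {
    "ise-pan-1": ("PPAN", show_version_sample("ise-pan-1", "3.3.0.430", 2)),
    "ise-pan-2": ("SPAN", show_version_sample("ise-pan-2", "3.3.0.430", 2)),
    "ise-psn-1": ("PSN", show_version_sample("ise-psn-1", "3.3.0.430", 3)),  # validated via CLI already
    "ise-psn-2": ("PSN", show_version_sample("ise-psn-2", "3.2.0.542", 0)),  # never brought to 3.3
}

if __name__ == "__main__":
    plan = plan_install(NODES, TARGET_BUNDLE)
    print("install order:", plan.order)
    print("already at target:", plan.skipped)
    for node, why in plan.errors.items():
        print(f"error {node}: {why}")
    if plan.blocked:
        print("BLOCKED:", plan.blocked)
```

With the constructed data the plan patches ise-pan-1 then ise-pan-2, skips ise-psn-1 (it already carries patch 3 from a CLI validation install) and reports ise-psn-2 as unpatchable because it runs a different base version; point the same bundle at a patch 1 file name and every node is rejected, with the Primary PAN's rejection blocking the whole plan.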

Install a software patch

Before you begin

  • You must be assigned the Super Admin or System Admin role.

  • The PAN auto-failover configuration must be disabled for the duration of this task. The PAN reboots when its patch completes, and auto-failover must not treat that reboot as a PAN outage and promote the secondary PAN in the middle of the operation.

    To disable this setting, complete these steps:
    1. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Deployment > PAN Failover.

    2. Uncheck the Enable PAN Auto Failover check box.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management > Install.

Step 2

Click Browse and choose the patch that you downloaded from Cisco.com.

Step 3

Click Install to install the patch.

After the patch is installed on the PAN, Cisco ISE logs you out. You must wait a few minutes before logging in again.

When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

Step 4

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.

Step 5

Click the radio button next to the patch that you have installed. Click Show Node Status to verify installation is complete.


Roll back software patches

When you roll back a patch from the PAN in a deployment with multiple nodes, Cisco ISE rolls back the patch on the primary node first and then on each secondary node in the deployment.

Before you begin

  • You must be assigned the Super Admin or System Admin role.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management.

Step 2

Select the patch version to roll back and then click Rollback.

When a patch rollback is in progress, only the Show Node Status function is accessible on the Patch Management page.

Cisco ISE logs you out after the patch is rolled back from the PAN. Wait a few minutes before you log in again.

Step 3

After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.

Step 4

To view the progress of the patch rollback, choose the patch on the Patch Management page and click Show Node Status.

Step 5

Select the patch and click Show Node Status on a secondary node to ensure the patch is rolled back from all nodes in your deployment.

If the patch is not rolled back from any secondary node, ensure the node is operational. Repeat this process to roll back changes from any remaining nodes. Cisco ISE rolls back the patch only from nodes that still have this version of the patch installed.


Software patch rollback guidelines

When you roll back a patch from the nodes in a deployment, Cisco ISE applies these rules:
  • The patch is rolled back from the PAN first.

  • If the rollback on the PAN succeeds, the patch is rolled back from the secondary nodes.

  • If the rollback fails on the PAN, the patch is not rolled back from the secondary nodes.

  • If the rollback fails on a secondary node, rollback continues with the next secondary node in the deployment.

While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.
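The install guidelines earlier on this page and the rollback rules above share one ordering and failure model: Primary PAN first, stop if the PAN fails, keep going past a failed secondary, and on rollback touch only nodes that still carry that patch. The following is an added example, not Cisco code, of a rollout driver that encodes those rules so a CLI-driven rollout or rollback can be re-run safely after a partial failure. The executor is simulated so the script runs offline; a real driver would run the `patch install` command (and the corresponding rollback command) on each node in this order. The hostnames are constructed, and the assumption that rolling back a patch leaves the highest remaining previously installed patch as the node's current level is this script's own model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Report:
    op: str
    attempted: List[str] = field(default_factory=list)
    succeeded: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)
    skipped: Dict[str, str] = field(default_factory=dict)  # node -> why nothing was done
    aborted_on_pan: bool = False


def needed(op: str, installed: List[int], patch: int) -> Tuple[bool, str]:
    """Decide whether `op` ('install' or 'rollback') of `patch` applies to one node.
    `installed` lists the patch numbers currently present on that node."""
    level = max(installed, default=0)
    if op == "install":
        if level > patch:
            return False, f"patch {level} is newer than {patch}; downgrade not allowed"
        if level == patch:
            return False, f"patch {patch} already installed"
        return True, ""
    # rollback: only the highest installed patch may be removed
    if patch not in installed:
        return False, f"patch {patch} not installed"
    if level > patch:
        return False, f"patch {level} is installed above {patch}; roll that back first"
    return True, ""


def rollout(op: str, patch: int, primary: str, secondaries: List[str],
            state: Dict[str, List[int]],
            execute: Callable[[str, str, int], bool]) -> Report:
    """Apply `op` across the deployment, Primary PAN first.
    `state` maps hostname -> installed patch numbers and is updated in place on success.
    `execute(op, node, patch)` performs the operation on one node and returns True on success."""
    rep = Report(op)
    for node in [primary] + list(secondaries):
        do_it, why = needed(op, state[node], patch)
        if not do_it:
            rep.skipped[node] = why      # safe to re-run: finished nodes are left alone
            continue
        rep.attempted.append(node)
        if execute(op, node, patch):
            rep.succeeded.append(node)
            if op == "install":
                state[node].append(patch)
            else:
                state[node].remove(patch)  # assumption: earlier patches remain in place
        else:
            rep.failed.append(node)
            if node == primary:
                rep.aborted_on_pan = True
                break                    # a failed PAN stops the rollout; secondaries untouched
            # a failed secondary does not stop the remaining secondaries
    return rep


def simulated_executor(failing: Set[str], log: List[Tuple[str, str, int]]) -> Callable:
    """Stand-in for the real per-node CLI operation; nodes in `failing` report failure."""
    def execute(op: str, node: str, patch: int) -> bool:
        log.append((op, node, patch))
        return node not in failing
    return execute


# Constructed deployment: four nodes, all at patch 2 (hostnames are placeholders)
PRIMARY = "ise-pan-1"
SECONDARIES = ["ise-pan-2", "ise-psn-1", "ise-psn-2"]


def fresh_state() -> Dict[str, List[int]]:
    return {n: [2] for n in [PRIMARY] + SECONDARIES}


if __name__ == "__main__":
    state, log = fresh_state(), []
    r = rollout("install", 3, PRIMARY, SECONDARIES, state, simulated_executor({"ise-psn-1"}, log))
    print("install:", r)
    r = rollout("rollback", 3, PRIMARY, SECONDARIES, state, simulated_executor(set(), log))
    print("rollback:", r)   # ise-psn-1 is skipped: it never received patch 3
    print("state:", state)
```

Re-running `rollout` after a partial failure is the equivalent of the "repeat this process" step above: nodes that already finished are reported under `skipped` rather than touched again, and a failing Primary PAN leaves every secondary node exactly as it was.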

View patch install and roll back changes

You can install or roll back patches from the Cisco ISE GUI. In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Maintenance > Patch Management. In the Patch Management window, select a patch and click Show Node Status to view its status on each node (installed, in progress, or not installed).

To view reports for installed patches, perform these steps:

Before you begin

You must be assigned the Super Admin or System Admin role.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Operations > Reports > Audit > Operations Audit.

By default, records for the last seven days are displayed.

Step 2

Click the Filter drop-down and choose Quick Filter or Advanced Filter. Enter the required keyword (for example, 'patch install initiated') to generate a report of installed patches.