Install latest patch

Software patch upgrade

You can upgrade to a new Cisco ISE release with or without a patch for that release. If you have already installed a patch for your Cisco ISE release, you can use the Patch option to upgrade only the patch in your current release.

You can choose the full upgrade or split upgrade option for a patch upgrade.

  • Full Upgrade: Full upgrade is a multistep process that enables a complete patch upgrade of all the nodes in your Cisco ISE deployment at the same time.

    This method upgrades the deployment in less time than the split upgrade process. The application services are down during this upgrade process because all nodes are upgraded in parallel.

  • Split Upgrade: Split upgrade is a multistep process that enables the patch upgrade of your Cisco ISE deployment while allowing services to remain available during the upgrade process.

    This method allows you to choose the Cisco ISE nodes to be upgraded. In the split upgrade workflow, the prechecks and patch upgrade happen while the system is up and running, which reduces downtime considerably and leads to a reliable upgrade.


Note


The Install option is disabled in the Administration > System > Maintenance > Installed Patches page when you use the Full Upgrade or Split Upgrade option in the Upgrade & Rollback page. When you use the Install option in the Installed Patches page, Full Upgrade and Split Upgrade options are disabled in the Upgrade & Rollback page.


Upgrade patch using Full upgrade option

Full upgrade is a multistep process that enables a complete upgrade of your Cisco ISE deployment.

To perform a patch upgrade using the Full upgrade option:

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade & Rollback.

Step 2

In the Upgrade & Rollback page, click Upgrade.

Step 3

Click Patch.

Step 4

Click Full.

Step 5

Click Initialize.

Step 6

Click Let’s Do It in the Welcome page to start the upgrade workflow.

The Prerequisite Checks page is displayed.

Step 7

Under How do you want to fetch Patch Bundle?, choose one of the following options:

  • Choose from Repository: Allows you to upload a patch upgrade file from a repository or your local disk. From the Patch drop-down list, choose the patch upgrade bundle.

  • Upload Now: Allows you to choose or drag and drop a file from your local disk. You can upload only .tar files and the maximum file size allowed is 4 GB.

Step 8

Click Start Preparation.

Cisco ISE validates all the prerequisites for the selected workflow and generates a report for your deployment.

Cisco ISE checks the following during the patch upgrade process:

  • Repository Validation: Checks whether a repository is configured for all the nodes.

  • Patch Bundle Download: Checks whether the patch bundle is downloaded.

  • Deployment Validation: Checks the state of the deployment node (whether it is in sync or in progress).

  • System Certificate Validation: Checks the system certificate validation for each node.

  • Admin Certificate Check in Trust Store: Checks whether the admin certificate is present in the trust store.

  • Services or Process Failures: Checks the state of the service or application (whether it is running or in failed state).

  • PAN Failover Validation: Checks whether PAN HA is disabled or not for the deployment.

If any of the checks failed, resolve the issues, and click Refresh Failed Checks to rerun the checks.

The generated report is valid for 3 hours. You must install your patch within that period.

Step 9

Click Next to proceed to the Upgrade Nodes page.

Step 10

Click Start in the Upgrade Nodes page.

In the Upgrade Nodes page, you can see the overall upgrade progress and the status for each node in your deployment.

Upgrade progress of the primary PAN can be monitored from the secondary PAN. You can monitor the upgrade process of the secondary PAN from the primary PAN.

If you are using the CLI to install the patch, you cannot use this upgrade wizard to initiate or track the upgrade process.

Step 11

Click Next in the Upgrade Nodes page to check whether all the nodes are upgraded successfully.

After the upgrade process is completed, you can view and download the diagnostic upgrade reports for your deployment in the Summary page.

Step 12

Click Finish to exit the wizard.

You can verify and download the upgrade summary reports with relevant details.


Patch upgrade using Split upgrade option

Split upgrade is a multistep process that enables the patch upgrade of your Cisco ISE deployment while allowing other services to be available for users. The downtime can be limited in a split upgrade by dividing the nodes into batches and iterating the upgrade for each batch. However, this process might take longer than a full upgrade.

Follow these steps to upgrade a patch using the Split upgrade option.

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade & Rollback.

Step 2

In the Upgrade & Rollback page, click Upgrade.

Step 3

Click Patch.

Step 4

Click Split.

Step 5

Click Initialize.

Step 6

Click Let’s Do It in the Welcome page to start the upgrade workflow.

Step 7

In the Select Nodes page, check the check boxes next to the nodes that you want to upgrade in the current iteration.

Note

 
  • Primary PAN will be selected by default in the first iteration of patch upgrade. You can select multiple PSN nodes and the primary or secondary MnT node along with the primary PAN. However, you cannot include the secondary PAN and both the MnT nodes in the first iteration.

  • The first iteration happens in two batches if nodes other than the primary PAN are selected in the first iteration. The primary PAN is upgraded in the first batch, followed by the simultaneous upgrade of the rest of the nodes that are selected as part of the first iteration.

  • It is recommended that you select a maximum of 16 nodes per iteration during the split upgrade process.

Step 8

Click Next.

The Prerequisite Checks page is displayed.

Step 9

Under How do you want to fetch Patch Bundle?, choose one of the following options:

  • Choose from Repository: Allows you to upload a patch upgrade file from a repository or your local disk. From the Patch drop-down list, choose the patch upgrade bundle.

  • Upload Now: Allows you to choose or drag and drop a file from your local disk. You can upload only .tar files and the maximum file size allowed is 4 GB.

Step 10

Click Start Preparation.

Cisco ISE validates all the prerequisites and generates a report for your deployment.

Cisco ISE checks the following during the upgrade process:

  • Repository Validation: Checks whether a repository is configured for all the nodes.

  • Patch Bundle Download: Checks whether the patch bundle is downloaded.

  • Deployment Validation: Checks the state of the deployment node (whether it is in sync or in progress).

  • Admin Certificate Check in Trust Store: Checks whether the admin certificate is present in the trust store.

  • System Certificate Validation: Checks the system certificate validation for each node.

  • Services or Process Failures: Checks the state of the service or application (whether it is running or in failed state).

  • PAN Failover Validation: Checks whether PAN HA is disabled or not for the deployment.

Click the Expand to Show icon to see additional information about each node and its status.

Click the Information icon to see more information about each component.

The generated report is valid for 3 hours. You must install your patch within that period.

Local prechecks (Repository Validation, Bundle Download, System Certificate Validation, and Services or Process Failures) are run on all the nodes during the first iteration. However, in the subsequent iterations, these checks are run only on the selected nodes.

Step 11

If any of the checks failed, resolve the issues, and click Refresh Failed Checks to rerun the checks.

Step 12

Click Next to proceed to the Upgrade Nodes page.

Step 13

Click Start in the Upgrade Nodes page.

In the Upgrade Nodes page, you can see the overall upgrade progress and the status for each node in your deployment.

Upgrade progress of the primary PAN can be monitored from the secondary PAN. You can monitor the upgrade process of the secondary PAN from the primary PAN.

If you are using the CLI to install the patch, you cannot use this upgrade wizard to initiate or track the upgrade process.

Step 14

Click Next in the Upgrade Nodes page to check whether all the nodes are upgraded successfully.

After the upgrade process is completed, you can view and download the diagnostic upgrade reports for your deployment in the Summary page.

Step 15

Click Finish in the Summary page.

You are redirected to the Node Selection page, so that you can select the nodes for the next iteration.

After the upgrade process is completed, you can view and download the diagnostic upgrade reports for your deployment in the Summary page.
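
The node-selection rules from the note in Step 7, written as an offline check to run over a planned iteration before the change window. This is an added example, not Cisco code, and it does not talk to Cisco ISE. The role labels, the hostnames, treating the default primary PAN selection as required, and the half-the-PSNs split in `plan` are assumptions of this sketch.

```python
from dataclasses import dataclass

MAX_PER_ITERATION = 16  # recommended maximum per iteration (Step 7 note)

@dataclass(frozen=True)
class Node:
    name: str  # constructed hostname
    role: str  # labels assumed for this sketch: PPAN, SPAN, PMNT, SMNT, PSN

def violations(selected, first):
    """Rule violations for one iteration's node selection (empty list means OK)."""
    roles = {n.role for n in selected}
    out = []
    if len(selected) > MAX_PER_ITERATION:
        out.append("more than 16 nodes selected")
    if first and "PPAN" not in roles:  # assumption: the default selection is kept
        out.append("primary PAN missing from first iteration")
    if first and "SPAN" in roles:
        out.append("secondary PAN in first iteration")
    if first and {"PMNT", "SMNT"} <= roles:
        out.append("both MnT nodes in first iteration")
    return out

def batches(selected, first):
    """Upgrade order inside one iteration: in the first, primary PAN alone, then the rest together."""
    if not first:
        return [[n.name for n in selected]]
    ppan = [n.name for n in selected if n.role == "PPAN"]
    rest = [n.name for n in selected if n.role != "PPAN"]
    return [b for b in (ppan, rest) if b]

def plan(deployment):
    """One possible split (an assumption, not a Cisco rule): half the PSNs go with the primary PAN."""
    psns = [n for n in deployment if n.role == "PSN"]
    head = [n for n in deployment if n.role in ("PPAN", "PMNT")]
    first = head + psns[: min(len(psns) // 2, MAX_PER_ITERATION - len(head))]
    later = [n for n in deployment if n not in first]
    return [first] + [later[i:i + MAX_PER_ITERATION] for i in range(0, len(later), MAX_PER_ITERATION)]

# Constructed sample deployment (hostnames are made up).
DEPLOYMENT = ([Node("pan1", "PPAN"), Node("pan2", "SPAN"), Node("mnt1", "PMNT"), Node("mnt2", "SMNT")]
              + [Node(f"psn{i}", "PSN") for i in range(1, 7)])

if __name__ == "__main__":
    for i, sel in enumerate(plan(DEPLOYMENT)):
        is_first = i == 0
        print(i + 1, batches(sel, is_first), violations(sel, is_first))
```

Keeping the secondary PAN, one MnT node and part of the PSNs out of the first iteration is what lets services stay available while the primary PAN is patched.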


Roll back software patches

Perform the following steps to roll back a patch:

Procedure


Step 1

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Upgrade & Rollback.

Step 2

Click Patch Rollback.

The patch rollback version is displayed.

Step 3

Click Initialize.

Step 4

Click Let’s Do It in the Welcome page to start the rollback workflow.

Step 5

In the Prerequisite Checks page, click Start Preparation.

Cisco ISE validates all the prerequisites and generates a report for your deployment.

Step 6

(Optional) Click Download Report to download the prerequisite checklist for your reference.

Step 7

If any of the checks failed, rectify the issue, and click Refresh Failed Checks to rerun the checks.

Step 8

Click Next.

Step 9

In the Rollback Nodes page, click Start Rollback.

Rollback is performed in parallel on all the nodes in the deployment except the primary PAN. After the rollback is completed on all other nodes, rollback is performed on the primary PAN.

You can view the overall rollback progress and the status of each node in the Rollback Nodes page.

Rollback progress can be monitored from the secondary PAN while the primary PAN is rolled back. You can monitor the rollback process from the primary PAN while the secondary PAN is rolled back.

Step 10

Click Next.

After the rollback process is completed, you can view and download the diagnostic reports for your deployment in the Summary page.

Step 11

Click Finish to exit the wizard.



Note


If you have used the Install option in the Administration > System > Maintenance > Patch Management page for Cisco ISE Release 3.4 Patch 1 upgrade, it is recommended that you use only the Rollback option in the Patch Management page instead of the Patch Rollback option in the Upgrade & Rollback page.

If you have used the Full or Split patch upgrade in the Upgrade & Rollback page for patch upgrade, you can use the Patch Rollback option in the Upgrade & Rollback page.