Cisco software patches
Cisco software patches are always cumulative. You can perform patch installation and rollback using these options:
-
Patch installation from Primary PAN: Patches are installed on Cisco servers in your deployment starting from the Primary PAN. To install a patch from the Primary PAN, download the patch file from Cisco.com to the system running your client browser.
-
Patch installation using the GUI: When installing a patch using the GUI, the system installs the patch on the Primary PAN first. It then installs the patch on the remaining nodes in the deployment following the order displayed in the GUI, which cannot be changed. You can also manually install patches, roll back patches, and view patch versions by navigating to this path in the Cisco ISE GUI:
-
Using the CLI: Installing patches from the CLI allows you to control the update order of nodes. It is recommended to install the patch on the Primary PAN first, but the order for other nodes is flexible. You can install patches on multiple nodes simultaneously to expedite the process. To install a patch on specific nodes for validation before upgrading the entire deployment, use the CLI command:
patch install <patch_bundle> <repository_that_stores_patch_file>
For more information, see "Install Patch" in the "Cisco ISE CLI Commands in EXEC Mode" chapter in the .
You can install the required patch version directly. For example, if you are using Cisco ISE release 3.x and want to install patch 5, you can install patch 5 without installing patches 1 through 4.
To view the current patch version in the CLI, use this command:
show version
Software patch installation guidelines
-
When you install a patch on a Cisco ISE node, the node will reboot after the installation completes. You may need to wait a few minutes before you can log in again. Schedule patch installations during maintenance windows to minimize service disruption.
-
Ensure that the patch you install is compatible with the Cisco version deployed in your network. Cisco will report any version mismatches or errors in the patch file.
-
You cannot install a patch with a version lower than the currently installed patch on Cisco . Similarly, rolling back to a lower-version patch is not allowed if a higher version is installed. For example, if patch 3 is installed, you cannot install or roll back to patch 1 or 2.
-
In a distributed deployment, when installing a patch from the Primary PAN, Cisco ISE installs the patch on the primary node first, then proceeds to the secondary nodes. If the patch installation succeeds on the Primary PAN, the process continues on the secondary nodes. If it fails on the Primary PAN, installation does not proceed to secondary nodes. If installation fails on any secondary node, the process continues with the next secondary node.
-
In a two-node deployment, Cisco installs the patch from the Primary PAN on the primary node first and then on the secondary node. If installation fails on the Primary PAN, it does not proceed to the secondary node.
Install a software patch
Before you begin
-
You must be assigned the Super Admin or System Admin role.
-
Go to and ensure that the Enable PAN Auto Failover check box is unchecked. The PAN auto-failover configuration must be disabled for the duration of this task.
Procedure
|
Step 1 |
Choose > Install. |
|
Step 2 |
Click Browse and choose the patch that you downloaded from Cisco.com. |
|
Step 3 |
Click Install to install the patch. After the patch is installed on the PAN, Cisco logs you out. You must wait a few minutes before logging in again. When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page. |
|
Step 4 |
Click the radio button next to the patch that you have installed. Click Show Node Status to verify installation is complete. |
Feedback