Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
338
Views
4
Helpful
4
Replies

Patching ISE? UI or CLI?

Go to solution
adamscottmaster2013
Level 3
Level 3

‎01-04-2024 04:43 AM

I have a 4 nodes ISE 3.2 patch-4 cluster:
node1: Primary Admin/Primary MNT
node2: Secondary Admin/Secondary MNT
node3: PSN
node4: PSN

what is the best way to patch these nodes going forward to patch-5 and beyond? I am getting
different answers from Cisco TAC. One TAC engineer recommenend that I use the UI in node1 to
do the patching and another engineer recommended the CLI:

- patch node1 via CLI, wait for the node to be rebooted and back into the cluster,
- patch node3 via CLI, wait for the node to be rebooted and back into the cluster,
- patch node4 via CLI, wait for the node to be rebooted and back into the cluster,
- patch node2 via CLI, wait for the node to be rebooted and back into the cluster,

I've seen in multiple situations that using the UI is NOT very reliable because after node1
got patched, node2...node4 did not get patched.

What is the best and support way to patch my ISE cluster? Also is the CLI sequence of patching correct?

TIA

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎01-04-2024 05:38 AM

CLI, much easier to monitor/control.  The CLI gives you progress output that the GUI does not.

View solution in original post

Go to solution
ahollifield
VIP
VIP
In response to adamscottmaster2013

‎01-04-2024 08:03 AM

Start with Primary Admin Node.  After that the order doesn't matter, whatever is best for your individual deployment's HA strategy

View solution in original post

Go to solution
PradeepSingh
Level 1
Level 1

‎01-04-2024 09:34 AM

Agree to @ahollifield CLI gives better control. Although initiating from GUI is easiest, but you don't have such monitor and control.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
ahollifield
VIP
VIP

‎01-04-2024 05:38 AM

CLI, much easier to monitor/control.  The CLI gives you progress output that the GUI does not.

Go to solution
adamscottmaster2013
Level 3
Level 3
In response to ahollifield

‎01-04-2024 07:20 AM

In my scenario, what would be the correct sequence?

 

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to adamscottmaster2013

‎01-04-2024 08:03 AM

Start with Primary Admin Node.  After that the order doesn't matter, whatever is best for your individual deployment's HA strategy

Go to solution
PradeepSingh
Level 1
Level 1

‎01-04-2024 09:34 AM

Agree to @ahollifield CLI gives better control. Although initiating from GUI is easiest, but you don't have such monitor and control.

0 Helpful
Customers Also Viewed These Support Documents