cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1184
Views
2
Helpful
5
Replies

What are you supposed to do when URT fails?

paul
Level 10
Level 10

I am doing an upgrade from 2.1 to 2.3 doing my normal build fresh then restore.  The restore is failing on:

Data upgrade step 43/60, UPSUpgradeHandler(2.3.0.100)... Failed.

I then removed one of my admin nodes from the 2.1 deployment, made it a standalone node and ran URT test.  It failed at the same spot with no further information:

Data upgrade step 43/60, UPSUpgradeHandler(2.3.0.100)... Failed.

Does that mean we just have to open a TAC case?

Thanks.

1 Accepted Solution

Accepted Solutions

Thanks Hsing and Jason. Let me confirm my thinking with you.

I have done probably 40-50 fresh builds/restores since 1.0 with no issues up to and including 2.2. 2.3 is the only version I have issues with and 2.3 is the only version introduces with a URT. So all the issues have to be with the policy set conversion right?

I think I know what the issue may be. Because the Context Visibility->Endpoints screen doesn’t show the Authorization Profile we got in the habit of covering the default rule at the bottom of our policy sets with a rule with a better name than “Default”. Covering the default rule with no conditions is not allowed in 2.3. So my guess is it is probably bombing out on that conversion. That was mentioned in the other discussion as well.

Is my thinking correct? The issue really has to be in the policy sets.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

5 Replies 5

Jason Kunst
Cisco Employee
Cisco Employee

Yes you have to have them engage development and fix the issue

hslai
Cisco Employee
Cisco Employee

This depends on the errors. For example, Upgrade to ise 2.3 failed ran into some issues with policy set upgrade and we changed the policy rules based on the errors.

Thanks Hsing and Jason. Let me confirm my thinking with you.

I have done probably 40-50 fresh builds/restores since 1.0 with no issues up to and including 2.2. 2.3 is the only version I have issues with and 2.3 is the only version introduces with a URT. So all the issues have to be with the policy set conversion right?

I think I know what the issue may be. Because the Context Visibility->Endpoints screen doesn’t show the Authorization Profile we got in the habit of covering the default rule at the bottom of our policy sets with a rule with a better name than “Default”. Covering the default rule with no conditions is not allowed in 2.3. So my guess is it is probably bombing out on that conversion. That was mentioned in the other discussion as well.

Is my thinking correct? The issue really has to be in the policy sets.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

hslai
Cisco Employee
Cisco Employee

Yes, you are in the right track. The 2.3 upgrade will try converting the legacy policies and policy sets into separate policy sets and that can run into problems as shown in the older thread.

Just to follow up on this.  The issue turned out to be two fold:

I had rules with no conditions that covered the default rule in some of my policy sets.

I also, like a good ISE installer, had authentication and authorization simple conditions with the name EAP-TLS created.  ISE 2.3 adds that condition in by default and can't handle that you have them in the config.  I had to rename them to something else to get the URT to work.

<rant> Honestly this URT is terrible.  Why build a tool that gives no meaningful output that requires TAC to debug the log output.  This is basic error handling you load in coding class.  </rant>

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: