cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3064
Views
7
Helpful
3
Replies

ISE 2.3 and 2.4 urt bundle and upgrade tests failed ...

Hey, folks.

I have problems upgrading ISE from v2.2 (latest patch 7) to any of the new versions like 2.3 or even 2.4 ....

Until now I have tried the following things:

1. Ran urt bundles (both 2.3 and 2.4) on the secondary admin node to test

-> app install ise-urtbundle-2.4.0.357-1.0.0.SPA.x86_64.tar.gz REPO_localdisk

Both urt bundles fail at the same point:

# app install ise-urtbundle-2.4.0.357-1.0.0.SPA.x86_64.tar.gz REPO_localdisk

Save the current ADE-OS running configuration? (yes/no) [yes] ?

Generating configuration...

Saved the ADE-OS running configuration to startup successfully

Getting bundle to local machine...

Unbundling Application Package...

Verifying Application Signature...

Initiating Application Install...

###########################################

# Installing Upgrade Readiness Tool (URT) #

###########################################

Checking ISE version compatibility

- Successful

Checking ISE persona

- Successful

Along with Administration, other services (MNT) are enabled on this node. Installing and running URT might consume additional resources.

Do you want to proceed with installing and running URT now (y/n):y

Checking if URT is recent(<45 days old)

- Successful

Installing URT bundle

- Successful

########################################

# Running Upgrade Readiness Tool (URT) #

########################################

This tool will perform following tasks:

1. Pre-requisite checks

2. Clone config database

3. Copy upgrade files

4. Data upgrade on cloned database

5. Time estimate for upgrade

Pre-requisite checks

====================

Disk Space sanity check

- Successful

NTP sanity

- Successful

Appliance/VM compatibility

- Successful

Trust Cert Validation

- Successful

System Cert Validation

- Successful

Invalid MDMServerNames in Authorization Policies check

- Successful

6 out of 6 pre-requisite checks passed

Clone config database

=====================

[########################################] 100%  Successful

Copy upgrade files

==================

- N/A

Data upgrade on cloned database

===============================

Modifying upgrade scripts to run on cloned database

- Successful

Running schema upgrade on cloned database

- Running db sanity to check and fix if any index corruption

- Auto Upgrading Schema for UPS Model

- Upgrading Schema completed for UPS Model

- Successful

Running sanity after schema upgrade on cloned database

- Successful

Running data upgrade on cloned database

- Data upgrade step 1/43, UPSUpgradeHandler(2.3.0.100)... Failed.

- Failed

Final cleanup before exiting...

2. I have installed each of the versions from scratch in the lab and tried to restore a backup I took from the 2.2 production deployment

-> Restore fails in both versions at the same point:

Initiating restore.  Please wait...

% restore in progress: Starting Restore...10% completed

% restore in progress: Retrieving backup file from Repository...20% completed

% restore in progress: Decrypting backup data...25% completed

% restore in progress: Extracting backup data...30% completed

Leaving the currently connected AD domain

Please rejoin the AD domain from the administrative GUI

% restore in progress: Stopping ISE processes required for restore...35% completed

Cleaning up TC-NAC docker configuration...

% restore in progress: Restoring ISE configuration database...40% completed

% restore in progress: Adjusting host data for upgrade...60% completed

UPGRADE STEP 1: Running ISE configuration database schema upgrade...

- Running db sanity to check and fix if any index corruption

- Auto Upgrading Schema for UPS Model

- Upgrading Schema completed for UPS Model

UPGRADE STEP 2: Running ISE configuration data upgrade...

- Data upgrade step 1/43, UPSUpgradeHandler(2.3.0.100)... Failed.

% Error: ISE Global data upgrade failed!

                                        

I have searched and read all of the other entries in the communities and the supportforums, but I do not understand exactly, what the guys mean by it, example:

Re: What are you supposed to do when URT fails?

Also found a bug related to my problem:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg13303/?rfs=iqvred

but since I try to upgrade to 2.4 also, does not make any sense to me ...

I have not yet opened a TAC for this ......


Any ideas what else I could try ???


Rgs

Frank


Answer to hslai:

Seems that I cannot submit any answers .... site throws some red errors ... strange !!!


maybe here then ..:


Hi,

I just installed GnuPG and took a look at the log files, found this in the fist file I looked at (dbupgrade-data-global-xxxx):

@@@ PsUpgrade: info- :cleanDB done.

@@@ PsUpgrade: info- :Checking whether to init PAL...

@@@ PsUpgrade: info- :Upgrade Config says - initPal flag:.true

@@@ PsUpgrade: info- :Starting PalCore...

@@@ PsUpgrade: error- :Failed to init PAL

com.cisco.cpm.policy.pal.PalException: Failed to create Tacacs elements

Any idea, what this might mean ???

FYI, TACACS is not running on the deployment .....

Rgs

Frank

3 Replies 3

hslai
Cisco Employee
Cisco Employee

If you provided an encryption passphrase yourself while generating the log bundle, then you should be able to decrypt the bundle yourself if you have GnuPG installed on your PC/Mac. Otherwise, you would need TAC to help checking on the log files.

CSCvg13303 is specific to "Data upgrade step 1/18, UPSUpgradeHandler(2.3.0.100)" whereas your error is "Data upgrade step 1/43" so it does not seem the same issue.

Hi,

I just installed GnuPG and took a look at the log files, found this in the fist file I looked at (dbupgrade-data-global-xxxx):

@@@ PsUpgrade: info- :cleanDB done.

@@@ PsUpgrade: info- :Checking whether to init PAL...

@@@ PsUpgrade: info- :Upgrade Config says - initPal flag:.true

@@@ PsUpgrade: info- :Starting PalCore...

@@@ PsUpgrade: error- :Failed to init PAL

com.cisco.cpm.policy.pal.PalException: Failed to create Tacacs elements

Any idea, what this might mean ???

FYI, TACACS is not running on the deployment .....

Rgs

Frank

Go to ISE admin web UI > Work Centers > Device Administration > Policy Elements > Results.

Under TACACS Command Sets, anything other than DenyAllCommands there? If yes, you may consider deleting them.

Under TACACS Profiles, anything other than "Default Shell Profile", "Deny All Shell Profile", "WLC ALL", "WLC MONITOR"? Delete anything extra.

If that does not help, please open a TAC case and provide a copy of your ISE CFG backup to TAC.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: