
ISE 2.3 to 2.4 issues.

sapage
Level 1

I have just upgraded a 4 node cluster from 2.3 to 2.4 and have run into a few issues.

After the upgrade, which took over 30 hours, I can no longer sync nodes, as they all report upgrade in process.

If I remove a node from the cluster and try to re-add it, I get an error popup with no information.

I am not getting VMware license errors which is to be expected.


7 Replies

sapage
Level 1

I have already lodged a TAC before you advise.

sapage
Level 1

I just had the security team check, and we have our ISE nodes in the DMZ, and found that since the upgrade the following ports are getting blocked. I have asked them to allow these ports in tonight's firewall burn, so I should know tomorrow.

  • TCP 80
  • TCP 443
  • TCP 1521
  • TCP 12001
  • TCP 7800
  • TCP 6514 << blocked
  • TCP 8910 << blocked
  • TCP 2560 << blocked
  • TCP 5222 << blocked
  • TCP 9300 << blocked
  • UDP 20514
  • TCP 1468
  • TCP 8910

Hi Simon,

Did you use the Upgrade Readiness Tool (URT) before attempting the upgrade?

Regards,

-Tim

I only found out about that tool post install.

hslai
Cisco Employee

To me, it does not seem to be an issue with either those blocked ports or URT. For those blocked ports, they are not essential for the sync operation during an ISE node registration. And your upgrade went through fine, so it is not an issue URT can help with.

As you already have a TAC case, TAC will help with looking at the debug logs and further troubleshooting.

Do you think the upgrade readiness tool would have caught the above issue? I.e., the installation completed, but there were errors.

sapage
Level 1

Hi All,

TAC has been opened for about a month now and seems to have been fixed yesterday. I rebuilt several of the nodes to a fresh 2.4 install and re-added them to a promoted ISE node other than the original primary node.

Had several DEV on 3 TAC calls looking at the DB and OS layer and they seem to think it was an issue with the OS trying to address a swap file which was too small or something. I have not gotten the final outcome of the TAC case but they did say there would be a BugID coming for it.

TL;DR: some of the nodes did not upgrade correctly and a rebuild seems to have fixed it.
