ACS 5.8 to ISE 2.2 Migration Bug Discovered

chrisholcomb
Level 1

I migrated our ACS 5.8 system over to ISE 2.2. We migrated our TACACS device authentication policies into ISE. Both the authentication and authorization policies were migrated successfully and I was able to test device authentication with no issues, until I reloaded the primary Admin node, which removed the authentication policies. Turns out the authentication policies were there in the live database but were lost on a reload. Also, the policies were not being backed up to be able to restore to an ISE 2.1 version to get around the bug.

So, my question is: I have ISE 2.2 installed on VMs. How can I re-install/replace ISE 2.1 on top of our VM ISE 2.2 system without recreating the VM with the 2.1 OVA file? Has anyone had to back out a current version of ISE to an earlier version? Can I just install the 2.1 ISO image on the VM?

Thanks,

Chris  

Accepted Solutions

kthiruve
Cisco Employee

ISE does not support downgrade if that is what you are asking.

If this is a production environment you can open a TAC case and open a defect through them.

Is it done on a standalone ISE node? With policy set mode enabled?

Are you running ISE 2.2 patch 1 or just ISE 2.2?

Also, what patch level are you using in ACS 5.8?

Is this ACS 5.8 a standalone one or a primary with secondaries? I'd like to know more about the topology.

-Krishnan

Thanks for the reply. I was asking about the downgrade. So, it looks like I will be doing a re-install then.

Documented as bug CSCve59500 - ACS 5 to ISE 2.2 migration authorization policy issue.

It is done to a standalone ISE VM node as the migration/installation documentation instructed.

Problem occurs on ISE 2.2 with or without Patch 1 applied. Tested on both.

Our ACS is 5.8.0.32.7. We are running Primary and Secondary VMs for both ACS and ISE.

Action plan now is to re-install using ISE 2.1 with Patch 3 applied. Then run the ACS 5.8 to ISE 2.1 migration program again and hope the policies stay in the database after a reload. If successful, I will then upgrade the software from ISE 2.1 Patch 3 to version 2.2 and test again with a reload. I'll then install 2.2 Patch 1 and test again.

Hoping this works; we have a large number of policies that I don't want to have to manually key into ISE.

Chris

Thanks for forwarding the defect ID. I have reached out to Engineering on this.

Please let me know if this works with ISE 2.1.

-Krishnan

Krishnan, what is the best way to re-install ISE 2.1 onto our VM running ISE 2.2? Can I do this from the 2.2 CLI using application commands and the repository? Or do I have to do a full re-install of the ISE 2.1 ISO image from the VM client? Any tips on doing this will be much appreciated. I'm trying to do the re-install with the least amount of effort and hoping to keep some of the settings so as to not start over from the beginning.

Chris

There is no way to downgrade. What you said before, installing 2.1 with the latest patch and migrating ACS over, will work fine to validate. Then you will upgrade to 2.2, install the latest patch, and validate again.

Make sure to work through troubleshooting and bugs with the TAC.