06-03-2018 11:51 PM - edited 02-21-2020 10:57 AM
Hi all, in upgrade process from 2.3 to 2.4 I have this error in Context Visibility:
Unable to load Context Visibility page. Ensure that full certificate chain of admin certificate is installed on Administration->System->Certificates->Trust
ed Certificates. If not, install them and restart application services. Exception: None of the configured nodes are available: [{#transport#-1}{tFtNsZVgRSWNBQkBtiOBOQ}{ise.domain.com}{10.12.12.12:9300
}]
I have deleted all certificates and I have reloaded them with their entire chain but the error still appears.
It seens a bug in older versions but not in 2.4
Any one can help me?
Solved! Go to Solution.
06-27-2018 12:17 AM - edited 06-27-2018 12:18 AM
All certificate chain was uploaded to all ISE nodes. Finally I opened a TAC case and the solution was to go back to version ISE 2.3.
06-04-2018 03:20 PM
I have not upgraded to ISE 2.4 yet (still on 2.3). I would like to know how you built your deployment. When you registered additional nodes to your PRIMARY PAN, did those additional nodes have their Admin role certificates generated from the same CA as the Primary PAN?
e.g. I have a case where all of my nodes have an individually created cert from our enterprise PKI (Root->Intermediate->Issuing CA - 3 levels deep). After installing the .iso from fresh I always install all 3 CA certs in the Trusted Certs store. Then I install the Admin role cert on each server. I then designate one server as the Primary PAN and register all the others to it. This has always worked in ISE 2.2 and ISE 2.3 so far and it's one way of registering a deployment. But if you're saying that this breaks when upgrading to ISE 2.4 then I am concerned.
06-27-2018 12:17 AM - edited 06-27-2018 12:18 AM
All certificate chain was uploaded to all ISE nodes. Finally I opened a TAC case and the solution was to go back to version ISE 2.3.
09-03-2018 03:53 AM
Got the same issue, and after applying patch 2 ... still the same... I'm glad it test environment.
09-03-2018 04:51 AM
Sorry to hear you had to go back to 2.3
The official upgrade process may have messed things up. I would not give up though. Are you able to build a fresh 2.4 node from the OVA/ISO and then restore the 2.3 config backup onto it? That's how I would approach an "upgrade".
If the 2.3 database is so corrupted then it might be best to build a new 2.4 deployment and reconfigure what you need. ISE 2.4 promised us the import Policy Set feature (we can already export Policy Sets as XML) - now if that were possible then you'd have a nice clean way to get the bulk of the logic migrated.
You can already import Network Device Groups and Radius Dictionaries and of course Network Access Devices (NAD's) - that can be a big chunk of config imported into the new deployment, instead of potentially importing a load of garbage into your new nodes.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide