Cisco ISE 3.0 Redhat KVM Install - Database Priming Failed

ferriterj1 · ‎05-26-2021

Hello!

I've recently tried to install Cisco ISE 3.0 on a Scale HC3 cluster which is a RedHat KVM-based system but am experiencing some issues. I wanted to go through the evaluation to see if ISE could even run on this platform.

I've created the VM with 4 cores, 16GB of RAM, and a 500GB disk. The installation seems to go smoothly.

I input the IP, subnet, gateway, nameservers, domain and it pings the necessary components during install no problem.

However, when I get to the Database Priming, I am constantly getting a "Database Priming Failed!" error message. The error message even continues after an "application reset-config ise". I've also just continued with the install, but when I do so, the application server is stuck in initializing and I get a "connection refused" message while trying to access the web GUI.

I believe this might have something to do with the database priming constantly failing, but I'm not sure.

I've deleted and reinstalled the VM many times with the same issue. I've redownloaded the .ISO constantly as well.

I've asked support at Scale to see if it's even possible to install on the platform, and one of the support engineers was able to install ISE 3.0 on their cluster and access the GUI with no problem.

Is there anything, in particular, that would cause this "database priming" issue on my setup but not the support engineer who is running the same cluster?

Thank you for all of your help!

marce1000 · ‎05-26-2021

- From the cisco viewpoint it does not seem supported :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/release_notes/b_ise_30_rn.html#concept_ADD2FA0C156341BCA7E29A18F08F9519

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/release_notes/b_ise_30_rn.html#id_64711

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ferriterj1 · ‎05-27-2021

From your link "KVM on QEMU 1.5.3-160" is listed as a supported platform. This is what the Scale HC3 platform is.

marce1000 · ‎05-27-2021

- FYI : https://community.cisco.com/t5/network-access-control/error-database-priming-failed/td-p/2591712

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ferriterj1 · ‎05-27-2021

Thanks for replying Marce!

There is a correct DNS entry for the machine in our DNS.

I can do nslookups from the ISE VM and they resolve correctly using the given nameserver.

marce1000 · ‎05-27-2021

- Have a look at show logging system ade/ADE.log , possibly for more info. show logging system will show a list of a log files which can be examined accordingly.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

ferriterj1 · ‎05-27-2021

Thanks again Marce!

Combing through those logs I do see interesting entries about the database not being able to be logged into.

I also noticed that in the attached screenshot with "Database Priming Failed", the time wasn't set correctly even though NTP information was given prior to the database priming happening. Could that possibly be a factor? If so, how do I get the NTP to take effect before the database priming happens?

Later on, in the logs, it seems that the correct NTP information is taken as the time changes from 13:xx:xx to the correct time of 8:xx:xx, but this is AFTER the database priming takes effect and fails.

Thank you! If attaching screenshots like this isn't the best way to show pictures in this forum, please let me know!

marce1000 · ‎05-28-2021

>...If so, how do I get the NTP to take effect before the database priming happens

Difficult to comment on , I would for instance make sure that the NTP configuration is OK and working on the parent-Redhat host.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

lrojaslo · ‎05-28-2021

There is an issue currently under investigation about this behavior, that when you enter domain/subdomain with only numbers it causes database priming error.

Try using domain/subdomain with numbers and letters or only letters.

ferriterj1 · ‎05-28-2021

Are you saying during set up when it asks for DNS domain?

Or when giving nameservers? I did give only ip addresses for name servers. Should I try domain/ip?

lrojaslo · ‎05-31-2021

on DNS domain name.

Also make sure of the following:

* Make sure revers DNS is working fine for the hostname/FQDN of the ISE node (this should be case sensitive to avoid issues).

* When doing reset-config, choose to not keep system certs.

If you still have issues, I would advise to open a TAC case.

ferriterj1 · ‎06-01-2021

Thank you for the response!

Just wondering, for the DNS domain name, ours is xxx.local. Should I be inputting it a different way?

Reverse look-ups are working fine for the FQDN of the node.

I'm trying to evaluate ISE to see if it's something I want my district to purchase. TAC will not help me in this instance correct?

lrojaslo · ‎06-01-2021

domain name is fine with that format.

you should receive assistance from TAC even for evaluation.

thomas · ‎06-01-2021

ISE 3.0 requires a minimum of a 3515 which is 6 cores - not 4 - so your install would be Unsupported.

See ISE Hardware Platforms for hardware minimums.

ferriterj1 · ‎06-02-2021

Hey Thomas, thanks for replying!

No luck. Created a new VM with those specs and still get the database priming failed error.

TAC also won't help, as stated above, because I don't have a service contract with ISE. So I'm in a rough spot with this evaluation of ISE so far...