cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1130
Views
5
Helpful
3
Replies

ISE 1.3 to 2.0 Upgrade Failure

rick505d3
Level 1
Level 1

Hi,

I have a two nodes (VM) ISE deployment running ISE 1.3 Patch 4. During initial troubleshooting, patch levels have been upgraded to 5 and than 6. Still the outcome remained the same. The error I am getting is on upgrading the very first node as per the upgrade guide, the Secondary Admin Node (SAN). The SAN in this deployment also has SMN and PSN personas. Initially SAN had 1.3 Patch 4. Upgraded both nodes to Patch 5 and than 6, tried again still the same step 53 fails. Rebuild the SAN from ISO, base-config, apply cumulative patch 6 only, add certs and joined it again to PAN, when sync complete and operating normally as a SAN, tried to upgrade it again to 2.0. The same step 53 fails. 

san-ise01/admin# application upgrade prepare ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz local

Getting bundle to local machine...
md5: 50f2800ea2e6ebf55ec9f6d8b5fa1341
sha256: 3632cdb716cad2e5f69e7b45ee48845c5184cd99af9875a0cc5caeec9cbfc779
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? Y
Unbundling Application Package...

Application upgrade preparation successful

san-ise01/admin# application upgrade proceed
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
-Checking VM for minimum hardware requirements
STEP 1: Stopping ISE application...
STEP 2: Verifying files in bundle...
-Internal hash verification passed for bundle
STEP 3: Validating data before upgrade...
STEP 4: De-registering node from current deployment...
STEP 5: Taking backup of the configuration data...
STEP 6: Running ISE configuration database schema upgrade...
- Running db sanity check to fix index corruption, if any...
- Upgrading Schema for UPS Model...
- Upgrading Schema completed for UPS Model.

ISE database schema upgrade completed.
STEP 7: Running ISE configuration data upgrade...
- Data upgrade step 1/62, CertReqMgmtBootstrapService(1.4.0.0)... Done in 1 seconds.
- Data upgrade step 2/62, NSFUpgradeService(1.4.0.110)... Done in 0 seconds.
- Data upgrade step 3/62, NSFUpgradeService(1.4.0.119)... Done in 0 seconds.
- Data upgrade step 4/62, NSFUpgradeService(1.4.0.125)... Done in 0 seconds.
- Data upgrade step 5/62, NSFUpgradeService(1.4.0.157)... Done in 0 seconds.
- Data upgrade step 6/62, GuestAccessUpgradeService(1.4.0.157)... Done in 7 seconds.
- Data upgrade step 7/62, NSFUpgradeService(1.4.0.164)... Done in 0 seconds.
- Data upgrade step 8/62, MDMPartnerUpgradeService(1.4.0.166)... Done in 0 seconds.
- Data upgrade step 9/62, MDMPartnerUpgradeService(1.4.0.167)... Done in 0 seconds.
- Data upgrade step 10/62, ProfilerUpgradeService(1.4.0.175)... Done in 3 seconds.
- Data upgrade step 11/62, CertMgmtUpgradeService(1.4.0.217)... Done in 0 seconds.
- Data upgrade step 12/62, RBACUpgradeService(1.5.0.111)... Done in 7 seconds.
- Data upgrade step 13/62, UPSUpgradeHandler(1.5.0.136)... Done in 3 seconds.
- Data upgrade step 14/62, UPSUpgradeHandler(1.5.0.139)... Done in 0 seconds.
- Data upgrade step 15/62, ANCRegistration(1.5.0.140)... Done in 0 seconds.
- Data upgrade step 16/62, NSFUpgradeService(1.5.0.149)... Done in 5 seconds.
- Data upgrade step 17/62, UPSUpgradeHandler(1.5.0.150)... Done in 1 seconds.
- Data upgrade step 18/62, NetworkAccessUpgrade(1.5.0.151)... Done in 0 seconds.
- Data upgrade step 19/62, UPSUpgradeHandler(1.5.0.156)... Done in 0 seconds.
- Data upgrade step 20/62, NetworkAccessUpgrade(1.5.0.159)... Done in 0 seconds.
- Data upgrade step 21/62, NetworkAccessUpgrade(1.5.0.162)... Done in 0 seconds.
- Data upgrade step 22/62, NSFUpgradeService(1.5.0.180)... Done in 0 seconds.
- Data upgrade step 23/62, NetworkAccessUpgrade(1.5.0.180)... Done in 0 seconds.
- Data upgrade step 24/62, NetworkAccessUpgrade(1.5.0.181)... Done in 0 seconds.
- Data upgrade step 25/62, UPSUpgradeHandler(1.5.0.183)... Done in 0 seconds.
- Data upgrade step 26/62, NSFUpgradeService(1.5.0.184)... Done in 0 seconds.
- Data upgrade step 27/62, UPSUpgradeHandler(1.5.0.187)... Done in 1 seconds.
- Data upgrade step 28/62, RBACUpgradeService(1.5.0.195)... Done in 20 seconds.
- Data upgrade step 29/62, NSFUpgradeService(1.5.0.199)... Done in 0 seconds.
- Data upgrade step 30/62, HostConfigUpgradeService(1.5.0.199)... Done in 3 seconds.
- Data upgrade step 31/62, NetworkAccessUpgrade(1.5.0.201)... Done in 0 seconds.
- Data upgrade step 32/62, NetworkAccessUpgrade(1.5.0.202)... Done in 0 seconds.
- Data upgrade step 33/62, GuestAccessUpgradeService(1.5.0.212)... Done in 1 seconds.
- Data upgrade step 34/62, NSFUpgradeService(1.5.0.234)... Done in 0 seconds.
- Data upgrade step 35/62, UPSUpgradeHandler(1.5.0.244)... Done in 0 seconds.
- Data upgrade step 36/62, NSFUpgradeService(1.5.0.246)... Done in 0 seconds.
- Data upgrade step 37/62, AuthzUpgradeService(1.5.0.252)... Done in 0 seconds.
- Data upgrade step 38/62, NSFUpgradeService(1.5.0.257)... Done in 0 seconds.
- Data upgrade step 39/62, RBACUpgradeService(2.0.0.100)... Done in 42 seconds.
- Data upgrade step 40/62, NetworkAccessUpgrade(2.0.0.131)... Done in 0 seconds.
- Data upgrade step 41/62, RBACUpgradeService(2.0.0.132)... Done in 7 seconds.
- Data upgrade step 42/62, AuthzUpgradeService(2.0.0.151)... Done in 0 seconds.
- Data upgrade step 43/62, AuthenPolicyUpgradeService(2.0.0.151)... Done in 0 seconds.
- Data upgrade step 44/62, NadProfilePolicyElemUpgradeService(2.0.0.151)... Done in 13 seconds.
- Data upgrade step 45/62, RBACUpgradeService(2.0.0.152)... Done in 11 seconds.
- Data upgrade step 46/62, RBACUpgradeService(2.0.0.153)... Done in 17 seconds.
- Data upgrade step 47/62, NetworkAccessUpgrade(2.0.0.154)... Done in 0 seconds.
- Data upgrade step 48/62, NetworkAccessUpgrade(2.0.0.156)... Done in 0 seconds.
- Data upgrade step 49/62, NSFUpgradeService(2.0.0.159)... Done in 0 seconds.
- Data upgrade step 50/62, ProfilerUpgradeService(2.0.0.161)... Done in 1 seconds.
- Data upgrade step 51/62, ProvisioningUpgradeService(2.0.0.166)... Done in 1 seconds.
- Data upgrade step 52/62, CADeploymentUpgradeService(2.0.0.190)... Done in 12 seconds.
- Data upgrade step 53/62, NSFUpgradeService(2.0.0.194)... Failed.
Attempting to rollback: Rolling back the configuration database...
Starting application after rollback...

% Manual rollback required: Perform the following steps to revert node to its pre-upgrade state:
-Register this node back to old Primary.
% Application install or upgrade cancelled.

The ISE 2.0 upgrade guide states that ISE 1.3 with any patch level can be directly upgraded to 2.0. Why is this failing than ?

Regards, 

Rick.

3 Replies 3

Hi Rick,

we have the same problem here. Did you find out why it was failing?

Or how do you solved the problem otherwise?

regards wladimir

Hi Wladimir,

Yes, the problems is resolved now. We opened a TAC case and were told that the upgrade is failing because of a missing dictionary attribute for EAP Chaining, although we are not using EAP Chaining feature in the deployment. How it landed in that state, don't know. The TAC advise to confirm the missing attribute was:

Can you please verify in ISE GUI.

1) Go to any authorization policy.

2) Click on Edit.

3) Under conditions , click on Add Attribute/value.

4) Check if the value EapChaining is present under UseCase under Network Access.

The above was true (missing) in our case. We attached a configuration back to the TAC case, Cisco reproduced and fixed the issue in their lab and send back a fix (install root patch, manually insert a record into Oracle db, commit). Not sure if this would be valid for other deployments as the db insert record looks specific to our environment. Please check with TAC on a specific fix for your environment.

Regards, 

Rick.

we hit this Bug:
Upgrade to ISE 2.0 fails due to dynamic assignment in authz profile
CSCux72796
regards,
Wladimir