05-26-2016 10:48 AM
I have a customer that performed the ISE 2.0 to 2.0.1 upgrade process and the final server upgrade failed and was stuck in a hung state; unable to access the server or complete upon a reboot.
Initial state:
SITE 01
ISE SERVER 01 - PAN (Primary) - 2.0
ISE SERVER 02 - MNT (Primary) - 2.0
ISE SERVER 03 - PSN - 2.0
SITE 02
ISE SERVER 04 - PAN (Secondary) - 2.0
ISE SERVER 05 - MNT (Secondary) - 2.0
ISE SERVER 06 - PSN - 2.0
Upgrade Order Set To:
ISE SERVER 04 - PAN (Secondary)
ISE SERVER 02 - MNT (Primary)
ISE SERVER 03 - PSN
ISE SERVER 06 - PSN
ISE SERVER 05 - MNT (Secondary)
ISE SERVER 01 - PAN (Primary)
Upgrade Status:
ISE SERVER 04 - PAN (Secondary) > Successful > 2.0.1 > PAN (Primary)
ISE SERVER 02 - MNT (Primary) > Successful > 2.0.1 > MNT (Primary)
ISE SERVER 03 - PSN > Successful > 2.0.1 > PSN
ISE SERVER 06 - PSN > Successful > 2.0.1 > PSN
ISE SERVER 05 - MNT (Secondary) > Successful > 2.0.1 > MNT (Secondary)
ISE SERVER 01 - PAN (Primary) > FAILED > Not upgraded > System Hung
So, after the customer tried to recover the server and failed, they decided to rebuild the server directly as a 2.0.1 build.
Now, when they try to log in to the NEW PAN and add the rebuilt server to the Deployment it fails. They've reloaded the previous certificates to the server, but they still get the following error.
ERROR:
Unable to authenticate ISE SERVER 01. Please check server and CA certificate configuration and make sure “trust for authentication within ISE” option is selected.
Any ideas on why they may not be able to get it added to the new 2.0.1 upgraded deployment?
Thanks,
Damon
05-27-2016 04:06 AM
Damon, the easiest way is to add each server's public certificate into the other node's CA store. So get the new PAN cert and add it to the re-built server, get the certificate from the re-built server and import it into the new PAN CA store, and try the add process. If it still fails, I suggest opening up a TAC case.
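The two-way trust that the reply describes can be checked offline on exported PEM files before retrying the registration. This is an added example, not code from the thread or from Cisco; it assumes self-signed node certificates, and the file names and `example.test` host names are constructed stand-ins for the exported certificates and trusted-certificate stores.

```sh
#!/bin/sh
# Added example: file names and CNs below are constructed placeholders.

# make_node_cert DIR NAME: constructed self-signed certificate standing in
# for a node's exported system certificate (assumption: self-signed).
make_node_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# trusts STORE CERT: succeeds only if CERT chains to an anchor in STORE.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# mutual_trust PAN_STORE PAN_CERT NODE_STORE NODE_CERT
# Returns 0 only when each side's store accepts the other side's certificate.
mutual_trust() {
    rc=0
    trusts "$1" "$4" || { echo "PAN store rejects node certificate" >&2; rc=1; }
    trusts "$3" "$2" || { echo "node store rejects PAN certificate" >&2; rc=1; }
    return "$rc"
}

demo() {
    d=$(mktemp -d) || return 2
    make_node_cert "$d" pan || return 2
    make_node_cert "$d" node01 || return 2
    # Freshly rebuilt node: each store holds only its own certificate.
    cp "$d/pan.pem" "$d/pan-store.pem"
    cp "$d/node01.pem" "$d/node01-store.pem"
    before=0
    mutual_trust "$d/pan-store.pem" "$d/pan.pem" \
                 "$d/node01-store.pem" "$d/node01.pem" || before=$?
    # The exchange from the reply: import each certificate into the other store.
    cat "$d/node01.pem" >> "$d/pan-store.pem"
    cat "$d/pan.pem" >> "$d/node01-store.pem"
    after=0
    mutual_trust "$d/pan-store.pem" "$d/pan.pem" \
                 "$d/node01-store.pem" "$d/node01.pem" || after=$?
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

With real exports, point `mutual_trust` at the PEM bundles taken from each node's trusted-certificate store; for CA-signed certificates the stores need the issuing CA chain rather than the node certificates themselves.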