ISE 2.2 -> 2.4 URT fails at Data upgrade step 1/43, UPSUpgradeHandler

Filip Po
Level 1

Hello,

URT test fails on ISE 2.2 Patch 14.
Can anybody read the log and tell me what is wrong in the first rule of the Policy Set?

 

Running data upgrade on cloned database
- Data upgrade step 1/43, UPSUpgradeHandler(2.3.0.100)... Failed.
- Failed

 

Condition: [screenshot attachment: Snímka obrazovky 2019-07-19 o 14.06.08.png]

 

@@@ PsUpgrade:	debug- : Found allow value for Network Access:Protocol0:RADIUS
@@@ PsUpgrade:	warn- :Couldn't buildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:null:Device Type#All Device Types#ASA FW, Will try to build it from rhs value
com.cisco.cpm.policy.pal.PalException: Value for attribute is not a permitted option
	at com.cisco.cpm.policy.pal.policyCondition.ConditionsData.validateAllowedValues(ConditionsData.java:545)
	at com.cisco.cpm.policy.pal.policyCondition.ConditionsData.initSimple(ConditionsData.java:438)
	at com.cisco.cpm.policy.pal.policyCondition.ConditionsData.<init>(ConditionsData.java:299)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgradeUtil.buildConditionDataForNameValue(PolicyUpgradeUtil.java:947)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradeNetAccessRuleBuilder.buildConditionDataClauseSimple(UpgradeNetAccessRuleBuilder.java:152)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradeNetAccessRuleBuilder.buildConditionDataClauses(UpgradeNetAccessRuleBuilder.java:99)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradeNetAccessRuleBuilder.buildRuleConditionData(UpgradeNetAccessRuleBuilder.java:70)
	at com.cisco.cpm.policy.configuration.upgrade.builder.AbstractUpgradePolicyDataBuilder.buildNetAccessRuleConditionData(AbstractUpgradePolicyDataBuilder.java:78)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradePolicyDataBuilderRadius.buildNetAccessRuleConditionData(UpgradePolicyDataBuilderRadius.java:200)
	at com.cisco.cpm.policy.configuration.upgrade.builder.AbstractUpgradePolicyDataBuilder.buildPSLevelConditionsData(AbstractUpgradePolicyDataBuilder.java:64)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradePolicyDataBuilderRadius.buildUpgradeData(UpgradePolicyDataBuilderRadius.java:76)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySetRadius(PolicyUpgrade.java:394)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySet(PolicyUpgrade.java:337)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySets(PolicyUpgrade.java:213)
	at com.cisco.cpm.ups.upgrade.impl.PolicyUpgradeHandler.importData(PolicyUpgradeHandler.java:67)
	at com.cisco.cpm.ups.upgrade.UpgradeHandler.exportAndImport(UpgradeHandler.java:38)
	at com.cisco.cpm.ups.upgrade.UpgradeHandler.execUpgrade(UpgradeHandler.java:29)
	at com.cisco.cpm.ups.upgrade.impl.UPSUpgradeHandler.upgrade(UPSUpgradeHandler.java:154)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185)
@@@ PsUpgrade:	debug- :Trying to rebuildConditionDataForNameValue  for: lhsAttrId:DEVICE.Device Type rhsString:Device Type#All Device Types#ASA FW
@@@ PsUpgrade:	info- :Successfully rebuildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:All Device Types#ASA FW
@@@ PsUpgrade:	debug- :Reading Authentication rules for Policy Set ASA FW Rule
@@@ PsUpgrade:	debug- :Reading Default Authentication rule for Policy Set ASA FW Rule
@@@ PsUpgrade:	debug- :Build authentication result data for default rule  of Policy Set  ASA FW Rule
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, isArrivingFromPolicySetAPI= true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, PolicySetRestService.isPolicySetModeActivated() = true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
@@@ PsUpgrade:	debug- :Built authentication result for rule Default with following attributes: Identity Source=Internal Users, If Auth fail=REJECT, If Process fail=DROP, If User not found=REJECT
@@@ PsUpgrade:	debug- :Found 1 non default Authentication rules for Policy Set ASA FW Rule
@@@ PsUpgrade:	debug- :Reading Authentication rule ASA VPN AuthC  of Policy Set  ASA FW Rule
@@@ PsUpgrade:	debug- :About to get condition RHS display value for Network Access with attribute Protocol
@@@ PsUpgrade:	debug- :Network Access:Protocol has allow values enumeration
@@@ PsUpgrade:	debug- : Found allow value for Network Access:Protocol0:RADIUS
@@@ PsUpgrade:	warn- :Couldn't buildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:null:Device Type#All Device Types#ASA FW, Will try to build it from rhs value
com.cisco.cpm.policy.pal.PalException: Value for attribute is not a permitted option
	at com.cisco.cpm.policy.pal.policyCondition.ConditionsData.validateAllowedValues(ConditionsData.java:545)
	at com.cisco.cpm.policy.pal.policyCondition.ConditionsData.initSimple(ConditionsData.java:438)
	at com.cisco.cpm.policy.pal.policyCondition.ConditionsData.<init>(ConditionsData.java:299)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgradeUtil.buildConditionDataForNameValue(PolicyUpgradeUtil.java:947)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradeNetAccessRuleBuilder.buildConditionDataClauseSimple(UpgradeNetAccessRuleBuilder.java:152)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradeNetAccessRuleBuilder.buildConditionDataClauses(UpgradeNetAccessRuleBuilder.java:99)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradeNetAccessRuleBuilder.buildRuleConditionData(UpgradeNetAccessRuleBuilder.java:70)
	at com.cisco.cpm.policy.configuration.upgrade.builder.AbstractUpgradePolicyDataBuilder.buildNetAccessRuleConditionData(AbstractUpgradePolicyDataBuilder.java:78)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradePolicyDataBuilderRadius.buildNetAccessRuleConditionData(UpgradePolicyDataBuilderRadius.java:200)
	at com.cisco.cpm.policy.configuration.upgrade.builder.AbstractUpgradePolicyDataBuilder.buildAuthenticationRules(AbstractUpgradePolicyDataBuilder.java:128)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradePolicyDataBuilderRadius.buildUpgradeData(UpgradePolicyDataBuilderRadius.java:96)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySetRadius(PolicyUpgrade.java:394)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySet(PolicyUpgrade.java:337)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySets(PolicyUpgrade.java:213)
	at com.cisco.cpm.ups.upgrade.impl.PolicyUpgradeHandler.importData(PolicyUpgradeHandler.java:67)
	at com.cisco.cpm.ups.upgrade.UpgradeHandler.exportAndImport(UpgradeHandler.java:38)
	at com.cisco.cpm.ups.upgrade.UpgradeHandler.execUpgrade(UpgradeHandler.java:29)
	at com.cisco.cpm.ups.upgrade.impl.UPSUpgradeHandler.upgrade(UPSUpgradeHandler.java:154)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185)
@@@ PsUpgrade:	debug- :Trying to rebuildConditionDataForNameValue  for: lhsAttrId:DEVICE.Device Type rhsString:Device Type#All Device Types#ASA FW
@@@ PsUpgrade:	info- :Successfully rebuildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:All Device Types#ASA FW
@@@ PsUpgrade:	debug- :Build authentication result data for rule ASA VPN AuthC in Policy Set ASA FW Rule
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, isArrivingFromPolicySetAPI= true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, PolicySetRestService.isPolicySetModeActivated() = true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
@@@ PsUpgrade:	debug- :Build authentication rule result data for outer rule ASA VPN AuthC
@@@ PsUpgrade:	debug- :Reading authentication inner rules for PS: ASA FW Rule
@@@ PsUpgrade:	debug- :Build authentication rule result data for outer default rule
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, isArrivingFromPolicySetAPI= true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, PolicySetRestService.isPolicySetModeActivated() = true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
Retrived the data from Handlercom.cisco.cpm.ups.upgrade.impl.PolicyUpgradeHandler]
com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: java.lang.NullPointerException
	at com.cisco.cpm.ups.upgrade.UpgradeHandler.exportAndImport(UpgradeHandler.java:41)
	at com.cisco.cpm.ups.upgrade.UpgradeHandler.execUpgrade(UpgradeHandler.java:29)
	at com.cisco.cpm.ups.upgrade.impl.UPSUpgradeHandler.upgrade(UPSUpgradeHandler.java:154)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185)
Caused by: java.lang.NullPointerException
	at com.cisco.cpm.policy.configuration.upgrade.builder.AbstractUpgradePolicyDataBuilder.buildAuthenticationRuleResultDataForOuterDefaultRule(AbstractUpgradePolicyDataBuilder.java:284)
	at com.cisco.cpm.policy.configuration.upgrade.builder.AbstractUpgradePolicyDataBuilder.buildAuthenticationInnerRules(AbstractUpgradePolicyDataBuilder.java:182)
	at com.cisco.cpm.policy.configuration.upgrade.builder.UpgradePolicyDataBuilderRadius.buildUpgradeData(UpgradePolicyDataBuilderRadius.java:99)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySetRadius(PolicyUpgrade.java:394)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySet(PolicyUpgrade.java:337)
	at com.cisco.cpm.policy.configuration.upgrade.PolicyUpgrade.upgradeLegacySets(PolicyUpgrade.java:213)
	at com.cisco.cpm.ups.upgrade.impl.PolicyUpgradeHandler.importData(PolicyUpgradeHandler.java:67)
	at com.cisco.cpm.ups.upgrade.UpgradeHandler.exportAndImport(UpgradeHandler.java:38)
	... 4 more
 Error while applying changes in version: 2.3.0.100 class: com.cisco.cpm.ups.upgrade.impl.UPSUpgradeHandler
com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: Failed to upgrade to version 2.3.0.100: java.lang.NullPointerException
	at com.cisco.cpm.ups.upgrade.impl.UPSUpgradeHandler.upgrade(UPSUpgradeHandler.java:162)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:132)
	at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:185)
ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED
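
A way to triage a URT log like the one above, as an added example that is not part of the original post and not Cisco tooling: it pairs each `Couldn't buildConditionDataForNameValue` warning with a later `Successfully rebuildConditionDataForNameValue` line and reports the `Caused by:` exception separately. The names `triage` and `SAMPLE_LOG` are chosen here, and the sample is abridged from the posted log.

```python
import re

# Abridged from the URT log posted above (stack frames trimmed).
SAMPLE_LOG = """\
@@@ PsUpgrade:\twarn- :Couldn't buildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:null:Device Type#All Device Types#ASA FW, Will try to build it from rhs value
com.cisco.cpm.policy.pal.PalException: Value for attribute is not a permitted option
\tat com.cisco.cpm.policy.pal.policyCondition.ConditionsData.validateAllowedValues(ConditionsData.java:545)
@@@ PsUpgrade:\tinfo- :Successfully rebuildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:All Device Types#ASA FW
@@@ PsUpgrade:\tdebug- :Build authentication rule result data for outer default rule
Caused by: java.lang.NullPointerException
\tat com.cisco.cpm.policy.configuration.upgrade.builder.AbstractUpgradePolicyDataBuilder.buildAuthenticationRuleResultDataForOuterDefaultRule(AbstractUpgradePolicyDataBuilder.java:284)
 Error while applying changes in version: 2.3.0.100 class: com.cisco.cpm.ups.upgrade.impl.UPSUpgradeHandler
"""

WARN = re.compile(r"warn- :Couldn't buildConditionDataForNameValue for: lhsAttrId:(.+?) rhsString:")
OK = re.compile(r"info- :Successfully rebuildConditionDataForNameValue for: lhsAttrId:(.+?) rhsString:")
STEP = re.compile(r"PsUpgrade:\s+debug- :(.*)")
FAILED = re.compile(r"Error while applying changes in version: (\S+) class: (\S+)")

def triage(log_text):
    """Separate recovered condition warnings from the exception that aborts the step."""
    report = {"recovered": 0, "unrecovered": [], "root_cause": None,
              "frame": None, "last_step": None, "failed": None}
    pending = []          # attributes warned about, awaiting a rebuild message
    want_frame = False    # True right after a "Caused by:" line
    for line in log_text.splitlines():
        if want_frame and line.strip().startswith("at "):
            report["frame"] = line.strip()[3:]   # top frame of the cause
            want_frame = False
        if m := WARN.search(line):
            pending.append(m.group(1))
        elif m := OK.search(line):
            if m.group(1) in pending:
                pending.remove(m.group(1))
                report["recovered"] += 1
        elif line.startswith("Caused by: "):
            report["root_cause"] = line[len("Caused by: "):].strip()
            want_frame = True
        elif m := FAILED.search(line):
            report["failed"] = (m.group(1), m.group(2))
        elif (m := STEP.search(line)) and report["root_cause"] is None:
            report["last_step"] = m.group(1).strip()   # last step logged before the cause
    report["unrecovered"] = pending
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the abridged sample, the Device Type warning is counted as recovered and the reported cause is the `NullPointerException` raised in `buildAuthenticationRuleResultDataForOuterDefaultRule`.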

 

Accepted Solutions

Please work through the TAC as they should help you and make sure everything is good before you proceed. They can also use their knowledge and open bugs if necessary. Make sure you are running the latest patch as well before running the tool.


3 Replies

Surendra
Cisco Employee
Looks like there is a white space before “Device Type#All Device Types#ASA FW”. Please rebuild that condition and it should go through. If you have similar rules, I recommend you do the same for them as well.

Unfortunately, I created a really new Rule (ASA FW Rule NEW) from scratch with the same values as the old one. But the result is the same.
All Device Types is a system Network Device Group and it can't be changed.

 

@@@ PsUpgrade:	debug- :Trying to rebuildConditionDataForNameValue  for: lhsAttrId:DEVICE.Device Type rhsString:Device Type#All Device Types#ASA FW
@@@ PsUpgrade:	info- :Successfully rebuildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:All Device Types#ASA FW
@@@ PsUpgrade:	debug- :Reading Authentication rules for Policy Set ASA FW Rule NEW
@@@ PsUpgrade:	debug- :Reading Default Authentication rule for Policy Set ASA FW Rule NEW
@@@ PsUpgrade:	debug- :Build authentication result data for default rule  of Policy Set  ASA FW Rule NEW
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, isArrivingFromPolicySetAPI= true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
-->validatePolicyMode, PolicySetRestService.isPolicySetModeActivated() = true
isPolicySetModeActivated --> pss.getPolicySetMode() = POLICY_SET
@@@ PsUpgrade:	debug- :Built authentication result for rule Default with following attributes: Identity Source=All_User_ID_Stores, If Auth fail=REJECT, If Process fail=DROP, If User not found=REJECT
@@@ PsUpgrade:	debug- :Found 1 non default Authentication rules for Policy Set ASA FW Rule NEW
@@@ PsUpgrade:	debug- :Reading Authentication rule ASA VPN AuthC  of Policy Set  ASA FW Rule NEW
@@@ PsUpgrade:	warn- :Couldn't buildConditionDataForNameValue for: lhsAttrId:DEVICE.Device Type rhsString:null:Device Type#All Device Types#ASA FW, Will try to build it from rhs value
com.cisco.cpm.policy.pal.PalException: Value for attribute is not a permitted option
	at com.cisco.cpm.policy.pal.policyCondition.ConditionsData.validateAllowedValues(ConditionsData.java:545)
	at 
