
ISE 2.3.0.298 Patch6 - startup-configuration is empty

terry.tan
Level 1

Hello,

Just need your advice on the issue we have on our ISE: it's the third time our startup-configuration is empty. The first time it happened was back in late July 2019, then again in late October 2019, and recently on 28th Dec 2019. The first two times Cisco Engineer fixed the configuration and had to copy the RootKey-appbundle-1.0-x86_64.tar.gz and RootPatch-appbundle-1.4.SSA_NOT_FOR_RELEASE.x86_64.tar.gz to the repository box and install the app.

I tried to install the box appbundle but was unsuccessful as it says the bundle has expired.

=====================================================================

betty/netadmin# app install RootKey-appbundle-1.0-x86_64.tar.gz hornet
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
% Error: Aborting installation since bundle has expired!
error: %pre(RootKey-1.0-1.x86_64) scriptlet failed, exit status 1
error: RootKey-1.0-1.x86_64: install failed
% Application install/upgrade failed with system removing the corrupted install

betty/netadmin# app install RootPatch-appbundle-1.4.SSA_NOT_FOR_RELEASE.x86_64.tar.gz hornet
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
% Bundle signature could not be verified

=====================================================================

I'm waiting for Cisco Engineer to rectify our current config failure.

We did reload the whole box on the 20th Dec 2019, our weekly backup is on Saturday and was backing up ok on the 21st Dec 2019.

Any advice on why it's happening so many times?

Thanks in advance.

Terry

1 Accepted Solution


Damien Miller
VIP Alumni
On the root key expiring, that's intentional and how it was designed. This prevents indefinite root access to the appliances, and requires TAC to be engaged.

Software maintenance ended for ISE 2.3 on Dec 19th of this year as part of the end of life wind down. So while you can still get TAC to help fix issues like this, no new software fixes/patches will be released. I would ask TAC if this is a known issue with a bug already logged; if yes, maybe they can confirm there was a fix in 2.4/2.6. The one other possible self service option you have is to move to 2.3 patch 7, at least you rule out most known 2.3 bugs.
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-741734.html

While not a direct resolution to your issue, moving to ISE 2.4 or 2.6 should be top of mind. I am not aware and haven't seen any public facing bugs in 2.4+ that would align with this issue.


Hi,

Thanks. Would like to know why the start-up config keeps disappearing.

Unfortunately our hardware does not support 2.4. So we are stuck with 2.3, I will probably upgrade to patch 7 once the Cisco Engineer fixes up the start-up config issue.

We'll have to upgrade our hardware early next year to support 2.4 onwards, will bring it up with management.

cheers.


@terry.tan wrote:

Hi,

Thanks. Would like to know why the start-up config keeps disappearing.

Unfortunately our hardware does not support 2.4. So we are stuck with 2.3, I will probably upgrade to patch 7 once the Cisco Engineer fixes up the start-up config issue.

We'll have to upgrade our hardware early next year to support 2.4 onwards, will bring it up with management.

cheers.


You will need to ask TAC about why. Also, you could temporarily use VMs if waiting for hardware.

2.6 is the current recommended release, but 2.4 will work as well.