04-01-2018 09:04 AM
Hey, folks.
I have problems upgrading ISE from v2.2 (latest patch 7) to any of the new versions like 2.3 or even 2.4 ....
Until now I have tried the following things:
1. Ran urt bundles (both 2.3 and 2.4) on the secondary admin node to test
-> app install ise-urtbundle-2.4.0.357-1.0.0.SPA.x86_64.tar.gz REPO_localdisk
Both urt bundles fail at the same point:
# app install ise-urtbundle-2.4.0.357-1.0.0.SPA.x86_64.tar.gz REPO_localdisk
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Getting bundle to local machine...
Unbundling Application Package...
Verifying Application Signature...
Initiating Application Install...
###########################################
# Installing Upgrade Readiness Tool (URT) #
###########################################
Checking ISE version compatibility
- Successful
Checking ISE persona
- Successful
Along with Administration, other services (MNT) are enabled on this node. Installing and running URT might consume additional resources.
Do you want to proceed with installing and running URT now (y/n):y
Checking if URT is recent(<45 days old)
- Successful
Installing URT bundle
- Successful
########################################
# Running Upgrade Readiness Tool (URT) #
########################################
This tool will perform following tasks:
1. Pre-requisite checks
2. Clone config database
3. Copy upgrade files
4. Data upgrade on cloned database
5. Time estimate for upgrade
Pre-requisite checks
====================
Disk Space sanity check
- Successful
NTP sanity
- Successful
Appliance/VM compatibility
- Successful
Trust Cert Validation
- Successful
System Cert Validation
- Successful
Invalid MDMServerNames in Authorization Policies check
- Successful
6 out of 6 pre-requisite checks passed
Clone config database
=====================
[########################################] 100% Successful
Copy upgrade files
==================
- N/A
Data upgrade on cloned database
===============================
Modifying upgrade scripts to run on cloned database
- Successful
Running schema upgrade on cloned database
- Running db sanity to check and fix if any index corruption
- Auto Upgrading Schema for UPS Model
- Upgrading Schema completed for UPS Model
- Successful
Running sanity after schema upgrade on cloned database
- Successful
Running data upgrade on cloned database
- Data upgrade step 1/43, UPSUpgradeHandler(2.3.0.100)... Failed.
- Failed
Final cleanup before exiting...
2. I have installed each of the versions from scratch in the lab and tried to restore a backup I took from the 2.2 production deployment
-> Restore fails in both versions at the same point:
Initiating restore. Please wait...
% restore in progress: Starting Restore...10% completed
% restore in progress: Retrieving backup file from Repository...20% completed
% restore in progress: Decrypting backup data...25% completed
% restore in progress: Extracting backup data...30% completed
Leaving the currently connected AD domain
Please rejoin the AD domain from the administrative GUI
% restore in progress: Stopping ISE processes required for restore...35% completed
Cleaning up TC-NAC docker configuration...
% restore in progress: Restoring ISE configuration database...40% completed
% restore in progress: Adjusting host data for upgrade...60% completed
UPGRADE STEP 1: Running ISE configuration database schema upgrade...
- Running db sanity to check and fix if any index corruption
- Auto Upgrading Schema for UPS Model
- Upgrading Schema completed for UPS Model
UPGRADE STEP 2: Running ISE configuration data upgrade...
- Data upgrade step 1/43, UPSUpgradeHandler(2.3.0.100)... Failed.
% Error: ISE Global data upgrade failed!
I have searched and read all of the other entries in the communities and the supportforums, but I do not understand exactly, what the guys mean by it, example:
Re: What are you supposed to do when URT fails?
Also found a bug related to my problem:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg13303/?rfs=iqvred
but since I try to upgrade to 2.4 also, does not make any sense to me ...
I have not yet opened a TAC for this ......
Any ideas what else I could try ???
Rgs
Frank
Answer to hslai:
Seems that I cannot submit any answers .... site throws some red errors ... strange !!!
maybe here then ..:
Hi,
I just installed GnuPG and took a look at the log files, found this in the fist file I looked at (dbupgrade-data-global-xxxx):
@@@ PsUpgrade: info- :cleanDB done.
@@@ PsUpgrade: info- :Checking whether to init PAL...
@@@ PsUpgrade: info- :Upgrade Config says - initPal flag:.true
@@@ PsUpgrade: info- :Starting PalCore...
@@@ PsUpgrade: error- :Failed to init PAL
com.cisco.cpm.policy.pal.PalException: Failed to create Tacacs elements
Any idea, what this might mean ???
FYI, TACACS is not running on the deployment .....
Rgs
Frank
04-01-2018 09:26 AM
If you provided an encryption passphrase yourself while generating the log bundle, then you should be able to decrypt the bundle yourself if you have GnuPG installed on your PC/Mac. Otherwise, you would need TAC to help checking on the log files.
CSCvg13303 is specific to "Data upgrade step 1/18, UPSUpgradeHandler(2.3.0.100)" whereas your error is "Data upgrade step 1/43" so it does not seem the same issue.
04-01-2018 09:37 AM
Hi,
I just installed GnuPG and took a look at the log files, found this in the fist file I looked at (dbupgrade-data-global-xxxx):
@@@ PsUpgrade: info- :cleanDB done.
@@@ PsUpgrade: info- :Checking whether to init PAL...
@@@ PsUpgrade: info- :Upgrade Config says - initPal flag:.true
@@@ PsUpgrade: info- :Starting PalCore...
@@@ PsUpgrade: error- :Failed to init PAL
com.cisco.cpm.policy.pal.PalException: Failed to create Tacacs elements
Any idea, what this might mean ???
FYI, TACACS is not running on the deployment .....
Rgs
Frank
04-01-2018 09:57 AM
Go to ISE admin web UI > Work Centers > Device Administration > Policy Elements > Results.
Under TACACS Command Sets, anything other than DenyAllCommands there? If yes, you may consider deleting them.
Under TACACS Profiles, anything other than "Default Shell Profile", "Deny All Shell Profile", "WLC ALL", "WLC MONITOR"? Delete anything extra.
If that does not help, please open a TAC case and provide a copy of your ISE CFG backup to TAC.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide