ISE 3.1 Zero Touch Provisioning (ZTP) issues

Arne Bier
VIP

Hello,

When ISE 3.1 was first released I tested ZTP on vSphere using the .iso ISE installer method. At that time, I was unable to mount two .iso/.img files, so I used the Advanced Attributes option (BASE64 encoded) ZTP config option - that worked. I was able to install, configure and patch the node.

Since the ISE 3.1 ISO 'b' variant was released (ise-3.1.0.518b.SPA.x86_64), which added additional features to ZTP (e.g. skip DNS/ping test etc.), I am having less joy with ZTP.

Has anyone found that the ZTP config in BASE64 encoding no longer works when booting the VM from the new 3.1 ISO?

I also found that the patching via FTP didn't work anymore. I have an anonymous FTP which I can browse using WinSCP (anonymous user) as well as via ISE itself when I configure the repo with the URL and user 'anonymous'. I see that NFS is also an option, but I wanted FTP to work as well. I have not tried NFS.

 The node was built using ZTP, but the patching was not done. What is wrong with this? I have a horrible feeling that the parser didn't read past the new 'skip' commands, which contains the info for the patching ...

 

hostname=pan1
ipv4_addr=10.10.10.40
ipv4_mask=255.255.255.0
ipv4_default_gw=10.10.10.1
domain=somedomain.com
primary_nameserver=10.10.10.11
secondary_nameserver=10.10.10.12
primary_ntpserver=10.10.10.11
secondary_ntpserver=10.10.10.12
timezone=Australia/Queensland
ssh=true
username=admin
password=BlahBlah2022
SkipIcmpChecks=true
SkipDnsChecks=true
SkipNtpChecks=true
repository_name=myftp
repository_protocol=ftp
repository_server_name=10.10.10.11
repository_path=/ftpmain/Security/ISE
patch=ise-patchbundle-3.1.0.518-Patch4-22091704.SPA.x86_64.tar.gz

 

I tested the anonymous FTP

pan1/admin#
pan1/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
pan1/admin(config)# repo myftp
pan1/admin(config-Repository)# url ftp://10.10.10.11/ftpmain/Security/ISE
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes. If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
pan1/admin(config-Repository)# user anonymous password plain anonymous@cisco.com
pan1/admin(config-Repository)# end
pan1/admin# show repository myftp
ise-patchbundle-3.1.0.518-Patch4-22091704.SPA.x86_64.tar.gz
pan1/admin#

 

5 Replies

Greg Gibbs
Cisco Employee

Hi @Arne Bier. I just tested a similar build using the 'b' variant OVA and ZTP config with NFS. Both the install and patch 4 update worked, so there does not appear to be a general issue with the parsing as far as I can tell. There may be another factor in play. Below is my ZTP config that was base64 encoded.

hostname=ise31-3
ipv4_addr=192.168.222.55
ipv4_mask=255.255.255.0
ipv4_default_gw=192.168.222.35
domain=domain.com
primary_nameserver=192.168.222.24
primary_ntpserver=192.168.100.27
timezone=Australia/Melbourne
ssh=true
username=admin
password=foobar
SkipIcmpChecks=true
SkipDnsChecks=true
SkipNtpChecks=true
repository_name=ubuntu-nfs
repository_protocol=nfs
repository_server_name=192.168.100.131
repository_path=/mnt/nfs_share
patch=ise31p4.tar.gz
ers=true
openapi=true
pxgrid=true
pxcloud=false 

 

Arne Bier
VIP

Thanks mate! I will do some more testing to determine where I am going wrong. I will update my results.

Arne Bier
VIP

I tried my config again in VMware 7.0.3.00500 and I never progress from this console screen - disk activity is zero and the CPU is idling at near zero.

ise31-ztp-vmware.png

As recommended, I changed the Boot Options to use BIOS instead of UEFI.

ise31-ztp-configparms.png

If I use the same config file on an .img file, it at least installs ISE. But the patching doesn't work.

How does one troubleshoot this hung state? Because I like the idea of not having to make those .img files.

Charlie Moreton
Cisco Employee

Arne,

From https://cs.co/ise-ztp:


Only TFTP, HTTP, HTTPS and NFS repositories with no username/password are supported and the repository created during this script is not persistent, meaning that it will not exist in ISE after a reboot. 

When I tested ISE 3.1 with ZTP, I could never get FTP to work, whether anonymous or not, so if you did it was an anomaly.
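
Added example, not part of any post in this thread and not Cisco's code: a pre-flight check for a ZTP config before it is base64 encoded, using the repository protocols listed in the guide quoted above. The sample config is constructed, and two rules are assumptions: that a `patch` entry needs all four `repository_*` keys, and that the protocol is matched case-insensitively.

```python
import base64

# Protocols the ZTP guide quoted in this thread lists as supported.
SUPPORTED_REPO_PROTOCOLS = {"tftp", "http", "https", "nfs"}
REPO_KEYS = ("repository_name", "repository_protocol",
             "repository_server_name", "repository_path")

# Constructed sample using the thread's key names (documentation addresses).
SAMPLE_FTP = """hostname=pan1
ipv4_addr=192.0.2.40
SkipDnsChecks=true
repository_name=myftp
repository_protocol=ftp
repository_server_name=192.0.2.11
repository_path=/ftpmain/Security/ISE
patch=example-patch.tar.gz
"""


def parse_ztp(text):
    """Parse key=value lines; reject malformed lines and duplicate keys."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        if key in cfg:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        cfg[key] = value
    return cfg


def check_patch_settings(cfg):
    """List problems that would stop the patch step (assumed rules, see lead-in)."""
    if "patch" not in cfg:
        return []  # no patching requested
    problems = [f"patch is set but {k} is missing" for k in REPO_KEYS if not cfg.get(k)]
    proto = cfg.get("repository_protocol", "").lower()
    if proto and proto not in SUPPORTED_REPO_PROTOCOLS:
        problems.append(f"repository_protocol={proto} is not supported for ZTP")
    return problems


def encode_ztp(text):
    """Validate, then base64-encode. Encoding is not encryption: the password is recoverable."""
    problems = check_patch_settings(parse_ztp(text))
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64encode(text.encode("utf-8")).decode("ascii")
```

Run against a config with `repository_protocol=ftp`, the check reports the unsupported repository before the VM is booted.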

Arne Bier
VIP

Thanks Charlie. My first attempt was a while ago (distant memory) and I may have used http. Ok. Pity.

For what it's worth, the repo config in ISE that I posted in earlier chats does work. I am using a Windows IIS FTP server but the username/password convention is universal.