07-30-2013 02:00 AM - edited 03-10-2019 08:42 PM
Hi, folks.
Anyone here who used "ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz" to upgrade his/her ISE distributed deployment successfully ???
I have tried it, using the procedure described in the Cisco ISE Upgrade Guide 1.2. It already fails at Step 1: Upgrading the secondary Administration Node first:
- Data upgrade step 26/80, GuestUpgradeService(1.2.0.319)... Done in 0 seconds.
- Data upgrade step 27/80, ProfilerUpgradeService(1.2.0.319)... Done in 6 seconds.
- Data upgrade step 28/80, NetworkAccessUpgrade(1.2.0.326)... Done in 0 seconds.
- Data upgrade step 29/80, GuestUpgradeService(1.2.0.341)... Done in 4 seconds.
- Data upgrade step 30/80, NSFUpgradeService(1.2.0.344)... Done in 0 seconds.
- Data upgrade step 31/80, RBACUpgradeService(1.2.0.344)... .Done in 96 seconds.
- Data upgrade step 32/80, NSFUpgradeService(1.2.0.349)... Done in 0 seconds.
- Data upgrade step 33/80, AuthzUpgradeService(1.2.0.351)... Done in 0 seconds.
- Data upgrade step 34/80, RegisterPostureTypes(1.2.0.363)... ..........................Failed.
Rolling back the configuration database...
Starting application after rollback...
% Warning: Do the following steps to revert node to its pre-upgrade state.
-Register this node back to old Primary
error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
% Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
The running version is 1.1.4 with latest patch:
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.4.120
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise-worf
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 1.1.4.218
Build Date : Wed Apr 10 22:20:22 2013
Install Date : Fri May 3 19:16:05 2013
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Wed May 29 08:16:58 2013
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 2
Install Date : Mon Jun 10 05:29:21 2013
Cisco Identity Services Engine Patch
---------------------------------------------
Version : 3
Install Date : Wed Jul 17 08:45:02 2013
The script tells me to check the logs ... but for what ??? Local log file (sh logg) is packed with errors (java, eap, cert ...) .......
Contacting TAC for support is no option, because this is a test deployment only .....
The same thing also happens, when I switch both Admin nodes (switch the primary to secondary) and try to upgrade the "new" secondary ..
Any ideas ???
07-30-2013 02:16 AM
Frank,
You need to have a root patch of some sort (TAC patch, root patch, rpssh) to access the logs.
From my lab device:
[root@mlatosieISENBC logs]# pwd
/opt/CSCOcpm/logs
[root@mlatosieISENBC logs]# ls -la *20130729*
-rw-r--r-- 1 root gadmin 242780 Jul 29 13:12 isedbupgrade-data-global-20130729-125207.log
-rw-rw-rw- 1 oracle gadmin 5249 Jul 29 12:52 isedbupgrade-schema-20130729-124515.log
Those are the logs from my upgrade done yesterday.
M.
07-30-2013 02:56 AM
Out of interest, how did you even obtain this file?
We've purchased an ISE NFR license from the Partner Evaluation Software site
cisco.com/go/nmsevals and it's shipped with 1.1.1, on a USB stick (software and NFR license).
We can't download the file
ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz due to "additional entitlement" - so we are stuck with an outdated NFR version.
07-30-2013 05:52 AM
I think this is the reason; you are not able to upgrade it successfully. You need the below file for upgrading.
ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz
07-30-2013 05:55 AM
That is exactly the file I used ......
07-31-2013 01:10 AM
Little update:
The upgrade also fails (with same error) when trying to upgrade a freshly installed ise v1.1.4 Patch 1-3, (Secondary Admin Node only) which is also part of a distributed deployment ....
07-31-2013 03:10 AM
Hi TS,
Did you upgrade your NFR the first time and later on the test on 1.1.4 patch 3 evaluation license?
07-31-2013 08:28 PM
Hi,
There is a bug related to blank posture policies documented at the end of this thread.
https://supportforums.cisco.com/thread/2231046?tstart=0
Just for your reference, I was able to upgrade my instance by reimaging to 1.2 and restoring my 1.1.x backup.
Tarik Admani
*Please rate helpful posts*
11-19-2013 08:43 AM
I have the same problem and the TAC team recommended doing a fresh 1.2 install and restoring the application backup from 1.1.4.
11-19-2013 09:44 AM
Frank,
There is a known defect, CSCui58123, for this issue, and here is the workaround to fix this issue so the upgrade goes smoothly.
In the below path, please check your requirement policy's conditions and set the valid condition for the policy which has the "Select Conditions" option as shown below.
Policy > Policy Elements > Results > Posture > Requirements
The requirement policy has a condition that is not set. It shows "Select Conditions".
Even if you do a fresh install and restore the ISE 1.1.4 backup to ISE 1.2, you are prone to hit this issue. As this is related to data, the upgrade model of the data is one and the same when you restore the ISE 1.1.4 data backup to ISE 1.2 and when you trigger the upgrade on ISE 1.1.4.