cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
967
Views
0
Helpful
11
Replies

ISE issuse after 1.4 update

Andre Neethling
Level 4
Level 4

Hi. I am stumped here and have been troubleshooting for 2 days now. We recently updated to ISE 1.4.0.253. Since the update, neither ISE is responding to radius requests. When both nodes are registered, only 1 of them is returning data on the dashboard. Sometimes the Primary admin node, sometimes the secondary. But it's not always the same one (See attached). I have tried deregistration of the nodes and re-registration. Nothing changes. Nobody can authenticate. I have also added the appliances to the AD domain. I have tried to reset the M&T database with no change.

Any help will be appreciated.

11 Replies 11

jan.nielsen
Level 7
Level 7

What version did you upgrade from ? Are you on physical appliances, if yes, which ones ?

Hi jan. Thanks for your response. We updated from 1.3.0.876. They are physical appliances, 3415.

I noticed that when I change the primary monitor persona, the system dash changes. See attached update.

So, did you look though the upgrade guide, and check the stuff about nic's on 3415 ? It could be ISE is confused about what interface it is running on.

 

Sequence Network Interface Cards (NICs) for UCS and IBM Appliances

The order in which Network Interface Cards (NICs) are connected to Cisco UCS SNS 3415 and Cisco UCS SNS 3495, and IBM Cisco ISE 3315 appliances may affect the upgrade to ISE 1.4. You should ensure that a pre-upgrade check is performed, followed by sequencing of the NICs. Perform a pre-upgrade check of NICs for UCS and IBM Appliances to ensure that Ports eth0 and eth1 should be used for Intel NICs on UCS appliances and, ports eth2 and eth3 should be used for Broadcom NICs on IBM appliances. Refer to the Sequence Network Interface Cards (NICs) for UCS and IBM Appliances section in the Cisco Identity Services Engine Upgrade Guide, Release 1.4.

 

> I realise this should only be for ise 1.2 or 1.2.1 upgrade straight to 1.4

I did see that, and I thought it would not be applicable because we were upgrading from 1.3.x. How do I know which appliance we have? UCS or IBM? See the output from show inventory below.

 

ise02/admin# sh inventory

NAME: "SNS-3415-K9 chassis", DESCR: "SNS-3415-K9 chassis"
PID: SNS-3415-K9       , VID: A   , SN: FCH1809V1TV
Total RAM Memory: 16307676 kB
CPU Core Count: 4
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 1: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 2: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
CPU 3: Model Info: Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /dev/sda
Disk 0: Capacity: 599.00 GB
Disk 0: Geometry: 255 heads 63 sectors/track 72824 cylinders
NIC Count: 4
NIC 0: Device Name: eth0
NIC 0: HW Address: 74:26:AC:5B:35:F4
NIC 0: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 1: Device Name: eth1
NIC 1: HW Address: 74:26:AC:5B:35:F5
NIC 1: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 2: Device Name: eth2
NIC 2: HW Address: 00:0A:F7:29:99:98
NIC 2: Driver Descr: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver
NIC 3: Device Name: eth3
NIC 3: HW Address: 00:0A:F7:29:99:9A
NIC 3: Driver Descr: Broadcom NetXtreme II BCM5706/5708/5709/5716 Driver

(*) Hard Disk Count may be Logical.

 

EDIT: I see now 34xx are UCS. :-)

Thanks for your assistance Jan. But I have rolled back to 1.3.0876 and with the same configuration, all works well. Thanks again

 

Regards

Andre

Hi Andre,

I'm having a problem with radius on a new 1.4 installation. Did you find a solution to your problem?

 

Thanks

 

Stuart

Hi Stuart.  My ISE also stopped responding to RADIUS after the upgrade to 1.4. I did not find a solution.  I rolled back to 1.3.0.876. All is working well now.

Regards

Andre

Hi,

 

I guessing I was affected by the bug below even though I was doing an upgrade from a new 1.3 to 1.4. Doing a clean build from the 1.4 iso has fixed the issue.

ISE 1.3p2 upgrade to 1.4 breaks iptables rules - all radius dropped CSCuu43966

Thanks Stuart. Much appreciated

Also, do you have your ISE nodes seperated by firewalls/access lists ?

NO Firewalls or ACL's

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: