Solved: What are you supposed to do when URT fails?

paul · ‎09-28-2017

I am doing an upgrade from 2.1 to 2.3 doing my normal build fresh then restore. The restore is failing on:

Data upgrade step 43/60, UPSUpgradeHandler(2.3.0.100)... Failed.

I then removed one of my admin nodes from the 2.1 deployment, made it a standalone node and ran URT test. It failed at the same spot with no further information:

Data upgrade step 43/60, UPSUpgradeHandler(2.3.0.100)... Failed.

Does that mean we just have to open a TAC case?

Thanks.

paul · ‎09-28-2017

Thanks Hsing and Jason. Let me confirm my thinking with you.

I have done probably 40-50 fresh builds/restores since 1.0 with no issues up to and including 2.2. 2.3 is the only version I have issues with and 2.3 is the only version introduces with a URT. So all the issues have to be with the policy set conversion right?

I think I know what the issue may be. Because the Context Visibility->Endpoints screen doesn’t show the Authorization Profile we got in the habit of covering the default rule at the bottom of our policy sets with a rule with a better name than “Default”. Covering the default rule with no conditions is not allowed in 2.3. So my guess is it is probably bombing out on that conversion. That was mentioned in the other discussion as well.

Is my thinking correct? The issue really has to be in the policy sets.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

View solution in original post

Jason Kunst · ‎09-28-2017

Yes you have to have them engage development and fix the issue

hslai · ‎09-28-2017

This depends on the errors. For example, Upgrade to ise 2.3 failed ran into some issues with policy set upgrade and we changed the policy rules based on the errors.

paul · ‎09-28-2017

Thanks Hsing and Jason. Let me confirm my thinking with you.

I have done probably 40-50 fresh builds/restores since 1.0 with no issues up to and including 2.2. 2.3 is the only version I have issues with and 2.3 is the only version introduces with a URT. So all the issues have to be with the policy set conversion right?

I think I know what the issue may be. Because the Context Visibility->Endpoints screen doesn’t show the Authorization Profile we got in the habit of covering the default rule at the bottom of our policy sets with a rule with a better name than “Default”. Covering the default rule with no conditions is not allowed in 2.3. So my guess is it is probably bombing out on that conversion. That was mentioned in the other discussion as well.

Is my thinking correct? The issue really has to be in the policy sets.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

hslai · ‎09-28-2017

Yes, you are in the right track. The 2.3 upgrade will try converting the legacy policies and policy sets into separate policy sets and that can run into problems as shown in the older thread.

paul · ‎10-05-2017

Just to follow up on this. The issue turned out to be two fold:

I had rules with no conditions that covered the default rule in some of my policy sets.

I also, like a good ISE installer, had authentication and authorization simple conditions with the name EAP-TLS created. ISE 2.3 adds that condition in by default and can't handle that you have them in the config. I had to rename them to something else to get the URT to work.

<rant> Honestly this URT is terrible. Why build a tool that gives no meaningful output that requires TAC to debug the log output. This is basic error handling you load in coding class. </rant>