I have a CPAM 1.5.0 2-node HA cluster. I'm looking to upgrade to version 1.5.2. The only documentation I see on Cisco's site is the upgrade for a single server, which is a fairly easy process. But what I don't know is if I follow the steps exactly for each server, or is there something else that needs to get done for the HA piece?
Just as a quick test of the setup process, I upgraded one of the nodes, but when I went to execute the upgrade, I was told I couldn't because a peer service was started. To work around that, I removed the shared IP out of the configuration for the one node. That allowed me to proceed and upgrade the box. However, again, is that the proper upgrade path or is there something else I'm missing? Is it as easy as just upgrading the second node and then re-entering the shared IP address?
Here are the steps I followed from the Release Notes for Cisco Physical Access Control, Release 1.5.2:

Upgrading CPAM from 1.5.0/1.5.1 to CPAM 1.5.2

Note The below given procedure should be followed before upgrading from 1.5.0 or 1.5.1 to 1.5.2. This applies to CPS-MSP-1RU-K9, CPAM 1.5.x virtual machines and CPS-UCS-1RU-K9 platforms.

Step 1 Stop cpamacserver via webadmin.
Step 2 Copy the preupgrade-1.5.2.zip file to the server under /home/cpamadmin.
Step 3 Extract the preupgrade-1.5.2.zip file using the command unzip preupgrade-1.5.2.zip.
Step 4 Change the file to the preupgrade folder using the command cd preupgrade.
Step 5 Change the permission for all the 3 files namely preUpgrade.sh, immortal.sh and upgrade.sh files using the command chmod 755 <filename>.
Step 6 Run the dos2unix <filename> command for both the scripts.
Step 7 Stop the immortal service using the command service immortal stop.
Step 8 Execute the preUpgrade.sh script alone.
Note Do not run the upgrade.sh script.
Step 9 Start immortal service using the command service immortal start.
Step 10 Upgrade to 1.5.2 by uploading the appropriate upgrade bin file from the webadmin.
Thanks for the reply. I had to stop the server service as well as remove the shared IP to even perform the upgrade, so both steps were done on both servers. Unfortunately I did NOT stop the server service or remove the shared IP on the secondary node BEFORE I did the upgrade on the primary. But, again, I did stop server and removed shared IP from primary before upgrading it.
My databases are still out of sync after performing the upgrade on both and re-inputting the shared IP and starting the server service again. I'm not sure they are even in a "cluster" at this point. When I look in the High Availability Audit log, they both claim to be active, and the personnel is populated on the primary CPAM server when using the CPAM client, and the personnel list is empty on the secondary - not sure if that is by design or my suspicions are correct that the clustering/HA got messed up during the upgrade.
Would you happen to know how I can "kickstart" the HA again or is this a TAC call?
Unfortunately at this point... it's going to be a TAC call. The good news is, you have an active primary server with a good database. So this is recoverable. First step - Get that full config backup with events (events are optional... but I always try to grab them when possible) downloaded. Depending on how many badges you have, this backup will probably be in the 500 MB range. (1000 badges, 50-100 doors). If you download the backup file, and it's only a meg or two in size, you aren't getting the full backup and it'll probably have to be done from the command line.
I forget, is this a virtual environment? If so, I'd spin down the secondary server, throw a new VM out with just the HA license applied, and then re-input the shared IP settings. Give it a few hours to sync.
This isn't the first time I've run into this, so I do believe the TAC team will be able to help get you back up to speed in relatively little time!