Cisco ISE 2.4.0.357 Upgrade ISSUE

gpinero
Level 1

Hi all, in the upgrade process from 2.3 to 2.4 I have this error in Context Visibility:

Unable to load Context Visibility page. Ensure that full certificate chain of admin certificate is installed on Administration->System->Certificates->Trusted Certificates. If not, install them and restart application services. Exception: None of the configured nodes are available: [{#transport#-1}{tFtNsZVgRSWNBQkBtiOBOQ}{ise.domain.com}{10.12.12.12:9300}]

I have deleted all certificates and I have reloaded them with their entire chain but the error still appears.

 

It seems to be a bug in older versions but not in 2.4

https://supportforums.cisco.com/t5/cisco-bug-discussions/cscvd38251-unable-to-load-context-visibility-page/td-p/3067112

Can anyone help me?

CCNP R&S, CCNP Security, CCNA CyberOps

1 Accepted Solution


The entire certificate chain was uploaded to all ISE nodes. Finally I opened a TAC case and the solution was to go back to version ISE 2.3.

CCNP R&S, CCNP Security, CCNA CyberOps

Arne Bier
VIP

I have not upgraded to ISE 2.4 yet (still on 2.3). I would like to know how you built your deployment. When you registered additional nodes to your PRIMARY PAN, did those additional nodes have their Admin role certificates generated from the same CA as the Primary PAN?

E.g. I have a case where all of my nodes have an individually created cert from our enterprise PKI (Root->Intermediate->Issuing CA - 3 levels deep). After installing the .iso from fresh I always install all 3 CA certs in the Trusted Certs store. Then I install the Admin role cert on each server. I then designate one server as the Primary PAN and register all the others to it. This has always worked in ISE 2.2 and ISE 2.3 so far and it's one way of registering a deployment. But if you're saying that this breaks when upgrading to ISE 2.4 then I am concerned.


Got the same issue, and after applying patch 2 ... still the same... I'm glad it's a test environment.

Sorry to hear you had to go back to 2.3

The official upgrade process may have messed things up. I would not give up though. Are you able to build a fresh 2.4 node from the OVA/ISO and then restore the 2.3 config backup onto it? That's how I would approach an "upgrade".

If the 2.3 database is so corrupted then it might be best to build a new 2.4 deployment and reconfigure what you need. ISE 2.4 promised us the import Policy Set feature (we can already export Policy Sets as XML) - now if that were possible then you'd have a nice clean way to get the bulk of the logic migrated.

You can already import Network Device Groups and RADIUS Dictionaries and of course Network Access Devices (NADs) - that can be a big chunk of config imported into the new deployment, instead of potentially importing a load of garbage into your new nodes.
