10-01-2013 10:08 AM - edited 03-10-2019 08:57 PM
Hi there
I´m upgrading a distributed enviroment with 2 Administration/monitoring nodes and 2 as a Policy. I´m upgrading from 1.1.4 patch 6 to 1.2.0.899
I´ve upgraded first the secondary administration node and then the both Policy servers. Now they are already in 1.2 version, but when I´m going to upgrade the primary server (still in v1.1.4) seems as if there where still any server without upgrade.
es-ise000/admin# application upgrade ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
STEP 1: Stopping ISE application...
% Warning: All secondary nodes should be upgraded and inline posture nodes should be de-registered before upgrading Primay PAP.
Starting application after rollback...
% Warning: The node has been reverted back to its pre-upgrade state.
error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
% Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
The servers are running in VMWare
This are the servers already upgraded to 1.2
This is from the primary administration server, still running 1.1.4
Any Ideas
Thanks in advance
10-02-2013 02:17 AM
Hi
you must reimage and restore the configuration and operational backup depending on the personas enabled on the node originally. If you have to reimage the node , before you reimage it, ensure that you generate a support bundle by running the backup-logs CLI command and place the support bundle in a remote repository in order to help ascertain the cause of failure.
Moreover, please make sure that you perform the upgrade as described in the following link:
http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_0100.html
10-02-2013 03:03 AM
Thank you for your answer Muhammad.
I have already 3 servers already upgraded to 1.2. Could I reimage the the server that is left directly to 1.2 and register it as a secondary persona?
If this is not possible Could I reimage to 1.2 and restore the backup done with 1.1.4?
Thanks
10-03-2013 05:32 AM
Hi ,
The final step in the upgrade of ISE 1.2 is to upgrade the primary Administration node to Cisco ISE, Release 1.2.
If the upgrade is success on this node then this node will be added to the new deployment as a secondary Administration node. You can promote the secondary Administration node to be the primary node in the new deployment. If you want to retain the secondary Administrative node from old deployment as your primary node, you must obtain a license that includes the UDI of both the primary and secondary Administration nodes.
In case if you want to make your primary Admin node from old deployment as a Primary node in the new ISE 1.2 deployment then just promote the node.
As you are facing difficulty in upgrading Primary Admin node from ISE 1.1.4 version to ISE 1.2 version you try the following steps.
-The safest way is to re-image the ISE Primary node es-ise000 to ISE 1.2 version and join to the deployment. Once the node is joined successfully and replication is done , you can safely promote the original primary node es-ise000 as your Primary ISE node in new ISE 1.2 deployment.
-The other way is to perform reset-config operation on the older Primary node and once it is done perform the upgrade operation and then register it back to the deployment of ISE 1.2 and then promote as Primary node once replication is completed.
Thanks,
Naresh
10-03-2013 06:33 PM
The replication ports have changed in Cisco ISE, Release 1.2 and if you have deployed a firewall between your primary Administration node and any other node, the following ports must be open before you upgrade to Release 1.2:
Kindly follow the link below to verify the configuration.
http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html
10-05-2013 12:13 AM
Hi Basant,
The port that needs to be allowed for secure communication between Primary administration node and monitor node is TCP1528.
TCP 2484 is not being used and is wrongly mentioned in the document.
We are correcting this error.
Thanks,
Naresh
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: