cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1277
Views
5
Helpful
5
Replies

ISE upgrade 1.1.4 to 1.2 Fail

jrodriguez
Level 1
Level 1

Hi there

I´m upgrading a distributed enviroment with 2 Administration/monitoring nodes and 2 as a Policy. I´m upgrading from 1.1.4 patch 6 to 1.2.0.899

I´ve upgraded first the secondary administration node and then the both Policy servers. Now they are already in 1.2 version, but when I´m going to upgrade the primary server (still in v1.1.4) seems as if there where still any server without upgrade.

es-ise000/admin# application upgrade ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz disk

Save the current ADE-OS running configuration? (yes/no) [yes] ? yes

Generating configuration...

Saved the ADE-OS running configuration to startup successfully

Initiating Application Upgrade...

% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.

STEP 1: Stopping ISE application...

% Warning: All secondary nodes should be upgraded and inline posture nodes should be de-registered before upgrading Primay PAP.

Starting application after rollback...

% Warning: The node has been reverted back to its pre-upgrade state.

error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1

% Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.

The servers are running in VMWare

This are the servers already upgraded to 1.2

ise 1.2.jpg

This is from the primary administration server, still running 1.1.4

ise 1.1.4.jpg

Any Ideas

Thanks in advance

5 Replies 5

Muhammad Munir
Level 5
Level 5

Hi

you must reimage and restore the configuration and operational backup depending on the personas enabled on the node originally. If you have to reimage the node , before you reimage it, ensure that you generate a support bundle by running the backup-logs CLI command and place the support bundle in a remote repository in order to help ascertain the cause of failure.

Moreover, please make sure that you perform the upgrade as described in the following link:

http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_0100.html

Thank you for your answer Muhammad.

I have already 3 servers already upgraded to 1.2. Could I reimage the the server that is left directly to 1.2 and register it as a secondary persona?

If this is not possible Could I reimage to 1.2 and restore the backup done with 1.1.4?

Thanks

Hi ,

The final step in the upgrade of ISE 1.2 is to upgrade the primary Administration node to Cisco ISE, Release 1.2.

If the upgrade is success on this node then this node will be added to the new deployment as  a secondary Administration node. You can promote the secondary  Administration  node to be the primary node in the new  deployment. If you want to retain the secondary Administrative node from old deployment as your primary node, you must  obtain a license that includes the UDI of both the primary and secondary  Administration nodes.

In case if you want to make your primary Admin node from old deployment as a Primary node in the new ISE 1.2 deployment then just promote the node.

As you are facing difficulty in upgrading Primary Admin node from ISE 1.1.4 version to ISE 1.2 version you try the following steps.

-The safest way is to re-image the ISE Primary node es-ise000 to ISE 1.2 version and join to the deployment. Once the node is joined successfully and replication is done , you can safely promote the original primary node es-ise000 as your Primary ISE node in new ISE 1.2 deployment.

-The other way is to perform reset-config operation on the older Primary node and once it is done perform the upgrade operation and then register it back to the deployment of ISE 1.2 and then promote as Primary node once replication is completed.

Thanks,

Naresh

blenka
Level 3
Level 3

Firewall Ports That Must be Open for Communication

The replication ports have changed in Cisco ISE, Release 1.2 and if you have deployed a firewall between your primary Administration node and any other node, the following ports must be open before you upgrade to Release 1.2:

  • TCP 2484—For      communication between the primary administration node and monitoring      nodes.
  • TCP 443—For      communication between the primary administration node and all other      secondary nodes.
  • TCP 12001—For global      cluster replication.

Kindly follow the link below to verify the configuration.

http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html

Hi Basant,

The port that needs to be allowed for secure communication between Primary administration node and monitor node is TCP1528.

TCP 2484 is not being used and is wrongly mentioned in the document.

We are correcting this error.

Thanks,

Naresh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: