anyone upgrade ISE to 1.1 yet?

Unanswered Question
Mar 21st, 2012

Has anyone upgraded to 1.1 on ISE?

How did the upgrade go?  Any issues?  How long did it take?

TIA

Scott

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
SCOTT VOLL Thu, 03/22/2012 - 08:15

I guess someone has to be first..... Lets just say.... it didn't go according to plan.  TAC is working on why it didn't work.

Started the upgrade:

 

ise-vm29/admin# application upgrade ise-appbundle-1.1.0.665.i386.tar.gz 

Save the current ADE-OS running configuration? (yes/no) [yes]? 

Generating configuration...

Saved the ADE-OS running configuration to startup successfully

Initiating Application Upgrade...


Got this far and stopped.  Never continued to the following.

###############################################################

NOTICE: ISE upgrade requires you to change the database

administrator and database user password. You will be

prompted to change these passwords after the system reboots.

###############################################################

Stopping ISE application before upgrade...

Running ISE Database upgrade...

Upgrading ISE Database schema...

ISE Database schema upgrade completed.

Running ISE Global data upgrade as this node is a STANDALONE...

Running ISE data upgrade for node specific data...

This application Install or Upgrade requires reboot, rebooting now...

I will try and update as I find out more.

jjonessec1969 Thu, 03/22/2012 - 11:36

I got through the whole process then I got this message

ISE Global data upgrade failed!

stopping ISE database process

error:%post(CSCIcpm-upgrade-1.10-665.i386) scriptlet failed, exit status 1

both my systems are standalone, it would not upgrade them unless they were standalone.

SCOTT VOLL Thu, 03/22/2012 - 11:48

just as a follow up..... 11 hours later it went into the upgrade and finished just shy of 12 hours after I started the upgrade.  I AM SO GLAD it's not in full production!

SCOTT VOLL Fri, 03/23/2012 - 08:01

follow up once again.

after rebooting the ISE box... the application keeps going between

ISE Application Server is still initializing.

and

ISE Application Server process is not running.

Back on line with TAC

SCOTT VOLL Mon, 03/26/2012 - 12:41

started having issues athenicating AD users, so rebooted and then ISE would not come up at all.

over the weekend if finally came up.  But I'm still having issues with AD authentications.  We are bringing up a 1.0 and doing a restore at this point in time.

This kind of reminds me of the old Voice days when upgrades where h***

YMMV.

George Stefanick Tue, 03/27/2012 - 14:58

Counting my blessings. ISE upgrade took about 30 minutes and was pretty clean.

ISE01/itnet# application upgrade ise-appbundle-1.1.0.665.i386.tar.gz test_server

Save the current ADE-OS running configuration? (yes/no) [yes] ?

Generating configuration...

Saved the ADE-OS running configuration to startup successfully

Initiating Application Upgrade...

Stopping ISE application before upgrade...

Running ISE Database upgrade...

Upgrading ISE Database schema...

Upgrading Session Directory... Completed.

ISE Database schema upgrade completed.

Running ISE Global data upgrade as this node is a STANDALONE...

Running ISE data upgrade for node specific data...

% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.

The mode has been set to licensed.

/var/tmp/rpm-tmp.81145: line 19: log: command not found

% This application Install or Upgrade requires reboot, rebooting now...

Broadcast message from root (pts/0) (Tue Mar 27 16:49:44 2012):

The system is going down for reboot NOW!

*****************************************************************************************************************************

ISE01/itnet# show version

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.2.103

ADE-OS System Architecture: i386

Copyright (c) 2005-2011 by Cisco Systems, Inc.

All rights reserved.

Hostname: ISE01

Version information of installed applications

---------------------------------------------

Cisco Identity Services Engine

---------------------------------------------

Version      : 1.1.0.665

Build Date   : Wed Mar  7 16:51:03 2012

Install Date : Tue Mar 27 16:48:54 2012    

ISE01/XXX#

SCOTT VOLL Tue, 03/27/2012 - 15:55

George--

I'm assuming you didn't use SFTP for your patch repository?

Are you using AD as one of your external identity stores?

Is anyone else having issues with AD authentication sometimes working and sometimes not in version 1.1?

Scott

brian.schultz@s... Wed, 03/28/2012 - 21:23

Scott,

I'm having the same issue you mentioned where the application server is going from initializing to not running.  What did you find to resolve this?  This started happening after the 1.1 upgrade when I changed the database admin and user passwords and I can't seem to get it to restore.

I also had a lot of problems with SFTP and ended up using FTP with much better success.

-Brian

d.baas Fri, 03/23/2012 - 03:33

I upgraded our test environment, a standalone VM.

The upgrade took about 1 hour and 30 minutes and the  ISE VM was up and running again, no problems during the process. Few  things I noticed:

- During the upgrade, I did not get the message

NOTICE: ISE upgrade requires you to change the database

during the upgrade.

Steps shown are:

Initiating Application Upgrade...

Stopping ISE application before upgrade...

Running ISE Database upgrade...

Upgrading ISE Database schema...

Upgrading Session Directory... Completed.

ISE Database schema upgrade completed.

Running ISE Global data upgrade as this node is a STANDALONE...

Running ISE data upgrade for node specific data...

-  The http ports are gone from the sponsor- and guestportals  (Administration > Guest Management > Settings > General >  Ports). This has some disadvantages for us. We use the http traffic type  for redirect from WLC to ISE to avoid certificate issues/warnings. I  did not see anything mentioned in de release notes about this.

- I created a sponsorportal Language Template in Dutch, named Nederlands, in the original version. This is kept after upgrade, renamed to user_Nederlands.

sfenderson Mon, 03/26/2012 - 06:38

I did the upgrade without to much trouble. I have 2 boxes with one primary and one secondary. The installation intructions are pretty awful. The one example is confusing and appears to have a mistake in it. I eventually found out I had to de-register my secondary (which makes it standalone) and then upgrade it. I then had to convert the primary to a standlone and upgrade it. After this I re-joined them by making the primary a primary again, and then registering the secondary. The upgrade took about 30 minutes for each box. I found several issues/changes with the guest portal. For example I had customized the sponsor language template to format the print and email templates. I had put the
HTML type tags to insert some blank lines and these are no longer honored or processed. They now show up as text in the email or print. At least the print template now honors blank lines but the email template does not. In the email all the text is run together so it looks awful. I also tried customizing the built in guest portal by changing the login logo. No matter what size I make my logo it gets resized to 62x33 which results in it being very small and distorted.

joseph.neal@sal... Mon, 03/26/2012 - 11:53

We took the plunge last week because we needed the FIPS mode.  Let's just say this... it didn't go well.  It took a 5 days to get it back into functional shape, and I still have one major outstanding issue.

We have 4 nodes in a distributed deployment, 2 admin/monitor, and 2 policy nodes.  You cannot upgrade a node if it is distributed.

Here's what we finally figured out (we have no posture nodes at the moment):

1) BACKUP - This saved our butt, so make sure you do this.

2) Gather all certificates and private keys (assuming you aren't using self-signed certificates).  You will need these if you have to re-image a box.

3) De-register secondary admin node.

4) Upgrade (application upgrade )

5) Convert to primary node (from standalone)

6) De-register a policy node.

7) Upgrade.

8) Register with v1.1 admin node.

9) Repeat steps 5-7 for other policy nodes

10) Convert remaining 1.0 admin box to standalone.

11) Upgrade

12) Register as secondary node in 1.1 distributed deployment.

13) Make primary if required.

NOTE - We ran into several 1.1 issues.  After upgrading, we had one policy node which lost it's paid-for certificate (we exported them prior to upgrade).  However, it could not be loaded while registered to the cluster.  If standalone, the cert was fine.  Also ran into an issue where FIPS mode could not be enabled due to a certificate with <= 1024 bit security.  However, none of those certs were actually installed.  We ended up re-imaging the admin node to 1.04, restoring the backup, re-upgrading to 1.1, and this time all of those issues are gone (5 days after starting the upgrade).

NOTE 2 - The docs show using an SFTP repository to perform the upgrade.  Using SFTP, the upgrade took 2.5 hours (2 hours to transfer the file over).  We could backup over the SFTP repository in 10 minutes, for the same size file.  Changing the repository to HTTP caused the transfer to complete in 2 minutes (vs 2 hours).  I tested this on 3 systems.

We are still experiencing an issue where guest users get authenticated, but the user isn't actually allowed to go anywhere.  It looks like the controller isn't receiving an update from ISE saying the user authenticated properly.  The ISE logs show successful logins.

Bottom line, be ready for issues.  I'm sure the upgrade has been great for some people, but it's one of the most frustrating upgrades I have ever performed.  On the plus side, I have learned a lot about ISE.

joe

jjonessec1969 Mon, 03/26/2012 - 11:58

Lucky for me I had not gone to far in to the configuration, But i need have to move all of them to standalone before doing the upgrade to 1.1, one I had to wipe the configuration on and start from a fresh one to get it.

But I am all upgraded, and everything restored.

AD authentication for Admins was a nice addition and it works well

Jeff

yongkhang Thu, 03/29/2012 - 04:25

Hi all

My case is standalone role, trying to upgrade from 1.0.4.537 to 1.1

After reading on the release note, it did mention need to perform on-demand backup on ISE.

So did you guys did the on-demand backup? I try to do it but it did take a very long time on this process and end up nothing..

Any clue? can i skip this step ?

Thanks

Noel

sfenderson Thu, 03/29/2012 - 05:36

I did the backup and it worked fine. I defined a repository for an FTP server. I would not use a TFTP server for this as the backup can be large (mine was 570MB and I have hardly anything setup) and would take a very long time. Same goes for the upgrade, do not use TFTP as it will take a long time to copy the upgrade file uising TFTP. Make sure you do a backup before the upgrade as it seems some are having upgrade problems and need the backup.

joseph.neal@sal... Thu, 03/29/2012 - 05:36

Noel - I would NOT skip that step.  Considering how many issues we experienced, we had to go back to 1.04 and re-upgrade to v1.1 twice.  That backup was very useful.

A word of caution, the backups do not seem to save the certificate information of the non-primary admin node (if you're in a distributed deployment), so make sure you export all of the certs too.

If you have automated backups, then you might be able to skip it.

Perhaps you have an issue with your repository configuration?  The repository will need to be working in order to pull down the upgrade file anyway.

Joe

yongkhang Thu, 03/29/2012 - 06:19

oh yeah,

i manage to backup it (oracle RMAN ...), time consuming

But i am now stuck at "Running ISE Glo...... node is a STANDALONE..."

would this process last very long?

Cheers

Noel

joseph.neal@sal... Thu, 03/29/2012 - 06:32

Noel - Yes, that part takes quite awhile.  In my experience, on a 3395 appliance, the upgrade from 1.04 to 1.1 took approximately 36 minutes, from the beginning of the file copy (HTTP file copy), to the reboot.  Then you have another 5-10 minutes for it to reboot and be usable.  When using SFTP for file copy, it took about 2 hours and 30 minutes.

Joe

yongkhang Thu, 03/29/2012 - 06:39

hi joseph,

i don;t get it. I am using FTP to copy the file to ISE (i am using VM appliance).File is success copying and thing now is it only hang like this, at least 1hrs ++..

Does it consider fail on the upgrading?

brian.schultz@s... Thu, 03/29/2012 - 06:44

Yong,

This is normal.  Whatever you do, do not close your SSH window or you will have to reimage the server.  I had servers that took a couple of hours before they updated.  It depends on how big your endpoint database is.  There is no status indicator so you just have to let it sit and run until it completes.

Brian

SCOTT VOLL Thu, 03/29/2012 - 06:48

just be patient!

I wish there was some kind of indicator and download eg. mb/s how much downloaded, and status of upgrade.  Maybe that will come with 2.0 =)

Scott

yongkhang Thu, 03/29/2012 - 06:56

hi all,

thanks for everybody advice and encouragement, it's been the longest day is sitting in front of the desktop just to endlessly wating, now it pays!!

Thanks again, Noel

grey_death Thu, 05/10/2012 - 08:29

Ciao,

the upgrade tooks 1h30 on both nodes (done via FTP).

Lot of problems with Guest\Sponsor portal:

HTTP becomes HTTPS: TAC answer was

"They made a change to the access because of a security issue. There is no work around nor do they plan on changing it. I have talked to the developers and there is no plan to change it back."

Emails sent via Sponsor Portal: it seems like it doesn't support HTML tag anymore, so emails are quite unreadable.

SR to CISCO was opened and it is under investigation

Wireless Guest Portal: still remains unreadable on mobile devices.

SR to CISCO was opened and it is under investigation

By the way a lot of improvements were done (ie: the ability to choose redirection directly in the Policy Results page)

Ciao!

Luciano

Actions

Login or Register to take actions

This Discussion

Posted March 21, 2012 at 8:18 AM
Stats:
Replies:22 Avg. Rating:
Views:4555 Votes:0
Shares:0
Tags: upgrade, 1.1, ise
+

Related Content

Discussions Leaderboard