Well, there are couple of bugs which we can hit but nothing as such to prevent them. Once we hit it , we solve it.
Please read the Release Notes for Cisco Secure ACS Solution Engine 4.0 to know about known issues.
Andrew, have you done your upgrade yet. We are trying to upgrade a 1112 to 188.8.131.52 using the recovery disk. No luck so far SE hangs after we have put in the initial configuration and rebooted it. We have found out that the host name has limited character length, also DNS seems to cause a issue, this gets us past the hanging, but leads to authentication processing issues.
If we use the 3.3.3 recovery disk again its ok. Thanks.
Haven't done it yet. Need to schedule downtime with our customer, probably next couple of weeks.
The version we have on our recovery CD is 184.108.40.206, a little older than yours. Hope it works better!
Once I've done it (or not) I'll post here.
ACS 3.3.3 to 4.1 Upgrade
The ACS SE 3.3.3 to 4.1 upgrade package includes the ACS SE 3.3.3 Upgrade CD. Use this CD to upgrade ACS 3.3.3 running on the Cisco 1111 platform or the Cisco 1112 platform to ACS 4.1.
Please make sure that the recovery cd you have is intended for the same ACS appliance hardware platform.
Thanks for the reply.
Our 1112 started life on 3.3.3, so we then applied the 3.3.3 to 4.1 upgrade which worked fine and allowed us the archive the database. We then used the 1112 recovery CD to restore the SE. This failed.
The recovery CD was supplied by TAC, ie published to us on CCO, we then create a image from 3 files suuplied. TAC have confirmed that its the correct software.
We are at a loss, as 3.3.3 works ok.
Thanks for the reply.
We have a TAC case open on this now.
This 1112 will not upgrade to any version of 4.x.
We have managed to get through some of the original hurdles by making sure the host name is 15 characters or less and when standalone the DNS servers are not specified.
When re-imaged with 4.1 and 4.0 the 1112 trys to act as a proxy authenticator due to a rogue 169.x.x.x address being configured in its DB, along with its true address. TAC have given us a work around to remove the 169 address however when powered down and rebooted the 1112 looses its IP setings. Re-image with 4.0, same thing happens but it does not loose its IP settings.
I think have to get the unit replaced.
Thanks to all for your contributions, a couple of useful points in there : ) We've scheduled the upgrade with our customer for the 19th March. Watch this space.....
Andrew, Make sure you do a backup and have a working copy of the 3.3.3 recovery disk.
Our 1112 still failed to upgrade to 4.0.
I will update this as we are going to swap out the unit.
Not sure if you have done your upgrade, but this is the results from ours:-
1. Always re-image with NIC1 attached to any network, otherwise if not connected, powering down and up the appliance will likely cause the loss of all IP config details, and the CLI prevents you from re-adding them.
2. The appliance creates a proxy entry of address 169.x.x.x, and trys to forward all authentication requests to this address. The hostname programed at setup time is assigned to this address, while an entry called Deliverance1 is assigned to the address that you used during setup. This is a bug, due to the Windows IP stack. The workaround is to edit the proxy distribution table, and swap entries around, this allows you to delete the 169.x.x.x address.
Thanks for the tip, I've run into this one myself : ) Took a looooong while to figure that one out.
Our upgrade is scheduled for Monday and I'll report back here when it's done. Fingers crossed!
On site to do the upgrade, I find that the CD kit (CSACSE-4.0-SWUP-K9) doesn't include the "Upgrade Package Appliance Management Software" so I'm stuck! URGENT ASSISTANCE REQUIRED!!! I can't find anywhere on CCO I can download it, is there something missing from the kit?
TAC can let you download the Upgrade package. Open a TAC case with contract number/serial number of the appliance/purchase order number/sales order number.
I'm trying to do this at present but it looks like we will have to image the appliance with v 4 software and rebuild the config due to time constraints.
I am *really* not amused that all the required software is not in the box.
Rather than opening a TAC case and using one of your credits, contact firstname.lastname@example.org. They will open a TAC case and post the software for you.
We had the same issue, in our case we had the upgrade, but no re-image software.
Once you have upgraded you need to patch the platform. Little issue there as well, for every patch you apply from your PC, stop the web server afterwards otherwise it tries to apply the patch that you have just done.
Upgrade complete, after a fashion. In the end we just went for a "don't preserve settings" upgrade by imaging the box with the 4 recovery CD which was included in the upgrade kit. That went OK ...... at the second attempt and we then rebuilt the config manually.
I am still amazed that Cisco can ship an upgrade kit that doesn't include all the required components. I may well have been able to open a TAC case to get access to them but why should I do that? The customer has bought and paid for the upgrade kit so everything required should be in the box. I searched every CD in the box and it wasn't there. Anyone from Cisco care to comment?
Without wishing to appear bitter and twisted, a final word or two on the subject:
This upgrade was originally planned to take place in late December 2006. Problem 1; we couldn't get the upgrade kit in time, apparently a 6 week lead time wasn't enough for Cisco to come up with the kit.
Problem 2; as described above, kit apparently incomplete. Granted one solution might be to open a TAC case and get the missing bit posted for download BUT let's have a think about the job we're doing. This is a critical system, downtime is VERY limited. I had a 3 hour drive to site plus specially arranged downtime so I don't have much time or the option of hauling off and coming back the next day so you can imagine my delight at finding the kit was incomplete. Further, the time neeeded to raise the TAC case and go through all the hoops simply wasn't there. Luckily I had documented the original config (as well as backing it up and imaging the box) beforehand so was able to follow the path I finally chose. Had this not been possible I would have been left twisting in the wind ..... by Cisco.
My final advice to those carrying out this task, allow plenty of time to source the kit in the first place. Once you have the kit, read the upgrade instructions and verify you have ALL the software needed (note to Cisco; seems I'm not the only one to have received an incomplete kit). In addition, take careful note of the other tips very kindly listed above by others, many thanks guys for your input.
We attempted the upgrade using the 220.127.116.11 disk this past weekend with itentical results. Did you ever get a resolution? We opend a TAC case but they have not been able to re-create the problem.