Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ISE 1.2 Patch 6 --> 8 Update failed

Hi all,

 

I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.

 

Important notice : I though that this error could be an unlucky try but i've tested the update two time.

 

Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.

 

The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.

 

On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)

 

The symptoms after this error are :

 

- Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)

- The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)

- GUI Unavailable

- MAB Auth is working

- Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)

- Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(

 

The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.

 

My big interrogation is that on my two other deployment, the patch was successfull and quick to process.

 

Thanks for your help.

Everyone's tags (6)
3 REPLIES

Patch installation

Patch installation guideline

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_admin.html#pgfId-1259408

New Member

This is that i did abviously.

This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :

2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...

2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...

2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.

2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im

pl/StaticLoggerBinder.class]

2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.

8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]

2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.

2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).

2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.

 

Cisco Employee

Hi,Do you have CRL checking

Hi,

Do you have CRL checking enabled for your certs? If so can you set the run-time AAA and prrt-jni components to debug and pull a prrt.log* ?

If you see a lot of CRL related errors for EAP-TLS sessions after the patch upgrade, you may be hitting 

CSCuj36104  ISE does not allow CRL when the name is the same on 2 CA

This was found recently for one the customers whose PSN's stopped processing EAP-TLS authentications after upgrading from patch6 -8.

Going to patch 7 would be a good workaround if you have CRL's enabled . 1.2.1 will have the fix for this issue.

 

 

871
Views
0
Helpful
3
Replies
CreatePlease login to create content