ISE ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz fails

Frank Lothar Weber · ‎07-30-2013

Hi, folks.

Anyone here who used "ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz" to upgrade his/hers ISE distributed deployment successfully ???

I have tried it, using the procedure described in the Cisco ISE Upgrade Guide 1.2, it already fails at Step 1: Upgrading the secondary Administration Node first:

- Data upgrade step 26/80, GuestUpgradeService(1.2.0.319)... Done in 0 seconds.

- Data upgrade step 27/80, ProfilerUpgradeService(1.2.0.319)... Done in 6 seconds.

- Data upgrade step 28/80, NetworkAccessUpgrade(1.2.0.326)... Done in 0 seconds.

- Data upgrade step 29/80, GuestUpgradeService(1.2.0.341)... Done in 4 seconds.

- Data upgrade step 30/80, NSFUpgradeService(1.2.0.344)... Done in 0 seconds.

- Data upgrade step 31/80, RBACUpgradeService(1.2.0.344)... .Done in 96 seconds.

- Data upgrade step 32/80, NSFUpgradeService(1.2.0.349)... Done in 0 seconds.

- Data upgrade step 33/80, AuthzUpgradeService(1.2.0.351)... Done in 0 seconds.

- Data upgrade step 34/80, RegisterPostureTypes(1.2.0.363)... ..........................Failed.

Rolling back the configuration database...

Starting application after rollback...

% Warning: Do the following steps to revert node to its pre-upgrade state.

-Register this node back to old Primary

error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1

% Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.

The running version is 1.1.4 with latest patch:

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.4.120

ADE-OS System Architecture: i386

Hostname: ise-worf

Version information of installed applications

---------------------------------------------

Cisco Identity Services Engine

---------------------------------------------

Version : 1.1.4.218

Build Date : Wed Apr 10 22:20:22 2013

Install Date : Fri May 3 19:16:05 2013

Cisco Identity Services Engine Patch

---------------------------------------------

Version : 1

Install Date : Wed May 29 08:16:58 2013

Cisco Identity Services Engine Patch

---------------------------------------------

Version : 2

Install Date : Mon Jun 10 05:29:21 2013

Cisco Identity Services Engine Patch

---------------------------------------------

Version : 3

Install Date : Wed Jul 17 08:45:02 2013

The script tells me to check the logs ... but for what ??? Local log file (sh logg) is packed with errors (java, eap, cert ...) .......

Contacting TAC for support is no option, because this is a test deployment only .....

The same thing also happens, when I switch both Admin nodes (switch the primary to secondary) and try to upgrade the "new" secondary ..

Any ideas ???

Marcin Latosiewicz · ‎07-30-2013

Frank,

You need to have root patch of some sort (TAC patch, root patch, rpssh) to access the logs

From my lab device:

[root@mlatosieISENBC logs]# pwd

/opt/CSCOcpm/logs

[root@mlatosieISENBC logs]# ls -la *20130729*

-rw-r--r-- 1 root gadmin 242780 Jul 29 13:12 isedbupgrade-data-global-20130729-125207.log

-rw-rw-rw- 1 oracle gadmin 5249 Jul 29 12:52 isedbupgrade-schema-20130729-124515.log

Those are the logs from my upgrade done yesterday.

M.

c.andrew · ‎07-30-2013

Out of interest, how did you even obtain this file?

We've purchased an ISE NFR license from the Partner Evaluation Software site

cisco.com/go/nmsevals and it's shipped with 1.1.1, on a USB stick (software and NFR license).

We can't download the file

ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz due to "additional entitlement" - so we are stuck with an outdated NFR version.

Ravi Singh · ‎07-30-2013

I think this is the reason; you are not able to upgrade it successfully. You need the below file for upgrading.

ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz

Frank Lothar Weber · ‎07-30-2013

That is exactly the file I used ......

Frank Lothar Weber · ‎07-31-2013

Little update:

The upgrade also fails (with same error) when trying to upgrade a freshly installed ise v1.1.4 Patch 1-3, (Secondary Admin Node only) which is also part of a distributed deployment ....

S M85 · ‎07-31-2013

Hi TS,

Did you upgrade your NFR the first time and later on the test on 1.1.4 patch 3 evaluation license?

Tarik Admani · ‎07-31-2013

Hi,

There is a bug realted to blank posture policies documented at the end of this thread.

https://supportforums.cisco.com/thread/2231046?tstart=0

Just for your reference, I was able to upgrade my instance by reimaging to 1.2 and restoring my 1.1.x backup.

Tarik Admani
*Please rate helpful posts*

lmediavilla · ‎11-19-2013

I have the same problem and the tac team recommended to do a fresh 1.2 install and restore the application backup from 1.1.4.

Naresh Ginjupalli · ‎11-19-2013

Frank,

There is a known defect CSCui58123 for this issue and here is the workaround to fix this issue and upgrade to go smooth.

In the below patch please check your requirement policy's conditions and set the valid condition for the policy which has "Select Conditions" option as shown below.

Policy > Policy Elements > Results > Posture > Requirements 
The requirement policy has a condition that is not set.  Shows "Select Conditions"

Even if you do a fresh install and restore the ISE 1.1.4 backup to ISE 1.2 you are prone to hit this issue. As this is related to data , the upgrade model of the data is one and the same when you restore the ISE 1.1.4 data backup to ISE 1.2 and when you trigger the upgrade on ISE 1.1.4.