I´m upgrading a distributed enviroment with 2 Administration/monitoring nodes and 2 as a Policy. I´m upgrading from 1.1.4 patch 6 to 126.96.36.1999
I´ve upgraded first the secondary administration node and then the both Policy servers. Now they are already in 1.2 version, but when I´m going to upgrade the primary server (still in v1.1.4) seems as if there where still any server without upgrade.
es-ise000/admin# application upgrade ise-upgradebundle-1.1.x-to-188.8.131.529.i386.tar.gz disk
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
% Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
STEP 1: Stopping ISE application...
% Warning: All secondary nodes should be upgraded and inline posture nodes should be de-registered before upgrading Primay PAP.
Starting application after rollback...
% Warning: The node has been reverted back to its pre-upgrade state.
error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
% Application upgrade failed. Please check logs for more details or contact Cisco Technical Assistance Center for support.
The servers are running in VMWare
This are the servers already upgraded to 1.2
This is from the primary administration server, still running 1.1.4
you must reimage and restore the configuration and operational backup depending on the personas enabled on the node originally. If you have to reimage the node , before you reimage it, ensure that you generate a support bundle by running the backup-logs CLI command and place the support bundle in a remote repository in order to help ascertain the cause of failure.
Moreover, please make sure that you perform the upgrade as described in the following link:
The final step in the upgrade of ISE 1.2 is to upgrade the primary Administration node to Cisco ISE, Release 1.2.
If the upgrade is success on this node then this node will be added to the new deployment as a secondary Administration node. You can promote the secondary Administration node to be the primary node in the new deployment. If you want to retain the secondary Administrative node from old deployment as your primary node, you must obtain a license that includes the UDI of both the primary and secondary Administration nodes.
In case if you want to make your primary Admin node from old deployment as a Primary node in the new ISE 1.2 deployment then just promote the node.
As you are facing difficulty in upgrading Primary Admin node from ISE 1.1.4 version to ISE 1.2 version you try the following steps.
-The safest way is to re-image the ISE Primary node es-ise000 to ISE 1.2 version and join to the deployment. Once the node is joined successfully and replication is done , you can safely promote the original primary node es-ise000 as your Primary ISE node in new ISE 1.2 deployment.
-The other way is to perform reset-config operation on the older Primary node and once it is done perform the upgrade operation and then register it back to the deployment of ISE 1.2 and then promote as Primary node once replication is completed.
Firewall Ports That Must be Open for Communication
The replication ports have changed in Cisco ISE, Release 1.2 and if you have deployed a firewall between your primary Administration node and any other node, the following ports must be open before you upgrade to Release 1.2:
TCP 2484—For communication between the primary administration node and monitoring nodes.
TCP 443—For communication between the primary administration node and all other secondary nodes.
TCP 12001—For global cluster replication.
Kindly follow the link below to verify the configuration.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...