Anyone upgrade ISE to 1.1 yet?

Has anyone upgraded to 1.1 on ISE?
How did the upgrade go?  Any issues?  How long did it take?
TIA
Scott

We took the plunge last week because we needed the FIPS mode.  Let's just say this... it didn't go well.  It took a 5 days to get it back into functional shape, and I still have one major outstanding issue.
We have 4 nodes in a distributed deployment, 2 admin/monitor, and 2 policy nodes.  You cannot upgrade a node if it is distributed.
Here's what we finally figured out (we have no posture nodes at the moment):
1) BACKUP - This saved our butt, so make sure you do this.
2) Gather all certificates and private keys (assuming you aren't using self-signed certificates).  You will need these if you have to re-image a box.
3) De-register secondary admin node.
4) Upgrade (application upgrade )
5) Convert to primary node (from standalone)
6) De-register a policy node.
7) Upgrade.
8) Register with v1.1 admin node.
9) Repeat steps 5-7 for other policy nodes
10) Convert remaining 1.0 admin box to standalone.
11) Upgrade
12) Register as secondary node in 1.1 distributed deployment.
13) Make primary if required.
NOTE - We ran into several 1.1 issues.  After upgrading, we had one policy node which lost it's paid-for certificate (we exported them prior to upgrade).  However, it could not be loaded while registered to the cluster.  If standalone, the cert was fine.  Also ran into an issue where FIPS mode could not be enabled due to a certificate with <= 1024 bit security.  However, none of those certs were actually installed.  We ended up re-imaging the admin node to 1.04, restoring the backup, re-upgrading to 1.1, and this time all of those issues are gone (5 days after starting the upgrade).
NOTE 2 - The docs show using an SFTP repository to perform the upgrade.  Using SFTP, the upgrade took 2.5 hours (2 hours to transfer the file over).  We could backup over the SFTP repository in 10 minutes, for the same size file.  Changing the repository to HTTP caused the transfer to complete in 2 minutes (vs 2 hours).  I tested this on 3 systems.
We are still experiencing an issue where guest users get authenticated, but the user isn't actually allowed to go anywhere.  It looks like the controller isn't receiving an update from ISE saying the user authenticated properly.  The ISE logs show successful logins.
Bottom line, be ready for issues.  I'm sure the upgrade has been great for some people, but it's one of the most frustrating upgrades I have ever performed.  On the plus side, I have learned a lot about ISE.
joe

Similar Messages

  • Anyone upgrade to Snow Leopard and runs CS3 or CS4?

    Hi all. I'm looking to upgrade my Mac from tiger to snow leopard, but I wanted to make sure there weren't any problems beforehand. Has anyone upgraded to Snow Leopard? Have you had any problems running CS3 or CS4 since?
    Thanks.

    Works fine for me on a 2008 unibody MBP. Only a couple bugs that I can live -- neither affect workflow or CS4 functionality.
    A) As with Leopard, some programs have an issue with closing. About half the time when you close Ai or Dw the program closes fine -- then it tells you it crashed. A bit annoying, but I just go ahead and send the error report, dosent affect much, although if you've changed any preferences they might get lost. Adobe's prob gotten several hundred crash reports from me on that one :∫
    B) Occasionally when you switch from one app to another and you try to go back it only will switch only when you click the icon on the bottom -- otherwise the app you want will just switch back to the other app -- I think it's a snow leopard bug, but seems to affect Flash and AE. Very rarely however.
    I've been using Snow Leopard w/ CS4 since release day for prob 14 hours a day 6 days a week and these are my observations.
    Go for it dude, you'll love 10.6 -- Use CCC before that way if it's not functioning properly you can aways go back.
    It should be noted, I have not tested any third party plug-ins yet. After Effects by itself 9.0.2 has no issues that I can tell.

  • Has anyone upgraded the Ironport ESA to 8.5.6-074 and had the issues of Raid status showing unknown?

    Has anyone upgraded the Ironport ESA to 8.5.6-074 and had the issues of Raid status showing unknown? After we upgraded our appliances we are having issues with our ESA appliances showing the RAID status as unknown. When we reported the issue to CISCO we were updated there were no issues reported at all. Could anyone please confirm if you have experienced the same issue. 

    You should see OPTIMAL - meaning the drives in the C170 are in good health/status:
    myc680.local> version
    Current Version
    ===============
    UDI: C680 V FCH1611V0B2
    Name: C680
    Product: Cisco IronPort C680 Messaging Gateway(tm) Appliance
    Model: C680
    Version: 8.5.6-074
    Build Date: 2014-07-21
    Install Date: 2014-07-29 11:16:34
    Serial #: xxx-yyy1611Vzzz
    BIOS: C240M3.1.4.5.2.STBU
    RAID: 3.220.75-2196, 5.38.00_4.12.05.00_0x05180000
    RAID Status: Optimal
    RAID Type: 10
    BMC: 1.05
    There are times post-reboot, that you'll see and get notification of RAID sub-optimal --- meaning that the appliance is running through on a health-check of the appliance's RAID.  You should be getting a notification once RAID status has returned to OPTIMAL, or as per the older OS revisions, READY:
    myc170.local> version
    Current Version
    ===============
    UDI: C170 V01 FCH1428V06A
    Name: C170
    Description: Cisco IronPort C170
    Product: Cisco IronPort C170 Messaging Gateway(tm) Appliance
    Model: C170
    Version: 7.6.3-019
    Build Date: 2013-06-09
    Install Date: 2014-09-12 13:52:24
    Serial #: xxxxxxD87B39-yyyyyy8V06A
    BIOS: 9B1C115A
    RAID: 02
    RAID Status: READY
    RAID Type: 1
    BMC: 2.01

  • Sponsor Portal after upgrade ISE 1.2 - 1.3

    Hi,
    After upgrade ISE to version 1.3 I can't access to Sponsor Portal via ://ISE_IP:8443/sponsorportal/ as it was done in version 1.2 (error: [ 404 ] Sponsor Portal Resource Not Found. The resource requested cannot be found). I have to open it through ISE (Guest Access -> Configure -> Sponsor Portals -> Sponsor Portal (Default) -> Portal test URL). But then in address bar i can see the exact same address i tried to reach (://ISE_IP:8443/sponsorportal/) but it works.
    I deleted migrated portal from version 1.2 and now using only default one. Should I additionally activate it somewhere after this upgrade?

    Nice to hear that. I just want to add something to take into account:
    When you create the CSR directly from ISE, the documentation says for version 1.2 that you need minimum CN field. I did it and then I started having issues with Chrome Browser/ChromeBook which was triggering a certificate warning even though I had signed it with the correct CA Server and I had the Trusted Certificate Authority included in the browser list.
    When I was using 1.1.3, I did not have that problem when using ISE internal CSR feature and only using Common Name (CN) for the CSR.
    I tried using Openssl as usual to create the CSR for ISE running 1.2. Signed and imported it into the ISE and the problem was solved. I am using like you FQDN in the WLC URL Redirect on LWA or CWA with the corresponding entry into the DNS. One important thing I found is that openssl uses some additional fields which I included in the CSR and I think after reviewing the ISE 1.2 documentation we need to include those as well in the ISE CSR feature. Looks like also there is a sequence/order for those fields in the ISE when creating the ISE CSR. The list is the following:
    countryName       = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName  = optional
    organizationalUnitName  = optional
    commonName        = supplied
    emailAddress            = optional
    Finally, with Openssl I could create as well SAN Certificates and I included the IP of the PSN , PAN and MNT ISE's so I would not need the DNS Entry. This feature was added on version 1.2 of the ISE which helps a lot. I will give it a few more testing since that I have a lab deployment with 5 ISE's (PAN, MNT and 3 PSN's).

  • Has anyone upgraded their iMac8,1 memory to 6 GB?  How did it work?

    Has anyone upgraded their iMac8,1 memory to 6 GB?  How did it work?  Any problems?  Did you notice an increase in speed?  Who did you buy the memory from?

    See this Discussion
    rkaufmann87 gave a pretty good reply to you.

  • Has anyone upgraded your MacBook Air SSD? Is it possible?

    Just out of curiosity, Can you upgrade your SSD? Have any of you upgraded your SSD in your Mid 2012 MacBook Air? If so, what did you use and how much can the 2012 Air SSD take?
    THANKS

    This is what I found below on the OWC site. My Macbook Air is 5,2 and it says that it is compatible.  I checked the video and looks pretty straight forward. I am just looking for what people's experiences were and what the outcome was... Has anyone upgraded their SSD to 1TB? Good or bad idea?

  • Is it safe to upgrade to OSX Mountain Lion yet?

    Is it safe to upgrade to OSX Mountain Lion yet?

    Yes, it is. But not all 3rd party plugs are compatible yet and fail AU validation.

  • Anyone upgraded Linux OS and Oracle to 64BIT? - How to?

    Anyone upgraded their nodes in their cluster from 32 bit OS to 64 bit - and also upgraded their 32 bit oracle 10.1.0.5 to 64 bit 10.2.0.2?
    Anyone have a good draft on how to complete this task?

    I haven't did this one.
    You need to install fresh instead upgrade as the Oracle binaires will be different for 32 and 64. Database file conversion, you may rman. I believe, rman have some option to convert different OS bit format.
    Ashok

  • Does anyone upgrade from 9iAS to 10g?

    Dear all,
    Does anyone upgrade from 9iAS to 10g only? The EBS version (11.5.8) and the oracle database version (9.2.0.4) are still same.
    Best Regards,
    Amy

    You can upgrade 9i database to 10g in Ebusiness suite using metalink note
    Note:362203.1 Oracle E-Business Suite Release 11i with Oracle Database 10g Release 2 (10.2.0)
    Note:369693.1 Using Oracle Applications with a Split Configuration Database Tier on Oracle 10g Release 2
    But for the application server components you can follow
    Note:125767.1 Upgrading Developer 6i with Oracle Applications 11i
    But Application server itself should be upgraded from 9iAS to 10gAS if you are planning to move your oracle applications Ebusiness suite to release 12.
    Check the following metalink note
    Note:403339.1 Upgrade R11i to R12
    Sami Malik

  • Upgrade ISE 1.1.X

    Hi
    I have ISE 3315-K9 version 1.1.1.268
    I need to upgrade to version 1.2
    I read this post where he explain how to move from 1.1.3 patch 3 to 1.2
    https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
    But I would like to know how to upgrade 1.1.1.268 to 1.1.3 patch 3
    Thanks in advance for your help

    You can download ise-appbundle-1.1.3.124.i386.tar.gz to upgrade to 1.1.3 and the apply the latest patch for 1.1.3 (patch 8).
    Or you can apply the latest patch to your version 1.1.1 (patch 7) and then use this file ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz to upgrade to 1.2 directly.
    First, you have to have an FTP server (easiest to configure) and then configure a repository on the ISE.  the easiest way is therough the WebGUI by going to Administration > Maintenance and clicking on Repository on the left side menu.
    Click Add. Fill out the configuration for the FTP Server and click Submit.
    Then go to Administration > Backup & Restore and be sure to perform at least a Configuration Backup.
    Log in to the CLI in enable mode.
    Enter this command:
    application upgrade ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz <> (this is the name you set up for the repository created above)
    Your ISE WILL reboot.
    Once this is complete, log back in to the WebGUI and verify the install.  You can then go to Administration > Maintenance and choose Patch Management from the left menu to upload and install Patch 3 to the v1.2 install.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Have anyone upgraded Red Hat Linux AS from 4.4 to 4.6 of EBS11510.2(CU2)?

    Hi,
    Have anyone upgraded Red Hat Linux AS from 4.4 to 4.6 of EBS11510.2(CU2)?
    Please advice any issue/concerned etc?
    Thanks,

    You need to relink all binaries after an OS Upgrade to ensure that everything is working as expected.
    - Take a backup of the application/database
    - Upgrade the OS
    - Relink all binaries
    - Start up the application/database
    - Take another backup once you confirm that everything works properly
    Note: 356878.1 - How to relink the whole Applications 11i Installation
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=356878.1
    Note: 131321.1 - How to Relink Oracle Database Software on UNIX
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=131321.1
    Note: 407055.1 - Process To Upgrade the Operating System and Oracle Database Server
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=407055.1

  • Has anyone gotten the new Iphone 5 yet

    Has anyone received the new Iphone 5 yet in the preorder?  I paid for mine on the prerder date and I still have no tracking number.

    Pat,
    Go to UPS website and clicl on "more options" under the tracking box.
    Then, click on "Track by reference"
    enterthe phone number Apple has on your account or enter your Apple order number but leave out the last two digits.  (Include the "W" at the beginning of the number)

  • Anyone find the drop shadow tool, yet, in 10.0.6?

    Anyone find the drop shadow tool, yet, in 10.0.6?

    its in Effects or Generators or one of those. You drop it onto a clip.
    adam

  • Anyone got an "Out For Delivery" yet?

    Just out of curiousity I called CS to inquire.  Since lots of people have gotten tracking #'s and I haven't even got a "shipped" email yet.
    She went to give me my tracking # and it wasn't showing up.  So she checked with her "Supervisor" and said that it hasn't even left the warehouse yet.    She said no one's pre-order will leave the warehouse and I should expect delivery on the 10th.  I wasn't going to argue with her because that won't get my phone here any faster.
    My bank account has not been charged yet, but the 3 cases I bought on ebay yesterday afternoon have cleared the account. 
    She promised me I do have a phone coming, so maybe the are waiting to charge my account til it ships, which is different than others I know, but whatever.
    Just curious if anyone has an "Out for Delivery" yet today?

    twinmom05 wrote:
    I dont have an OUt for Delivery but when I track it on UPS it sais origin scan in memphis last night around 6 pm, then it was departure scanned out of memphis at 6 this morning, then it arrived in louisville at 9 and departure scanned again at 10. ??? I called UPS and the lady said it should be delivered today since it was sent next day air yesterday.
    What are your ??? for?  Do you not realize that everytime the phone changes legs of its deliver there is an arrival scan and a dparture scan?  That means your phone went from memphis to louisville, sat at louisville for an hour then was placed on a different truck to go out to the nex stop/delivery.

  • Anyone upgraded their gx60 hitman edition?

    Well I have had my gx60 hitman edition for a couple of months now and I love it MSI has a customer for life here. I also had a MSI gx630 before this which i hold a over clock world record with I got it to 2.65 GHz on air. but this brings me to my point has anyone upgraded their gx60. the single channel ram is killing me I think the system would be much more responsive in dual channel mode. also I plan on putting a ssd in for a boot drive and to put my more demanding games on. but I was just wondering before I void the warranty if any one has already upgraded and what kind of performance gains did you get? Also is there anyway to over clock the 5750m I can't find a way?  P.S. did everyone get a free mouse because I didn't :(

    Quote from: farzulnizam;49140
    So u're suggesting that gx60 user should upgrade their DDIM for a better gaming performance? Is is true gx60 is weak in cpu? Rts and mmos are not compatible with gx60
    Dual-channel will squeeze some more juice from the CPU...Low latency RAM would also squeeze a little bit more...but the improvements will not be so much until you suddenly get 40-50 fps from 20fps...
    To put things to perspective, a10-5750m is weaker than ivy bridge i5, and about 3x slower than haswell i7...It is the compromise that one has to make when picking GX60...i7+mid range GPU or AMD + high end GPU...
    it is not that GX60 is not compatible with RTS and MMO..it is just so happen that RTS and MMO demand much more CPU power than say first person shooter...a lot of cpu power is needed to render the units and environment

Maybe you are looking for

  • Satellite T230 and Windows 8 compatibility

    Hello, My Satellite T230 (PST4AE) is not listed on Windows 8 compatibility's page. Is it not compatible at all?

  • Cannot find Fiori Backend Role

    Dear expert, I'm implementing Fiori wave 2 Leave Request Approval and Purchase Order Approval for customer. The customer is using ERP EHP6, thus we installed GBAPP002 and GBHCM003 on the backend. Both the components are at the latest patch. However c

  • I purchased an itunes giftcard three years ago and the code is not working

    we have tried multiple times to redeem this card and it is reading invalid please help

  • STO- Depot to Plant with Transfer of cenvat credit

    Dear All, I am having a scenario in which i am procuring capital material for depot and it lies in depot. Now the material is no use in depot and i want to transfer that material from depot to manufacturing Plant. and want to take the cenvat credit i

  • CANON PIXMA MX397 SUPPORT CODE 5B02

    pls help me with my canon printer pixma mx397...at first, it said that ink waste pas was full so i just clicked the ok button on the machine. but when i tried  nozzle check or deep cleening, it said "Printer error has occurred. support code 5B02" how