Cisco ISE · Security

Installing ISE 2.3 on ESXi 6.x

We’ve just had quite the head scratcher trying to install the ISE 2.3 OVA on ESXi 6.5 and figured we won’t be the only ones.

Tl;dr – Convert the OVA to VMX then convert that VMX to OVF. Do not go directly from OVA to OVF.

The OVA can’t be deployed as.. an OVA

Yep. The install file provided by Cisco needs to be converted to a different format in order to work with VMware i.e. OVF.

The error message when attempting this:

3.5: ATTRIBUTE_REQUIRED: Attribute “id” is required.

3.5: ATTRIBUTE_REQUIRED: Attribute “href” is required.

15.3: ATTRIBUTE_REQUIRED: Attribute “id” is required.

Screenshot_1

To be fair this is partly documented by Cisco but it doesn’t clear much up on what to do next.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23_chapter_011.html?bookSearch=true

The ISE 2.3 OVA templates are not compatible with VMware web client for vCenter 6.5. As a workaround, use the VMware OVF tool to import the OVA templates.

Download VMware OVF Tool

https://www.vmware.com/support/developer/ovf/

For ISE 2.3 on to ESXi 6.5 I used OVF Tool version 4.2

You can convert directly from OVA to OVF but we encountered the error below after doing this and importing to ESXi. A senior colleague saved my bacon by saying they’d had luck going from OVA to VMX then to OVF.

4:5: PARSE_ERROR: Parse error: Unexpected character ‘.’ (code 58) (missing namespace prefix?) at [row,col,system-id]: [4,11,”descriptor.ovf”].

Screenshot_2

Convert OVA -> VMX

  1. Install the OVF Tool
  2. Place your OVA somewhere easily accessible (C:) and open up elevated command prompt.
  3. Navigate to cd C:\Program Files\Vmware\Vmware OVF Tool
  4. Initiate the executable in the format ovftool.exe “source file” “destination file” e.g. ovftool.exe “C:\ISE-2.3.0.298-virtual-SNS3415-600.ova” “C:\ISE-2.3.0.298-virtual-SNS3415-600.vmx”
  5. The above will convert from the OVA to the VMX in the same directory of C:

Screenshot_4

 

Once complete you will see both the original OVA and the two new VMX/VMDK files

Screenshot_6

 

Convert VMX -> OVF

Now that VMX can be converted to OVF. Note you can choose not to use the quotations like in this example as long as there’s a space between source and destination. I created an OVF directory so that it didn’t overwrite any files during this process.

ovftool.exe C:\ISE-2.3.0.298-virtual-SNS3415-600.vmx C:\OVF\ISE-2.3.0.298-virtual-SNS3415-600.ovf

 

 

You will end up with three files in your OVF directory and the OVF can be used for the import to ESXi.

 

Import to ESXi

This time there is no error on the import and the resources are automatically filled out via the OVF template.

Screenshot_3

Additional Note Feb 2018 from Frank (comments below):

“When deploying in VMware, I needed to select both the converted OVF-file and the VMDK-file. When selecting only OVF-file, VMware said that files where missing.”

 

Advertisements

16 thoughts on “Installing ISE 2.3 on ESXi 6.x

  1. When deploying in VMware, I needed to select both the converted OVF-file and the VMDK-file. When selecting only OVF-file, VMware said that files where missing.

  2. I had the issue with version 2.1 as well and this resolved it for me. I just wanted to add that if a separate directory is not specified for the ovf files and it does try to overwrite the files it may error out with something like this:

    ovftool.exe C:\ISE-2.1.0.474-mini.vmx C:\ISE-2.1.0.474-mini.ovf
    Opening VMX source: C:\ISE-2.1.0.474-mini.vmx
    Opening OVF target: C:\ISE-2.1.0.474-mini.ovf
    Writing OVF package: C:\ISE-2.1.0.474-mini.ovf
    Transfer Failed
    Error: Output file C:\ISE-2.1.0.474-mini-disk1.vmdk already exists. Use overwrite flag to delete it.
    Completed with errors

    Using a separate directory as mentioned in the steps above for the ovf resolves the error. so the syntax I used should have used is:
    ovftool.exe C:\ISE-2.1.0.474-mini.vmx C:\ovf\ISE-2.1.0.474-mini.ovf

  3. Many Thanks for sharing this, i wonder how did you worked it out.
    Im getting 1 error while converting from ova to vmx

    C:\Program Files\VMware\VMware OVF Tool>ovftool.exe “H:\VMX\ISE-2.3.0.298-virtual-eval.ova” “H:\VMX\ISE-2.3.0.298-virtual-eval.vmx”
    Opening OVA source: H:\VMX\ISE-2.3.0.298-virtual-eval.ova
    The manifest validates
    Opening VMX target: H:\VMX\ISE-2.3.0.298-virtual-eval.vmx
    Warning:
    – Line 79: Unable to parse ‘enableMPTSupport’ for attribute ‘key’ on element ‘Config’.
    Writing VMX file: H:\VMX\ISE-2.3.0.298-virtual-eval.vmx
    Disk progress: 100%

    1. Hey,

      I actually cannot claim credit for this. A colleague suggested it originally last year and I just made sure it was blogged because there’s so little info regarding it! As to your error I cannot assist a whole lot as I am not great with vmware. I would run it in elevated privileges if not already (cmd prompt) and try different versions of the conversion tool.

      Also double check the hash on your ISE file matches the one Cisco have and it isn’t corrupt.

      Cheers,
      Ric

    2. Hi Jamshed,

      I got the same error, even with the actual SNS3515 OVA. Did you find a solution for that issue?
      Regards

  4. BTW, did you write any blog on how to Install ISE 2.3 ovf on VMware esxi 6.5
    I could find any good blog like you did on this page, step by step, please let me know.
    Many thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.