https://community.cisco.com/t5/network-access-control/questions-about-ise-fail-over/m-p/3870941#M24795 <P>The default applies because it's based on the failed heartbeat timers.&nbsp; You can make the polling more aggressive to achieve a faster time to detection.&nbsp; Don't do it!&nbsp; &nbsp;Failover is not a fun topic.&nbsp; It causes processes to restart and ISE is not fast to restart.&nbsp; Let's say you innocently restart the active PAN processes because of a TAC case or whatever.&nbsp; If your polling is too aggressive, then the standby PAN could try to take over.&nbsp; What's the rush anyway?&nbsp; Failover in 30 minutes is more than enough in the greater scheme of things.&nbsp; When PAN is down then the worst thing that can happen is that you cannot create a new policy, or you cannot create a new Sponsored Guest, and things like that.&nbsp; In my books this doesn't constitute a need for fast failover.</P> <P>&nbsp;</P> <P>Manual fail-over only takes as long as the duration that is needed for the standby to restart its processes.&nbsp; &nbsp; So if you typically take 10 minutes to stop, and then start the application processes, then that is how long it will take from the time you manually promote the standby PAN.&nbsp; You do this on the Standby PAN GUI.</P> <P>You'll notice also that the previously active PAN node will also restart its processes.&nbsp; it's been a while but I believe that is still the case.</P> <P>&nbsp;</P> Tue, 11 Jun 2019 12:40:03 GMT Arne Bier 2019-06-11T12:40:03Z https://community.cisco.com/t5/network-access-control/questions-about-ise-fail-over/m-p/3870719#M24790 <H3>Automatic Failover to the Secondary PAN</H3><P class="p">You can configure ISE to automatically the promote the secondary PAN when the primary PAN becomes unavailable. The configuration is done on the primary administrative node (Primary PAN) on the<SPAN>&nbsp;</SPAN><SPAN class="ph menucascade"><SPAN class="ph uicontrol">Administration</SPAN><SPAN>&nbsp;</SPAN>&gt;<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">System</SPAN><SPAN>&nbsp;</SPAN>&gt;<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">Deployment</SPAN></SPAN><SPAN>&nbsp;</SPAN>page. The failover period is defined as the number of times configured in<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">Number of Failure Polls Before Failover</SPAN><SPAN>&nbsp;</SPAN>times the number of seconds configured in<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">Polling Interval</SPAN>. <STRONG>With the default configuration, that time is 10 minutes.</STRONG> Promotion of the secondary PAN to primary takes another 10 minutes. So by default, the total time from primary PAN failure to secondary PAN working is 20 minutes.</P><P class="p">&nbsp;</P><P class="p"><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_22_chapter_010.html#ID330" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_22_chapter_010.html#ID330</A></P><P class="p">&nbsp;</P><P class="p">&nbsp;</P><P class="p">I am reading an article on ISE fail over.</P><P class="p">&nbsp;</P><P class="p"><STRONG>What does the default configuration in bold mean?</STRONG></P><P>&nbsp;</P><P>The document states that Auto Fail over takes a total of 20 minutes.</P><P>&nbsp;</P><P><STRONG>Does Manually Fail over also take 20 minutes?</STRONG></P><P class="p">&nbsp;</P><P class="p">&nbsp;</P> Tue, 11 Jun 2019 07:04:57 GMT https://community.cisco.com/t5/network-access-control/questions-about-ise-fail-over/m-p/3870719#M24790 JustTakeTheFirstStep 2019-06-11T07:04:57Z https://community.cisco.com/t5/network-access-control/questions-about-ise-fail-over/m-p/3870941#M24795 <P>The default applies because it's based on the failed heartbeat timers.&nbsp; You can make the polling more aggressive to achieve a faster time to detection.&nbsp; Don't do it!&nbsp; &nbsp;Failover is not a fun topic.&nbsp; It causes processes to restart and ISE is not fast to restart.&nbsp; Let's say you innocently restart the active PAN processes because of a TAC case or whatever.&nbsp; If your polling is too aggressive, then the standby PAN could try to take over.&nbsp; What's the rush anyway?&nbsp; Failover in 30 minutes is more than enough in the greater scheme of things.&nbsp; When PAN is down then the worst thing that can happen is that you cannot create a new policy, or you cannot create a new Sponsored Guest, and things like that.&nbsp; In my books this doesn't constitute a need for fast failover.</P> <P>&nbsp;</P> <P>Manual fail-over only takes as long as the duration that is needed for the standby to restart its processes.&nbsp; &nbsp; So if you typically take 10 minutes to stop, and then start the application processes, then that is how long it will take from the time you manually promote the standby PAN.&nbsp; You do this on the Standby PAN GUI.</P> <P>You'll notice also that the previously active PAN node will also restart its processes.&nbsp; it's been a while but I believe that is still the case.</P> <P>&nbsp;</P> Tue, 11 Jun 2019 12:40:03 GMT https://community.cisco.com/t5/network-access-control/questions-about-ise-fail-over/m-p/3870941#M24795 Arne Bier 2019-06-11T12:40:03Z https://community.cisco.com/t5/network-access-control/questions-about-ise-fail-over/m-p/3871136#M24796 Thanks arne, you can also look at BRKSEC-3432 and the other performance and scale overview at <A href="https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-118574828" target="_blank">https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-118574828</A> Tue, 11 Jun 2019 16:59:26 GMT https://community.cisco.com/t5/network-access-control/questions-about-ise-fail-over/m-p/3871136#M24796 Jason Kunst 2019-06-11T16:59:26Z