topic Removing last PSN from cluster in Network Access Control

Removing last PSN from cluster

dgaikwad — Thu, 04 Jul 2019 13:05:16 GMT

Hi Experts,

In my lab I had setup and entire dsitributed cluter with one each of the nodes (Primary and secondary PAN, primary and secondary Motioning, and a PSN)
Now when I tried to remove the primary monitoring node (after removing the secondary monitoring), an error was thrown, stating that there needs to be at least one monitoring node in the cluster.
But, when I removed the the only PSN from the cluster, there was no such error or warning given?!
Is this something by design? Or am I doing something wrong?
It all stems to the lab that I have setup and noticed this, not sure if this by design or if missing out on something?

Re: Removing last PSN from cluster

Surendra — Thu, 04 Jul 2019 14:00:51 GMT

This is by design. Since PAN/PSNs do not have a logging capability of their own, there needs to be a Monitoring node in the deployment as it is completely off loaded to the MnT Persona and that there can be only 2 monitoring nodes in a deployment. Even if you do not have a PSN, you can use PxGrid services of a node just subscribing and publishing data. I know that this is not a perfect answer but partially explains the need not do so.

Re: Removing last PSN from cluster

Damien Miller — Thu, 04 Jul 2019 20:42:04 GMT

Keep in mind that you can run all ISE roles/personas on a single node if you want to do so. I wouldn't recommend a single node deployment in production, but I regularly use a single node for lab purposes.

Re: Removing last PSN from cluster

RaffyLindogan — Fri, 05 Jul 2019 04:24:40 GMT

Hi mate,

The reason for this is that ISE doesn't have a concept of Primary or Secondary PSN.

It is the NAD that dictates which ISE to go to first as primary or secondary.

If you check on the ISE Deployment, The "Roles" of PRI - primary or SEC - secondary is for (A) - admin or (M) - monitoring.
You will never see that on PSN Role.

Cheers,

Raffy

Re: Removing last PSN from cluster

dgaikwad — Mon, 08 Jul 2019 08:03:01 GMT

If there are no other PSN in the cluster, then in that scenario, it is possible for the PAN to process the authentication requests?

If the NAD is pointed to the PAN in the cluster?

Re: Removing last PSN from cluster

hslai — Wed, 10 Jul 2019 16:32:32 GMT

Yes, if the admin node(s) enabled with session services.

Re: Removing last PSN from cluster

dgaikwad — Tue, 16 Jul 2019 08:39:50 GMT

Thank you guys! I think this has resolved my query...