topic Re: ISE Auto Failover in Network Access Control

ISE Auto Failover

Jason Maynard — Tue, 08 Jan 2019 13:16:10 GMT

I want to confirm this is still true today with 2.4

https://community.cisco.com/t5/identity-services-engine-ise/pan-auto-failover-for-2-ise/td-p/3512753

I require automatic failover for guest/sponsorship services and currently running in standalone mode.

It appears that the minimum deployment mode in this case is medium. Example:

PAN/MNT Primary (DC1)
PAN/MNT Secondary (DC2)
PSN1 (DC1)
PSN2 (DC2)

PSNs also acting as health check boxes for their respective DC.

Can I get confirmation?

Also, based on the timers are we looking at best time for guest services to be available during auto failover is 20 minutes?

Thanks

Re: ISE Auto Failover

Jason Kunst — Tue, 08 Jan 2019 14:37:13 GMT

I assume you’re talking about PAN auto failover correct? Correct minimum deployment requires PAN/MNT on their own boxes and PSN outside of this deployment to monitor. See sizing guide.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-000000b1

see here for what’s available when the PAN is down
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

The default times should be fine.

Re: ISE Auto Failover

Jason Maynard — Tue, 08 Jan 2019 19:46:03 GMT

Just to be clear -

Multiple DCs I would required a medium deployment

PAN/MNT Primary (DC1)
PAN/MNT Secondary (DC2)
PSN1 (DC1)
PSN2 (DC2)

Each PSN acting as a health check node for their respective DC PAN/MNT as well as PSN

Single DC is this supported

PAN/MNT Primary (DC1)
PAN/MNT Secondary (DC1)
PSN1 (DC1)

Single PSN acting as a health check node for their respective DC PAN/MNT as well as PSN.

Also, with the timers - can I tweak them to reduce the overall time to failover? Recommended?

Thanks,
Jason

Re: ISE Auto Failover

Arne Bier — Tue, 08 Jan 2019 23:24:08 GMT

Regarding the timers, I don't know if there is enough field experience to answer this reliably, but let's be clear about what this Automatic PAN failover is for. If the PAN fails, then Guests will still get to the guest portal and MAB etc will still work. The urgency is around the Sponsor Portal because that will be unavailable while the PAN is not running 100%. That's the only issue as far as I know. How quickly do you need the Sponsor portal back up? 20min sounds reasonable. Why not make it more aggressive? Because if the PAN is restarted intentionally (or there is a transient LAN failure), then you don't want to Auto failover to kick in and start causing havoc. Leave yourself some room. Remember that this mechanism causes the Standby to restart - that is not fast. So you want to avoid that if it's not required.

Re: ISE Auto Failover

Jason Kunst — Tue, 08 Jan 2019 23:34:13 GMT

Yes agree with Arne. Leave alone . Also have 2 PSNs for redundancy

Re: ISE Auto Failover

Jason Maynard — Tue, 08 Jan 2019 23:36:22 GMT

Thanks on the timers. Just need confirmation on the examples single vs. Dual DCs

Re: ISE Auto Failover

Jason Maynard — Tue, 08 Jan 2019 23:41:21 GMT

Hey Jason

Would 3 be a supported solution 2x PAN/MNt and 1xPSN? Just want to have all the options available - I realize that 2x PSN provides redundancy for policies and health checks but need to be clear what min is supported

Re: ISE Auto Failover

Jason Kunst — Tue, 08 Jan 2019 23:42:13 GMT

They’re fine but make sure to have minimum 2 psns separate from the PAN/MNT in either scenario

Re: ISE Auto Failover

Jason Kunst — Tue, 08 Jan 2019 23:58:13 GMT

That all depends on your scale but yes 1 psn is minimal but not recommended

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-00000018