https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3761541#M487769 So when you add the secondary IP address to the AAA server group within the ASA there is no way to test the secondary node because its not responding to requests until its promoted to primary? Tue, 11 Dec 2018 20:04:57 GMT Steven Williams 2018-12-11T20:04:57Z https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3753022#M487761 <P>When I have two ISE nodes and they are set to primary and secondary on Admin, Monitoring, and Policy how does failover work with this? do I need to create a PAN failover group and add each one to it and enable failover?&nbsp;</P> <P>&nbsp;</P> <P>When I start adding ISE servers to radius servers do I have to list both IP addresses of the ISE Servers?</P> Mon, 26 Nov 2018 19:57:09 GMT https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3753022#M487761 Steven Williams 2018-11-26T19:57:09Z https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3753034#M487764 <P>It is different for each persona:</P> <P>&nbsp;</P> <OL> <LI>Admin- in a two node deployment this is active/passive.&nbsp; If the primary admin fails you would need to go to the GUI of the secondary to promote it to be the primary.&nbsp; At that point the services will restart and authentication would be disrupted.&nbsp; If you have more than two nodes you can configure automatic failover.</LI> <LI>Monitoring- always active/active.&nbsp; All ISE nodes log to both monitoring nodes simultaneously. If the primary monitoring node goes down the Admin persona will automatically start pulling data from the other monitoring node.&nbsp;</LI> <LI>PSN- always active and you decide how you use them by how you point your network devices at them.&nbsp; You might say wired will be PSN #1 first then PSN #2 and wireless PSN #2 first then PSN #1.</LI> </OL> Mon, 26 Nov 2018 20:08:01 GMT https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3753034#M487764 paul 2018-11-26T20:08:01Z https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3753047#M487766 <P>Good answer,</P> <P>&nbsp;</P> <P>I'll just add that for Admin failover the primary doesn't automatically become the active node once it's up. You'll need to promote the primary node yourself.&nbsp;</P> <P>&nbsp;</P> <P>For MnT persona the primary preempts back to working with the active PAN, so no need to promote anything.</P> Mon, 26 Nov 2018 20:28:19 GMT https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3753047#M487766 Nadav 2018-11-26T20:28:19Z https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3761541#M487769 So when you add the secondary IP address to the AAA server group within the ASA there is no way to test the secondary node because its not responding to requests until its promoted to primary? Tue, 11 Dec 2018 20:04:57 GMT https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3761541#M487769 Steven Williams 2018-12-11T20:04:57Z https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3761698#M487770 <P>Requests are handled by PSN nodes, not PAN or MnT. PSN nodes are always active, so you should be getting a reply from any of the PSN nodes assuming the right persona, protocols and policy&nbsp;are in place.</P> Wed, 12 Dec 2018 05:53:20 GMT https://community.cisco.com/t5/network-access-control/ise-failover-questions/m-p/3761698#M487770 Nadav 2018-12-12T05:53:20Z