topic Re: PAN Auto-Failover for 2 ISE in Network Access Control

PAN Auto-Failover for 2 ISE

junk1 — Wed, 13 Dec 2017 10:25:02 GMT

I am working on the ISE part of my DNA SDA customer. There are 2 ISE boxes and each ISE box running PAN, MnT and PSN personas. I would like to know how to enable Auto Failover between PAN. The below URL says, for enabling PAN Auto Failover, I need 3 nodes - 2 of which are admin nodes and a 3rd secondary node.

Please suggest how to achieve Auto failover between PAN in a standalone deployment.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID59

If I promote Secondary PAN to Primary will it restart? Is that an expected behaviour? If it restarts, and as PSN is also running in same box there will be a downtime in the network. Please advise.

Thanks and Regards

V Vinodh.

Re: PAN Auto-Failover for 2 ISE

Jason Kunst — Wed, 13 Dec 2017 12:17:54 GMT

Auto failover is not supported with standalone

You will need an external psn to be the health monitor

To be supported for this in production you will need a non standalone setup where the psns are outside of the pan/mnt for a small medium setup

Please see the ISE deployment sizing in the admin guide

Re: PAN Auto-Failover for 2 ISE

Jason Kunst — Wed, 13 Dec 2017 12:23:35 GMT

yes when you Promote it will restart and that psn Will be down as it’s running on same system

Re: PAN Auto-Failover for 2 ISE

junk1 — Wed, 13 Dec 2017 12:50:57 GMT

Thanks for the response.

Could you please confirm if Auto Failover also restarts the ISE services?

Regards

V Vinodh.

Re: PAN Auto-Failover for 2 ISE

Jason Kunst — Wed, 13 Dec 2017 13:11:55 GMT

I am not sure please read the guide here and I will check

To be safe assume yes they are

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.html#reference_58F40B0E4D354B4DBB9940E4DB8DC8ED

Re: PAN Auto-Failover for 2 ISE

hslai — Wed, 13 Dec 2017 14:21:00 GMT

Yes. It's to automate the action in promoting the secondary PAN to the primary. It restarts the ISE services on the secondary PAN when we do it manually so the auto failover will restart ISE services as well.

Re: PAN Auto-Failover for 2 ISE

Arne Bier — Wed, 13 Dec 2017 23:08:54 GMT

We don't hear much about PAN failover on these forums but I can happily report that I have been using it since day one and it works as designed.

I had the unfortunate experience the other day where the primary PAN popped its clogs for no reason, and the Secondary took over automatically. It's not quick. And the failure detection should NOT be quick because failover is not to be taken lightly. Processes take ages to wind down, and then start up again on Secondary. I have left the default timers in place which means that failover is TRIGGERED after 10 minutes. At that point the Secondary stops processes and restarts. In my case that's another 10min down. All in all, from time of PAN Primary failure, until happy eyeballs, you're looking at 20min no Admin. Here are some other caveats to be aware of

1) While Admin(s) are down, Sponsor Portal works on PSN but nobody can log in - Guest accounts managed by PAN!

2) PAN Auto Failover gets in the way of patches and upgrades. Make sure you disable PAN failover prior to patching

3) URT for ISE 2.3 couldn't cope with a system where PAN Auto failover was enabled. Fixed in later release of URT. Just beware that unintentional side effects (weird stuff) can happen with PAN Auto failover.

Re: PAN Auto-Failover for 2 ISE

junk1 — Thu, 14 Dec 2017 05:29:58 GMT

Thanks everyone, for the responses. Much appreciated.

Re: PAN Auto-Failover for 2 ISE

junk1 — Thu, 14 Dec 2017 13:00:03 GMT

Hi Arne

I was testing this and observed there is a downtime even for the dot1x radius authentication traffic, while the Secondary PAN is promoting into Primary role. Is that an expected behaviour? As per the below link it is not supposed to impact the radius authentication traffic. Please suggest.

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Set Up Cisco ISE in a Distributed Environment [Cisco …

Thanks

V Vinodh.

Re: PAN Auto-Failover for 2 ISE

Arne Bier — Fri, 15 Dec 2017 01:02:53 GMT

Vinodh

I have not tested this scenario. I have a full distributed deployment (2 x PAN, 2 x MnT and 4 x PSN). I would suspect that in such a deployment the Radius daemon on my PSN's would be unaffected by the PAN outage. If this is NOT the case then I would be quite alarmed. WHat does your deployment look like? Do use allinone nodes? If so,and if not using some load balancer intelligence, then I would expect the NAS to still send to the Primary AAA (PAN/PSN) and thus impacting traffic.