topic Re: Health Check Node within Base licenses? Roadmap question in Network Access Control

Health Check Node within Base licenses? Roadmap question

Flavio Costa — Mon, 31 Jul 2017 14:53:41 GMT

Hi ISE experts,

Health Check Node functionality (providing automatic promotion of Secondary ISE to Primary in failure circumstance) will at some stage be integrated into the base ISE functionality?

In a 2 node environment where all the processes are on these 2 in A/S configuration, it’s a relatively large cost to go for HCN… and if you want resilient HCN nodes, then its double the cost of the manual approach.

Thanks,

Flavio Costa

Re: Health Check Node within Base licenses? Roadmap question

Arne Bier — Mon, 31 Jul 2017 23:56:55 GMT

I would love to see an engineering document from the BU that explains (with some diagrams) how this concept is designed to work, taking into account the various failure components (PAN node failure, inter-PAN link failure, etc.)

In my view, health checking with a two node setup (both of whom are candidates) can get tricky, because when there is a split brain scenario, then either node can promote itself to be the primary (imagine that Node A doesn't hear from Node B - then it thinks, I am the master - and vice versa). This would arise if both nodes were actually perfectly healthy, but the network link between them gets cut - then they run blind.

A third node provides a concept where we can observe the situation from an outsider's view to determine who is alive or not. This is why we would nominate a MnT node to be a health checker.

One might argue that failover can and does work with two nodes (e.g. HSRP/VRRP etc) and if one were to place priority values then one doesn't need an external health checker. Would be good to hear from the BU 🙂

Re: Health Check Node within Base licenses? Roadmap question

Flavio Costa — Tue, 01 Aug 2017 12:35:08 GMT

Arne, thanks for your input, +1 for a doc that explains this concept. I couldn't find anything in our data base, like Cisco Live presentations for instance.

Re: Health Check Node within Base licenses? Roadmap question

Jason Kunst — Tue, 01 Aug 2017 13:38:09 GMT

A 2 node deployment with automatic PAN failover is not supported

You would need at least 3 nodes

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID59

Craig hyps cisco live for scalability and high availability

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89293&tclass=popup

Slide 225

Re: Health Check Node within Base licenses? Roadmap question

Jason Kunst — Tue, 01 Aug 2017 14:09:54 GMT

Slide 225 to be exact! Advanced - Designing ISE for Scale & High Availability (2016 Berlin)

Re: Health Check Node within Base licenses? Roadmap question

Jason Kunst — Tue, 01 Aug 2017 14:17:21 GMT

We don't discuss roadmap question in the public forum. I understand the original ask is to include automatic failover in a base deployment. Please don't confuse this with base licensing. The automatic failover is included in the base licensing. The confusion is a small (base) deployment you can only have 2 nodes max, its a standalone with high availability. No you cannot deploy automatic failover and understand its a cost to have another node and since its external PSN it requires more resources on the PAN/MNT per the deployment guidelines

If you would like to see this functionality in this type of deployment please reach out through your sales channel to our ISE product management team

Cisco Identity Services Engine Installation Guide, Release 2.2 - Network Deployments in Cisco ISE [Cisco Identity Servi…

Re: Health Check Node within Base licenses? Roadmap question

Flavio Costa — Tue, 01 Aug 2017 16:10:50 GMT

Jason, thank you very much for your inputs! Very helpful!!