https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479727#M537267 <HTML><HEAD></HEAD><BODY><P>Hi folks,</P><P></P><P>my customer is planning to deploy ISE in a small deployment: One node as PAN/MnT/PSN and a second node also with Admin(secondary)/MnT/PSN.</P><P></P><P>Now he would like to deploy a 3<SUP>rd</SUP> node to act as a health-check node to support automatic failover for Admin node.</P><P></P><P>According to the scaling guidelines, it is not supported to register a 3<SUP>rd</SUP> node to a 2-node deployment where the two nodes have all three&nbsp; personas. Is there an exeption for the case of the health check node? So would the following deployment be allowed/supported:</P><P></P><P>ISE -instance 1: PAN/MnT/PSN</P><P>ISE-instance 2: (s)AN/MnT/PSN</P><P>ISE-instance 3: PSN, health-check (PSN will not be used as such, no RADIUS-requests will be sent to that node)</P><P></P><P>Thanks in advance.</P><P> Roland</P></BODY></HTML> Fri, 21 Oct 2016 07:28:36 GMT rmueller@cisco.com 2016-10-21T07:28:36Z https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479727#M537267 <HTML><HEAD></HEAD><BODY><P>Hi folks,</P><P></P><P>my customer is planning to deploy ISE in a small deployment: One node as PAN/MnT/PSN and a second node also with Admin(secondary)/MnT/PSN.</P><P></P><P>Now he would like to deploy a 3<SUP>rd</SUP> node to act as a health-check node to support automatic failover for Admin node.</P><P></P><P>According to the scaling guidelines, it is not supported to register a 3<SUP>rd</SUP> node to a 2-node deployment where the two nodes have all three&nbsp; personas. Is there an exeption for the case of the health check node? So would the following deployment be allowed/supported:</P><P></P><P>ISE -instance 1: PAN/MnT/PSN</P><P>ISE-instance 2: (s)AN/MnT/PSN</P><P>ISE-instance 3: PSN, health-check (PSN will not be used as such, no RADIUS-requests will be sent to that node)</P><P></P><P>Thanks in advance.</P><P> Roland</P></BODY></HTML> Fri, 21 Oct 2016 07:28:36 GMT https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479727#M537267 rmueller@cisco.com 2016-10-21T07:28:36Z https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479728#M537268 <HTML><HEAD></HEAD><BODY><P>No this design hasn't been tested, and thus not supported.</P></BODY></HTML> Fri, 21 Oct 2016 15:32:37 GMT https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479728#M537268 howon 2016-10-21T15:32:37Z https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479729#M537269 <HTML><HEAD></HEAD><BODY><P>Hosuk is correct.&nbsp; The basic requirement that you have an "objective observer" to make the failover decision.&nbsp; The Primary PAN cannot monitor itself and concern over Secondary making that decision is that if break link between Primary and Secondary, then increase potential for a split brain (Active/Active) deployment where connectivity between NADs is still possible to individual nodes.&nbsp; Architecture currently does not support an "auto-reconciliation" of config changes or data that may have been learned during Active/Active, so decision made to make sure health check node is separate.</P><P></P><P>Craig</P></BODY></HTML> Mon, 24 Oct 2016 15:57:03 GMT https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479729#M537269 Craig Hyps 2016-10-24T15:57:03Z https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479730#M537270 <HTML><HEAD></HEAD><BODY><P>Hi Craig,</P><P>thanks for the explanation.</P><P>I am fine to have a seperate node as health-check node, but if I follow strictly the deployment guide I have to move from a "small" deployment (with only two "productive" nodes) to a medium deployment, otherwise I am not allowed to register a seperate health-check node. This means, although two nodes would be fine scalability wise, the customer would have to deploy 4 ise instances + health node just to get automatic PAN failover.</P><P></P><P>Or do I miss something?</P><P>Roland</P></BODY></HTML> Mon, 24 Oct 2016 17:12:46 GMT https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479730#M537270 rmueller@cisco.com 2016-10-24T17:12:46Z https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479731#M537271 <HTML><HEAD></HEAD><BODY><P>Correct.&nbsp; Unfortunately we do not QA test a scenario where we have a separate check node with no other function.&nbsp; Although no testing to support, I would expect minimal impact if no User Services (RADIUS / Profiling) or optionally pxGrid services, however, there is still an impact on the PPAN node to maintain health and replication of this additional node. It may still be minimal, especially if node has reasonable connectivity (minimal WAN latency/bw for replication), the actual impact is not measured.&nbsp; Consequently, you could configure it and it may present minimal risk, but any issues related to deployment stability or scaling will likely bring this configuration into question and could require de-registration for continued TAC support.&nbsp;&nbsp; </P><P></P><P>Hope that clarifies.</P><P>Craig</P></BODY></HTML> Mon, 24 Oct 2016 17:41:48 GMT https://community.cisco.com/t5/network-access-control/automatic-admin-node-failover-for-more-small-deployments/m-p/3479731#M537271 Craig Hyps 2016-10-24T17:41:48Z