topic Re: ISE MNT Failover Testing in Network Access Control

ISE MNT Failover Testing

Scott Gillies — Mon, 11 Mar 2019 08:49:29 GMT

I have a new distributed ISE deployment PAN, MNT and 2 * PSNs that I have to failover test.

The PAN and MNT act as secondary MNT and PAN to each other.

When I failover the PAN the MNT is set to be manually promoted to PAN and therefore reboots (restarts its ISE services).

When I failover the MNT (stop the application via cli) the PAN has to be set as Primary MNT. I presume this does not cause a restart of ISE PAN services, does it?

What is good evidence that I can record to show that the PAN is also now the current Primary MNT?

Many thanks in advance

Scott

Re: ISE MNT Failover Testing

kthiruve — Wed, 12 Sep 2018 20:36:23 GMT

PAN and MNT are two different functional roles in a ISE deployment.

If you have two nodes, one as primary PAN and primary MNT, second one as secondary PAN and secondary MNT. The Primary PAN is active and Secondary PAN will be standby. ISE supports both automatic and manual failover of Administrative node. For automatic failover you need something called a health check node that checks if the Primary PAN is available or not. You can have a PSN as a health check node if you have PAN and MNT in the same node. Health check node should not be a PAN.

You can find more information about Admin node failover with the following documentation for ISE 2.4.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

You can try out the failover once you understand how it works and enable the right set of controls.

Then look at the ISE UI, Administration --> Deployment and check the roles of the individual nodes.

-Krishnan

Re: ISE MNT Failover Testing

Jason Kunst — Wed, 12 Sep 2018 20:34:45 GMT

I would also look at craig hyps performance and scale presentation from cisco live
https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944

Re: ISE MNT Failover Testing

Scott Gillies — Thu, 13 Sep 2018 13:25:26 GMT

Hi Krishnan

Thank you for your prompt reply.

Apologies I should have mentioned I am using ISE 2.2 not 2.4. I have a manual PAN failover configuration so the Health Check Node will not be applicable in my current deployment.

When the Secondary Admin node (in my case the MNT is the Secondary Admin) is promoted to Primary Admin (in my case I will do this manually - stop the PAN services then promote the MNT which will reboot the ISE services) it will be obvious/evident when logging onto the MNT that it is now the Primary Admin because the Web Gui should now have all the appropriate Admin configuration options which only the Primary PAN has.

What I am trying to understand is if I configure/promote the Secondary MNT (in my case the PAN is Secondary MNT) to be the Primary MNT what evidence do I look for (other than the configuration in the deployment) that the PAN is also performing the Primary MNT role? Is there anything obvious that would indicate this?

Also does setting the PAN as Primary MNT cause the PAN to reboot the ISE services?

Many thanks

Re: ISE MNT Failover Testing

kthiruve — Sat, 15 Sep 2018 01:07:29 GMT

It will be good to record this as you do a change.

When you stop the service in Primary PAN and MNT, check out what happens to secondary PAN and MNT.

Here is the link to ISE 2.2 MNT failover documentation.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.html#ID90

In your case, secondary MNT should get the logs still when Primary MNT goes down. You need to manually promote Secondary MNT/PAN to primary then.

Thanks

Krishnan