topic Re: ISE failover impact in Network Access Control

ISE failover impact

hussainmajeed87 — Tue, 01 Dec 2020 20:36:31 GMT

Hello,

We have a power outage last week and the primary ISE went down, but the 2ndary didn't kick in, so we had to do it manually to promote to primary, the process took 1 hour and 30 minutes for initiating the services to be back in running mode.

we face some RAM issues on the 2ndary server and it was slow to back online.

So, after the outage, the primary comes back online but it is showing as a role secondary.

In case we need to push it back as primary, my questions are:

How long is going to take for the Failover?
What is the impact?
As of the second server is running, is the authentication/clients/tacac.s will get disconnected or fail?

current services are:

Node-1 - Primary - (Role-Secondary )

Node-2 - Secondary - (Role- Primary )

Re: ISE failover impact

Marius Gunnerud — Wed, 02 Dec 2020 08:30:48 GMT

What version of ISE are you running?

If you go to Administration > System > Deployment and then click on PAN Failover, is the Enable Auto PAN Failover button selected? If not select it and fill out the required fields and click save. Your PAN and MNT nodes should now failover automatically.

Re: ISE failover impact

Marvin Rhoads — Thu, 03 Dec 2020 01:44:17 GMT

@Marius Gunnerud don't we need a third node to monitor PAN health in order to perform automatic failover? The OP indicated he has only a 2-node deployment.

Even with automatic failover using a third node there is no concept of preemption so failback has to be done manually.

If the deployment is 2 nodes, the PSN role should be running on both and a failover or failback should only take place on one unit at a time so the other PSN persona should always be available to service new authentications.

Also see this good article:

https://bluenetsec.com/promote-ise-secondary-pan-to-become-the-primary/

Re: ISE failover impact

Marius Gunnerud — Wed, 02 Dec 2020 13:45:06 GMT

That is correct @Marvin Rhoads a third node needs to be present to monitor heartbeats. Overlooked the two node setup.

Re: ISE failover impact

hussainmajeed87 — Wed, 02 Dec 2020 16:32:23 GMT

We are running on 2.6.0 156

I have checked the PAN and the PAN auto-failover is not enabled, and it could be the reason why didn't fail automatically.

In case we need to push it back as primary, my questions are:

How long is going to take for the Failover?
What is the impact?
As of the second server is running, is the authentication/clients/tacac.s will get disconnected or fail?

Re: ISE failover impact

Marvin Rhoads — Thu, 03 Dec 2020 01:43:43 GMT

~~Please see my earlier reply for details on impact.~~

~~As long as one server is active (and assuming your network access devices are correctly configured to use both PSNs for AAA services) end users should not be affected during failover.~~

Update: I believe the 2-node scenario will result in both PSNs being unavailable for a period. In that case, new authentications will not be possible until one of the PSNs comes back up.

The process takes about 15-20 minutes. If I were planning a maintenance window, I would plan for an hour or two and hope to finish early. 🙂

Re: ISE failover impact

hussainmajeed87 — Wed, 02 Dec 2020 20:10:45 GMT

Thank you, Marvin, we will try and share the result.

Re: ISE failover impact

hussainmajeed87 — Mon, 07 Dec 2020 18:27:39 GMT

Thank you Marvin, it worked but it took more time than what you have mentioned for syncing and initiating.

Between 00:45 m to 1 Hour. for moving back to the primary.