topic Re: ISE single PSN node down. in Network Access Control

ISE single PSN node down.

rashish135@yahoo.co.in — Wed, 31 Mar 2021 06:08:48 GMT

We are planning to deploy Cisco ISE with 3 node deployment (Primary PAN, Secondary PAN and monitoring PSN).

Please help in understanding, what will be the impact, if single monitoring PSN goes down?

Regards

Ashish Shah

Re: ISE single PSN node down.

Mark Elsen — Wed, 31 Mar 2021 07:10:15 GMT

- Monitoring PSN ? PSN normally denotes Policy Service Node and is critical , for more info :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#typesofpersonas

Re: ISE single PSN node down.

rashish135@yahoo.co.in — Wed, 31 Mar 2021 07:22:36 GMT

I mean what will be the impact of health check PSN goes down.

3 node deployment

Primary PAN, Secondary PAN and health check PSN.

Re: ISE single PSN node down.

Mark Elsen — Wed, 31 Mar 2021 07:32:25 GMT

- In general that kind of deployment type is discouraged, it is always better to have 2 PSN , which can then be configured

as authenticators on the network devices resulting in fallback and or redundancy when one PSN goes down.

Re: ISE single PSN node down.

Marcelo Morais — Wed, 31 Mar 2021 11:52:12 GMT

Hi,

remember that ...

PAN is the single pane of glass for ISE Admin (interface to configure and view Policies), it is the replication hub for all database config changes (responsible for policy sync across Secondary PAN and ALL PSNs)

PSN is the RADIUS/TACACS+ Server.

in other words, if your only PSN goes down, then you loose your RADIUS/TACACS+ Server, you have the option to use a 2x Nodes Deployment:

1st Node: Primary PAN, Primary MnT and PSN 01
2nd Node: Secondary PAN, Secondary MnT and PSN 02

Note: the Health Check PSN is used to automatically Promote the Secondary PAN to primary if the Primary PAN goes down !!!

Hope this helps !!!

Re: ISE single PSN node down.

Damien Miller — Wed, 31 Mar 2021 14:29:29 GMT

As Marce1000 mentioned, a three node deployment such as this is not an official tested/certified deployment methodology, but it can still work. I tend to see it deployed when companies understand the risk and still want automatic PAN failover to function.

That said, if the third node, PSN in your case, goes down, the primary PAN and secondary PAN will not change. Losing the quorum decider aka health check node. If you were to also lose the primary PAN at the same time as the only health check node you have deployed, then it also won't failover. You wouldn't want this automatic promotion scenario anyways since reloading the only remaining node would result in a complete service outage. So if the primary PAN goes down, and the secondary and health check PSN stay up, then by default the promotion will begin after the p-pan has been down for 10 minutes. The secondary PAN will reload and come up as the primary in 10-15 minutes, the whole process takes 10 min down time + 10-15 for reload = 20-25 minutes.

If you are going to use a three node deployment with PAN failover enabled, then ensure all three nodes are providing the PSN services, and every network device also has the three IP's configured for radius/tacacs. This prevents PAN reloads from causing a complete authentication outage.
1x Pri-PAN/-Pri-MNT/PSN
1x Sec-PAN/Sec-MNT/PSN
1x PSN

You can also read this admin guide section for what is available when the primary admin node is down, they have is broken in to a nice table.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_deployment.html#ID57

Re: ISE single PSN node down.

rashish135@yahoo.co.in — Thu, 01 Apr 2021 04:35:57 GMT

Thanks for your valuable inputs. As you mentioned, we will be enabling PSN and MnT persona on Primary and secondary PAN.