https://community.cisco.com/t5/network-access-control/cisco-ise-ha-behavior-if-both-nodes-lost-connection-to-each/m-p/4477265#M570035 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/804751">@jj2048</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;<STRONG>1st</STRONG>:</P><P class="lia-align-justify"><STRONG>PSN</STRONG> will work even if <STRONG>PAN</STRONG> (<STRONG>Primary</STRONG> and/or&nbsp;<STRONG>Secondary</STRONG>) is down !!!</P><P class="lia-align-justify">Note: special attention for the following bug: <A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCvu62938" target="_blank" rel="noopener">CSCvu62938 Posture fails when primary PSN/PAN are unreachable</A>.</P><P class="lia-align-justify">&nbsp;<STRONG>2nd</STRONG>:</P><P class="lia-align-justify">All <STRONG>PSNs</STRONG> will send their logging data to the <STRONG>MnT Node</STRONG> as <STRONG>Syslog Messages</STRONG> (<STRONG>UDP port 20514</STRONG>).</P><P class="lia-align-justify">When there are two <STRONG>MnT Nodes</STRONG>, all <STRONG>ISE Nodes</STRONG> send their <U>audit data</U> to both <STRONG>MnT Nodes</STRONG> at the same time.<BR />Upon an <STRONG>MnT</STRONG> <U>failure</U>, all <STRONG>Nodes</STRONG> continue to send logs to the <U>remaining</U> <STRONG>MnT Node</STRONG>. Therefore, <U>no logs are lost</U>. The <STRONG>PAN</STRONG> retrieves <U>ALL log and report data from the remaining</U> <STRONG>MnT Node</STRONG>, so there is no administrative function loss, either. However, the <U>log database is not synchronized</U> between the <STRONG>Primary</STRONG> and <STRONG>Secondary MnT Nodes</STRONG>. Therefore, when the <STRONG>MnT Node</STRONG> returns to service, a <U>backup and restore</U> of the <STRONG>MnT Node</STRONG> is <U>required</U> to keep the two <STRONG>MnT Node</STRONG> in complete sync.</P><P class="lia-align-justify">&nbsp;<STRONG>3rd</STRONG>:</P><P class="lia-align-justify"><STRONG>Automatic Failover</STRONG> (to <U>promote</U> the <STRONG>Secondary PAN</STRONG> to <STRONG>Primary PAN</STRONG>) requires a <STRONG>Non-Administration Secondary Node</STRONG>, called a <STRONG>Health Check Node</STRONG>. This <STRONG>Node</STRONG> checks the health of <STRONG>Primary PAN</STRONG>. If the health detects that the <STRONG>Primary PAN</STRONG> is <U>down or unreachable</U>, the <STRONG>Health Check Node</STRONG> initiates the <U>promotion</U> of the <STRONG>Secondary PAN</STRONG> to take over the <U>primary role</U>. To deploy the <STRONG>Automatic Failover</STRONG> feature, you <U><STRONG>MUST</STRONG></U> have <U>at least three</U> <STRONG>Nodes</STRONG>.</P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Hope this helps !!!</P> Wed, 29 Sep 2021 22:39:38 GMT Marcelo Morais 2021-09-29T22:39:38Z https://community.cisco.com/t5/network-access-control/cisco-ise-ha-behavior-if-both-nodes-lost-connection-to-each/m-p/4477247#M570033 <P><STRONG>Full Question:</STRONG></P><P>What is the behavior of Cisco ISE in HA when both nodes lost connectivity with each other but both nodes are still up?</P><P><BR /><STRONG>Scenario:</STRONG></P><P>Let's say that Cisco ISE standalone are both installed on two sites A and B. Suddenly the connection between A (ISE-A) and B (ISE-B) are cut off, but both Nodes are still up.</P><P><U><EM>1. What is the expected behavior when this occurs?</EM></U></P><P>-Will ISE services such as tacacs/radius both work with respect to each site?</P><P>-Will we be unable to monitor (radius/tacacs live logs) the authentications on Site B (ISE-B) only or both sites? (Refer to Assumption 1)</P><P>&nbsp;</P><P><STRONG>Assumptions</STRONG></P><P>1. ISE-A (Primary Admin, Secondary MnT, PSN Active)</P><P>2. ISE-B (Secondary Admin, Primary MnT, PSN Active)</P><P>3. Site A Network Devices are radius/tacacs pointed to ISE-A as primary and ISE-B as secondary</P><P>4. Site B Network Devices&nbsp;are radius/tacacs pointed to ISE-B as primary and ISE-A as secondary</P><P>5. Site A and B both have dedicated AD/DNS servers, and are still reachable on both ISE.</P><P>&nbsp;</P><P>I appreciate any feedback or additional comments.</P> Wed, 29 Sep 2021 21:39:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ha-behavior-if-both-nodes-lost-connection-to-each/m-p/4477247#M570033 jj2048 2021-09-29T21:39:59Z https://community.cisco.com/t5/network-access-control/cisco-ise-ha-behavior-if-both-nodes-lost-connection-to-each/m-p/4477265#M570035 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/804751">@jj2048</a>&nbsp;,</P><P class="lia-align-justify">&nbsp;<STRONG>1st</STRONG>:</P><P class="lia-align-justify"><STRONG>PSN</STRONG> will work even if <STRONG>PAN</STRONG> (<STRONG>Primary</STRONG> and/or&nbsp;<STRONG>Secondary</STRONG>) is down !!!</P><P class="lia-align-justify">Note: special attention for the following bug: <A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCvu62938" target="_blank" rel="noopener">CSCvu62938 Posture fails when primary PSN/PAN are unreachable</A>.</P><P class="lia-align-justify">&nbsp;<STRONG>2nd</STRONG>:</P><P class="lia-align-justify">All <STRONG>PSNs</STRONG> will send their logging data to the <STRONG>MnT Node</STRONG> as <STRONG>Syslog Messages</STRONG> (<STRONG>UDP port 20514</STRONG>).</P><P class="lia-align-justify">When there are two <STRONG>MnT Nodes</STRONG>, all <STRONG>ISE Nodes</STRONG> send their <U>audit data</U> to both <STRONG>MnT Nodes</STRONG> at the same time.<BR />Upon an <STRONG>MnT</STRONG> <U>failure</U>, all <STRONG>Nodes</STRONG> continue to send logs to the <U>remaining</U> <STRONG>MnT Node</STRONG>. Therefore, <U>no logs are lost</U>. The <STRONG>PAN</STRONG> retrieves <U>ALL log and report data from the remaining</U> <STRONG>MnT Node</STRONG>, so there is no administrative function loss, either. However, the <U>log database is not synchronized</U> between the <STRONG>Primary</STRONG> and <STRONG>Secondary MnT Nodes</STRONG>. Therefore, when the <STRONG>MnT Node</STRONG> returns to service, a <U>backup and restore</U> of the <STRONG>MnT Node</STRONG> is <U>required</U> to keep the two <STRONG>MnT Node</STRONG> in complete sync.</P><P class="lia-align-justify">&nbsp;<STRONG>3rd</STRONG>:</P><P class="lia-align-justify"><STRONG>Automatic Failover</STRONG> (to <U>promote</U> the <STRONG>Secondary PAN</STRONG> to <STRONG>Primary PAN</STRONG>) requires a <STRONG>Non-Administration Secondary Node</STRONG>, called a <STRONG>Health Check Node</STRONG>. This <STRONG>Node</STRONG> checks the health of <STRONG>Primary PAN</STRONG>. If the health detects that the <STRONG>Primary PAN</STRONG> is <U>down or unreachable</U>, the <STRONG>Health Check Node</STRONG> initiates the <U>promotion</U> of the <STRONG>Secondary PAN</STRONG> to take over the <U>primary role</U>. To deploy the <STRONG>Automatic Failover</STRONG> feature, you <U><STRONG>MUST</STRONG></U> have <U>at least three</U> <STRONG>Nodes</STRONG>.</P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">Hope this helps !!!</P> Wed, 29 Sep 2021 22:39:38 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ha-behavior-if-both-nodes-lost-connection-to-each/m-p/4477265#M570035 Marcelo Morais 2021-09-29T22:39:38Z https://community.cisco.com/t5/network-access-control/cisco-ise-ha-behavior-if-both-nodes-lost-connection-to-each/m-p/4477300#M570041 <P>Hi,&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/17232">@Marcelo Morais</a>&nbsp;</P><P>&nbsp;</P><P>This helps a lot! Very informative and made me understand it better.</P><P>&nbsp;</P><P>Thank you!</P> Thu, 30 Sep 2021 00:26:02 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ha-behavior-if-both-nodes-lost-connection-to-each/m-p/4477300#M570041 jj2048 2021-09-30T00:26:02Z