topic Re: Cisco ISE Manual Failover in Network Access Control

Cisco ISE Manual Failover

Netmart — Sun, 16 Jun 2024 03:58:50 GMT

Hello,

I am planning a manual failover from Active to Secondary.

And in order for the Primary to become offline, I was wondering whether it is sufficient to shut down its network interface.

Next, the role of the Secondary has to be manually set to primary by assessing the GUI of Secondary visiting Administration > System > Deployment.

Before I am doing this, how am I able to make sure that the secondary is in sync and to be able to operate as primary.

ISE version: 3.0_061722

Please advise.

Thanks,

Re: Cisco ISE Manual Failover

Ambuj M — Sun, 16 Jun 2024 04:56:39 GMT

you don't necessarily have to shutdown primary to promote secondary, you can do it anytime.

to check Sync hover over on the information icon next to node status on deployment page , it will tell you if its in sync.

If you do need to shutdown primary a graceful way would be to SSH into primary and shutdown application with "application stop ise" command then you can shut down uplink to ISE.

Re: Cisco ISE Manual Failover

Netmart — Mon, 17 Jun 2024 16:09:47 GMT

Thank you.

When hovering over the information icon as it has been suggested, the primary shows a Message Count of 25644310, while the secondary shows "Sync Status: 0 messages to be synced".

Is it fair to say that both nodes are in sync, but currently there is no need for sinking any messages?

And I am also wondering what type of messages will be synced between the primary and secondary?

Please advise.

Thanks.

Re: Cisco ISE Manual Failover

ahollifield — Mon, 17 Jun 2024 18:05:53 GMT

All messages will be synced, these are just counts for replication. How many ISE nodes do you have? Two?

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-0.html

Re: Cisco ISE Manual Failover

Ambuj M — Tue, 18 Jun 2024 01:25:28 GMT

"0 messages to be synced" means both nodes are in sync.

below are few examples of messages and data that are typically synchronized between the primary and secondary nodes:

Configuration Data

Policy Configurations: All policy settings, including authentication, authorization, and profiling policies.
Identity Stores: User and endpoint identity information from internal and external identity stores.
Posture and Client Provisioning: Configuration related to posture assessment and client provisioning.
Device Administration: TACACS+ configurations and policies.

Operational Data

Session Data: Active session information, including authenticated sessions and associated attributes.
Endpoint Data: Details about endpoints, such as profiling information and endpoint attributes.
Log Data: System logs, including audit logs and RADIUS/TACACS+ logs, which are important for troubleshooting and compliance.

Licensing Information

Licenses: Information about installed licenses and their status.

System Settings

System Settings: General system settings, including network configurations, admin access, and system time settings.

Profiler Data

Profiler Data: Information gathered by the profiling service to identify endpoints.

Monitoring and Alarms

Monitoring Data: Alarms, alerts, and performance monitoring data.
Reports: Generated reports and report configurations.

Re: Cisco ISE Manual Failover

Netmart — Sun, 23 Jun 2024 04:59:45 GMT

Thank you Ammahend.