topic Re: switch to the secondary PAN node in Network Access Control

switch to the secondary PAN node

nastiakhon — Wed, 21 Jan 2026 14:33:12 GMT

Hello.
Is there any way to automatically switch to the secondary PAN node if the primary PAN node crashes? This usually has to be done manually.
Thanks!

Re: switch to the secondary PAN node

balaji.bandi — Wed, 21 Jan 2026 14:36:33 GMT

Depends on the deployment; if you configured PAN AutoFailover, then yes. if not then manually promote required.

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#toc-hId-118574828

OLD document still good for understanding :

https://www.ciscopress.com/articles/article.asp?p=2812072

Re: switch to the secondary PAN node

Rob Ingram — Wed, 21 Jan 2026 14:38:48 GMT

@nastiakhon you can automatically failover, but it does require there be at least one other non-admin node in the deployment (in addition to the Primary PAN and Secondary PAN). If you only have a small 2 node ISE deployment, then you cannot automatically failover.

Re: switch to the secondary PAN node

nastiakhon — Wed, 21 Jan 2026 14:49:40 GMT

We don't have a deployed ISE yet, we're only in the planning stage, so we'd like to immediately create a scheme that will automatically switch over if the main node becomes unavailable.

Re: switch to the secondary PAN node

Rob Ingram — Wed, 21 Jan 2026 14:59:39 GMT

@nastiakhon well you'd need to design your ISE cluster accordingly, with at least 3 ISE nodes for auto failover functionality, with the non-admin node acting as the health check node. The health check node can also function as a non-admin role, i.e., PSN.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/admin_guide/b_ise_admin_3_4/b_ISE_admin_deployment.html#ID59

Re: switch to the secondary PAN node

nastiakhon — Wed, 21 Jan 2026 15:21:23 GMT

So, if we have two data centers, we'll set up a separate PAN1 node and a separate PSN1 node in the first data center. We'll do the same in the second data center, setting up a separate PAN2 node and a separate PSN2 node. We'll select PAN1 as the primary node in data center 1, and specify that its health check node will be PSN1. We'll do the same for the second data center.
So, we'll have a total of 4 nodes.
Am I correct in understanding that with this setup, if PAN1 fails, PAN2 will automatically become the primary node, and the workflow won't be interrupted?

Re: switch to the secondary PAN node

Rob Ingram — Wed, 21 Jan 2026 15:38:25 GMT

@nastiakhon some features are unavailable when the Primary PAN is unavailable. So during the brief period during PAN switchover is occurring there maybe some features unavailable. Refer to Table 10 for a full list- https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_deployment.html#ID59

Health Check design:-

Re: switch to the secondary PAN node

nastiakhon — Wed, 21 Jan 2026 15:41:25 GMT

I understand everything. Thank you very much for your help!