ISE Failover test

CCC3
Level 1

Hello.

I'm trying to do an ISE failover.

As far as I know, unlike the WLC, ISE does not automatically change the secondary device to primary even when the primary device is turned off.

So how should we check the results of a successful failover?

I think it would be a good idea to turn off the primary device and see how authentication works with the secondary device through live log.

However, since the secondary device does not automatically transfer to the primary device, you cannot see the live log.
Please give me advice on how to check the results.


Kentemad
Level 1

Configuring and testing a failover scenario in Cisco Identity Services Engine (ISE) is an essential part of ensuring high availability for your network's authentication and authorization processes. While ISE doesn't automatically promote the secondary device to the primary in the event of a failure (like some other Cisco devices), you can perform manual failover testing to ensure that your secondary ISE node can take over smoothly. Here's a step-by-step guide:

1. Preparing for Failover Testing:

Ensure that your secondary ISE node is properly configured and synchronized with the primary node, including certificates, policies, and endpoints.
Confirm that both the primary and secondary nodes are reachable and operational before starting the test.
2. Live Log Monitoring:

Use the live log feature to monitor authentication and authorization events in real-time during the failover test.
Access the live log from the ISE web interface by navigating to "Operations" > "Live Log."
3. Initiating Failover Testing:

Simulate a failure on the primary ISE node. This can be done by stopping the ISE services or disconnecting the network connection to the primary node.
4. Observe Failover Behavior:

With the primary node intentionally unavailable, the secondary node should automatically take over the authentication and authorization tasks.
During this time, monitor the live log for any authentication requests and check if they are successfully processed by the secondary ISE node.
Pay attention to any error messages or issues that may arise during the failover process.
5. Testing Network Access:

Perform network access tests during the failover to ensure that users can still authenticate and access network resources.
If your network has redundancy at other layers (e.g., redundant switches), ensure that network connectivity is maintained during the failover.
6. Logs and Alerts:

Review the system logs and alerts generated by ISE to identify any issues or anomalies that may have occurred during the failover.
7. Failback Testing (Optional):

If desired, you can also test the failback process by restoring the primary node and ensuring that it takes over as the primary device seamlessly.
8. Document the Results:

Document the results of your failover testing, including any issues encountered, error messages, and the time it took for the secondary node to take over.
9. Remediation and Improvements:

If you encounter any issues or delays during failover testing, take steps to remediate them and improve your failover process. This may involve reviewing your ISE configuration, network design, and redundancy mechanisms.
It's important to perform failover testing during a maintenance window or during a period of lower network activity to minimize disruption to users. Additionally, make sure that all relevant stakeholders are aware of the testing and its potential impact on network access.

By following these steps and carefully monitoring the live log during failover testing, you can ensure that your secondary ISE node can effectively take over in the event of a primary node failure, maintaining network security and access.

I understand that the secondary does not automatically fail over to the primary even if the primary node becomes unavailable. So, since the secondary node cannot see the live log in the GUI, how can the secondary node confirm successful authentication?

Confirm successful authentications in real time from an authenticating endpoint or from one of your network access devices (WLC, switch, firewall etc.). Once you restore the Primary PAN / Secondary MnT the RADIUS live log (and Operations Reports) will show events from the Primary MnT node.
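The reply above suggests confirming authentications from an endpoint or a network access device while the MnT live log is unavailable. The script below is an added example, not code from the thread or from Cisco: it acts as a minimal RADIUS client (RFC 2865, PAP) that sends one Access-Request directly to the secondary PSN and checks the reply's Response Authenticator, so a timeout, a reject and an accept can be told apart from the command line without the live log. The PSN address, shared secret and test account in `__main__` are placeholders; the probe's source IP must be defined as a network device in ISE with that secret, and a dedicated test identity should be used. The `build_response` helper only exists so the authenticator check can be exercised offline.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 prescribes: pad to 16-byte
    blocks and XOR each block with MD5(secret + previous block); the first
    block is keyed by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the server side computes)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value (value <= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int, nas_id: bytes = b"ise-failover-probe"):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = os.urandom(16)
    attrs = (tlv(ATTR_USER_NAME, username)
             + tlv(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + tlv(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """What a RADIUS server sends back; used here only to self-check offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes):
    """Return the response code if the Response Authenticator is valid
    (MD5 over code, id, length, Request Authenticator, attributes, secret),
    else None. A valid authenticator shows the reply came from a server that
    holds the shared secret rather than from something else on the path."""
    if len(response) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response):
        return None
    response = response[:length]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def probe_psn(host: str, secret: bytes, username: bytes, password: bytes,
              port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request straight to a PSN and classify the outcome."""
    identifier = os.urandom(1)[0]
    packet, request_auth = build_access_request(username, password, secret, identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            # node down, RADIUS not running, or this source IP is not a known NAD
            return "timeout"
    if len(data) < 2 or data[1] != identifier:
        return "unexpected-id"
    code = verify_response(data, request_auth, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            None: "bad-authenticator"}.get(code, f"code-{code}")


if __name__ == "__main__":
    # Placeholder values: the secondary PSN's address, the shared secret that
    # ISE holds for this probe's source IP, and a dedicated test account.
    print(probe_psn("192.0.2.20", b"placeholder-secret", b"failover-test", b"placeholder-pw"))
```

Run it against the secondary PSN before and after the primary is taken down: "accept" for the test account proves that node is authenticating on its own, "timeout" means the request never reached a listening RADIUS service (or the probe is not a configured NAD), and "bad-authenticator" means the reply was not built with the expected shared secret.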

M02@rt37
VIP

Hello @CCC3,

Configure your ISE nodes to send logs to an external syslog server.

Both the primary and secondary ISE nodes should be configured to send logs to the same external syslog server.

This way, even if the live logs within the ISE interface are not directly accessible during the failover, you can still observe and analyze the authentication events and failover-related logs on the external syslog server. The syslog server acts as a central repository for logs, allowing you to monitor and review events during the failover process.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
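To make the syslog approach in the reply above concrete, here is an added example (not code from the thread or from Cisco) of the collector side: a parser for RFC 3164-style lines, a tally of events per sending ISE node, and a summary that tells whether the secondary node handled authentications while the primary was down. The sample lines are constructed for this example, and the `CISE_Passed_Authentications` / `CISE_Failed_Attempts` markers in `CLASSES` are assumed category names; adjust them to what your syslog server actually receives. `serve` is a minimal UDP listener you can point the nodes at; the summary itself runs offline on the samples.

```python
import re
import socket
from collections import Counter

# RFC 3164-style line: "<pri>Mon dd hh:mm:ss host message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Markers that identify passed/failed authentications in the message body.
# Assumed names for this example; match them to your collector's copy of the logs.
CLASSES = {
    "passed": "CISE_Passed_Authentications",
    "failed": "CISE_Failed_Attempts",
}

# Constructed sample lines: three events from each node plus one junk line.
# Facility 22 (local6) and severity 6 (info) give <182>.
SAMPLE_LINES = [
    "<182>Oct 12 10:01:05 ise-psn-1 CISE_Passed_Authentications 0000000101 1 0 UserName=alice, NAS-IP-Address=10.0.0.5",
    "<182>Oct 12 10:01:09 ise-psn-1 CISE_Failed_Attempts 0000000102 1 0 UserName=bob, FailureReason=22056",
    "<182>Oct 12 10:01:15 ise-psn-1 CISE_Passed_Authentications 0000000103 1 0 UserName=carol, NAS-IP-Address=10.0.0.5",
    "<182>Oct 12 10:05:02 ise-psn-2 CISE_Passed_Authentications 0000000201 1 0 UserName=alice, NAS-IP-Address=10.0.0.5",
    "<182>Oct 12 10:05:07 ise-psn-2 CISE_Failed_Attempts 0000000202 1 0 UserName=bob, FailureReason=22056",
    "<182>Oct 12 10:05:11 ise-psn-2 CISE_Passed_Authentications 0000000203 1 0 UserName=dave, NAS-IP-Address=10.0.0.6",
    "garbage that is not a syslog line",
]


def parse_syslog_line(line):
    """Split one line into facility, severity, sending host and message, or None."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"], "message": m["msg"]}


def tally_by_node(lines, classes=CLASSES):
    """host -> Counter with 'total' and one key per class; junk goes under '<unparsed>'."""
    counts = {}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            counts.setdefault("<unparsed>", Counter())["total"] += 1
            continue
        c = counts.setdefault(rec["host"], Counter())
        c["total"] += 1
        for label, marker in classes.items():
            if marker in rec["message"]:
                c[label] += 1
    return counts


def failover_summary(counts, primary, secondary):
    """Report which node emitted authentication events during the test window."""
    p = counts.get(primary, Counter())
    s = counts.get(secondary, Counter())
    return {
        "primary_events": p["total"],
        "secondary_events": s["total"],
        "secondary_passed": s["passed"],
        "secondary_failed": s["failed"],
        "secondary_took_over": s["passed"] > 0,
    }


def serve(port=514, handler=lambda text, src: print(src, text)):
    """Minimal UDP syslog receiver; call handler(text, source_ip) per datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (src, _port) = sock.recvfrom(65535)
            handler(data.decode("utf-8", "replace"), src)


if __name__ == "__main__":
    counts = tally_by_node(SAMPLE_LINES)
    print(failover_summary(counts, "ise-psn-1", "ise-psn-2"))
```

In a real test, collect the lines for the window in which the primary was down and run `failover_summary` over them; a non-zero `secondary_passed` with zero `primary_events` in that window is the evidence the original question asks for, and the per-node failed counts show whether the secondary rejected anything it should have accepted.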

It is not possible to set up an external syslog server because the customer plans to install it next year.