Cisco ISE2.1. How exactly failover works between two branches of ISE distributed deployment?

sagar.pradeep
Level 1

Hi,

How exactly does failover work between two branches of an ISE distributed deployment?

I have a requirement in ISE distributed deployment between two branches of an organization:

What I want to achieve is: failover between Branch Office1 in India and Branch Office2 in USA.

Branch1 users connect through a local switch to IND-ISE, and Branch2 users connect through a local switch to US-ISE.

I have imported the certificate from Branch2 and installed it in Branch1. Now I have made Branch1 the primary and Branch2 the secondary node under the deployment option.

My requirement is: if the US-ISE node fails in Branch2, all the users should fall back to the IND-ISE node in Branch1 so that the users in Branch2 can still have authenticated access, with the respective authorization policies applied based on the roles defined.

A few documents say ISE has three node types in general: Admin node, Monitoring node and PSN node. However, while installing ISE we don't install them separately and we do not assign individual IP addresses to these 3 nodes. Can someone give more clarity on this?

Accepted Solution

Timothy Abbott
Cisco Employee

Hi Pradeep,

You can find more information about ISE personas (node types) here and more information about how failover works for the admin node here. The administration guide has a lot of good information about setting up ISE in a distributed deployment.

Regards,

-Tim


6 Replies


Hi Tim,

Thanks for the response. I did refer to these docs before posting my question. They didn't answer the specific scenario in my question.

Thanks again,

Pradeep

Pradeep,

A distributed deployment has a minimum of 4 nodes:

2x Admin+MnT (each one physical server or VM)

2x PSN (each one physical server or VM)

From an authentication perspective, the PSNs can fail over and back in a number of ways: either behind a load balancer or configured as primary and secondary RADIUS servers on the switch. Please see the section "Small Network Deployments" starting on page 5 of the document below:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGui…

Regards,

-Tim

Hi Tim,

I have a similar question. In my environment, I have an F5 LB for PSN traffic. When we tested PSN authentication traffic failover, there were 2 issues we are trying to understand:

1) When the failure happened, all traffic was sent to the 2nd RADIUS server configured on the switch, which is correct. But after the 1st server recovered from the failure, the switch still kept sending authentication to the 2nd RADIUS server. Do you know why the switch still uses the 2nd server instead of falling back to the 1st one?

2) When we shut down 1 PSN behind the F5, the switch seems to think the whole PSN group is down and shifts to the 2nd RADIUS server IP configured on the switch. Is this normal?

Hi,

Craig has some really great content on that subject and I think it will help you out. Check out our ISE Load Balancing content here: ISE Load Balancing

Regards,

-Tim

Thanks, Tim.

I will take a look.

Also, I think the answer to my Q1 is that the feature "radius-server retry method reorder" needs to be disabled.
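As an added example (not from this thread, not Cisco code, and not a switch configuration), the following Python model illustrates the two PSN failover behaviours discussed above: a switch configured with primary and secondary RADIUS servers, as in Tim's reply, and the difference between the default ordered retry and a "reorder" retry method that keeps sending to the last server that answered, which is the sticky behaviour described in Q1. The server names, the deadtime value, the simulated clock and the exact reorder semantics are assumptions of this model, chosen to make the observed behaviour reproducible offline.

```python
"""Model of how a NAS (switch) chooses a RADIUS server from an ordered list.

Added example; simplified model, not vendor code. Assumed semantics:
- default: every request starts at the top of the list, skipping servers
  still inside their deadtime window
- reorder: the server that last answered becomes the first one tried, so
  the NAS stays on the secondary even after the primary is healthy again
- deadtime: a server that failed to answer is skipped for `deadtime`
  seconds of simulated time, then tried again
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    alive: bool = True          # whether the server would answer right now
    dead_until: float = -1.0    # simulated time until which the NAS skips it


class NasRadiusClient:
    def __init__(self, servers: List[RadiusServer], deadtime: float = 10.0,
                 reorder: bool = False) -> None:
        self.servers = list(servers)
        self.deadtime = deadtime
        self.reorder = reorder
        self.preferred = 0      # index tried first; only moves when reorder=True
        self.now = 0.0          # simulated clock, seconds

    def tick(self, seconds: float) -> None:
        self.now += seconds

    def _candidates(self) -> List[int]:
        order = list(range(len(self.servers)))
        if self.reorder:
            # rotate so the last responding server is tried first
            order = order[self.preferred:] + order[:self.preferred]
        return order

    def authenticate(self, user: str) -> Tuple[Optional[str], bool]:
        """Return (server_name, accepted); (None, False) if every server failed."""
        for idx in self._candidates():
            srv = self.servers[idx]
            if srv.dead_until > self.now:
                continue                        # inside deadtime: do not even try
            if srv.alive:
                if self.reorder:
                    self.preferred = idx        # stick with whoever answered
                return srv.name, True
            srv.dead_until = self.now + self.deadtime   # timed out: mark dead
        return None, False


def run_scenario(reorder: bool) -> List[str]:
    """Constructed scenario: primary fails, recovers, deadtime expires.

    Returns the server used for each of four authentication attempts.
    """
    primary, secondary = RadiusServer("psn-1"), RadiusServer("psn-2")
    nas = NasRadiusClient([primary, secondary], deadtime=10.0, reorder=reorder)
    used = []
    used.append(nas.authenticate("alice")[0])   # t=0: both up, primary answers
    primary.alive = False                       # primary PSN goes down
    nas.tick(1)
    used.append(nas.authenticate("alice")[0])   # primary times out, secondary answers
    primary.alive = True                        # primary recovers
    nas.tick(5)                                 # t=6: still inside deadtime
    used.append(nas.authenticate("alice")[0])
    nas.tick(10)                                # t=16: deadtime has expired
    used.append(nas.authenticate("alice")[0])
    return [name for name in used if name is not None]


if __name__ == "__main__":
    print("default :", run_scenario(reorder=False))   # returns to psn-1 after deadtime
    print("reorder :", run_scenario(reorder=True))    # stays on psn-2
```

In the default mode the NAS returns to the primary as soon as its deadtime expires; with the reorder behaviour it keeps using the secondary indefinitely, which is the symptom in Q1. When checking a real switch, the things to compare against this model are the configured deadtime, the dead-criteria, and whether the reorder retry method is enabled.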
