ISE Health Check Node queries?

shivaprasad
Cisco Employee

Hello Experts,

We have a few questions on the ISE Health Check Node.

Can we have an ISE health check node in a node group for redundancy? Or how can we achieve redundancy for Health Check Nodes?

If we have only 1 health check node, does it monitor both the primary and secondary PAN?

Is it better to use both a Primary and a Secondary Health Check Node for a Standalone deployment?

Is there any future development to build the health check into the PAN nodes, to avoid having an extra node for redundancy in the case of a Standalone Deployment?


Thanks

Shivaprasad Gudsi

Accepted Solutions

Craig Hyps
Level 10

Yes, the health check node can be in a node group, but it does not share responsibility with another, so there is no auto-failover for this function. Note that failure of the health check node can be remediated by selecting a new node in the PAN FO config. For this to be an issue would entail a double point of failure in the PAN HA as well as the separate check node. Making this function redundant would entail an enhancement request.

The same node could be configured to monitor both, but typically you would have one node per DC monitor the local PAN. This is to avoid cases where an inter-DC outage would result in split brain operation. For example, if a health check node is monitoring a PAN at another DC, it would not be able to distinguish node failure from WAN failure.

Yes, it is recommended to have separate health check nodes for the primary and secondary PAN, but there is no option for health check nodes in a standalone deployment. The check/monitor node must not be the same node being monitored, and we do not support PANs self-monitoring each other due to split brain potential.

Please work with your account team for enhancement and roadmap requests.

/Craig
