
ISE in Standalone deployment with automatic failover

kkvitovs
Cisco Employee

Hello team,

Could you advise if we support the following design: Node 1: PAN+MNT+PSN, Node 2: PAN+MNT+PSN, and Node 3: Health Check node for automatic failover?

"Cisco ISE supports manual and automatic failover. With automatic failover, when the Primary PAN goes down, an automatic promotion of the Secondary PAN is initiated. Automatic failover requires a non-administration secondary node, which is called a health check node. The health check node checks the health of Primary PAN. If the health detects that the Primary PAN is down or unreachable, the health check node initiates the promotion of the Secondary PAN to take over the primary role."
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_011.html#ID59

But is it supported for a Standalone (all personas running on the same appliance or VM) deployment, where we need the automatic failover?

Accepted Solutions

Damien Miller
VIP Alumni
It's not a tested deployment model as you already pointed out. I have used it in the lab without issue, but labs are not production.

If node 3 is not handling any authentication, and you were to open a TAC case, it would be easy enough to deregister it. I've found TAC typically wants you to conform to the stated supported parameters when troubleshooting advanced issues.

I don't usually leverage automated failover in two-node deployments; I prefer to control this manually so the process doesn't prompt the only remaining good PSN to reload when you need it up for authentication.


2 Replies

Colby LeMaire
VIP Alumni

I don't see why that design would not be supported. Technically, it isn't a standalone deployment once you add the third node, which would have to be a PSN.
