Cisco Employee

ISE in Standalone deployment with automatic failover

Hello team,

Could you advise if we support the following design: Node 1: PAN+MNT+PSN, Node 2: PAN+MNT+PSN, and Node 3: Health Check node for automatic failover?

"Cisco ISE supports manual and automatic failover. With automatic failover, when the Primary PAN goes down, an automatic promotion of the Secondary PAN is initiated. Automatic failover requires a non-administration secondary node, which is called a health check node. The health check node checks the health of Primary PAN. If the health detects that the Primary PAN is down or unreachable, the health check node initiates the promotion of the Secondary PAN to take over the primary role."
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_011.html#ID59

But is it supported for a Standalone (all personas running on the same appliance or VM) deployment, where we need the automatic failover?


Accepted Solutions
VIP Advocate

Re: ISE in Standalone deployment with automatic failover

It's not a tested deployment model as you already pointed out. I have used it in the lab without issue, but labs are not production.

If node 3 is not handling any authentication, and you were to open a TAC case, it would be easy enough to deregister it. I've found TAC typically wants you to conform to the stated supported parameters when troubleshooting advanced issues.

I don't usually leverage automated failover in two-node deployments; I prefer to control this manually so the process doesn't prompt the only remaining good PSN to reload when you need it up for authentication.
2 REPLIES
Beginner

Re: ISE in Standalone deployment with automatic failover

I don't see why that design would not be supported. Technically, it isn't a standalone deployment once you add the third node, which would have to be a PSN.
