Trustsec + ISE Down?

Hi there,

What happens to a TrustSec environment when all ISE servers are down?

Will traffic still be forwarded? When will it stop working?

Thanks.

Cisco Employee

Re: Trustsec + ISE Down?

The environment data is cached on the NAD so the enforcement should work still.

Re: Trustsec + ISE Down?

Hi Hslay,

As far as I remember that cache has a lifetime of typically 24 hours.

Will traffic stop flowing after the cache expires and ISE is down?

Thanks

Cisco Employee

Re: Trustsec + ISE Down?

If you have a whole ISE outage, aren't there other things to worry about? AAA not working? They would go into critical auth on wired, and wireless dot1x wouldn't work.

Re: Trustsec + ISE Down?

I'm not using ISE for AAA. Another software is classifying the devices and sending the tag info to the NADs.

I'm just using ISE to manage the TrustSec infrastructure (SGACLs, Matrix, etc), and only have one ISE (Express Bundle) per site.

Cisco Employee

Re: Trustsec + ISE Down?

Ricardo, as Hsing pointed out, we could increase the timers to weeks/years so that the network devices won't request the new policy even though ISE is down.

One more option is to configure static SGACLs on the switches, but that would require a lot of manual effort. When ISE is unavailable, the static SGACLs would be used by the NADs for enforcement. As soon as ISE is up, the dynamic SGACL policies from ISE would take precedence.
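As an added illustration of the static SGACL fallback described in this reply (this is not configuration from the thread or from Cisco documentation for this case): a locally defined role-based ACL bound to a source/destination SGT pair on a Catalyst switch, plus the show and refresh commands used to verify what is enforced. The SGT values 10 and 20 and the ACL name SGACL_STATIC_WEB are constructed for the example.

```ios
! Constructed example: static SGACL that survives an ISE outage
! Role-based ACLs carry no IP addresses; the SGT pair selects the policy
ip access-list role-based SGACL_STATIC_WEB
 permit tcp dst eq 443
 permit icmp
 deny ip
!
! Bind the ACL to the (source SGT 10 -> destination SGT 20) cell locally
cts role-based permissions from 10 to 20 ipv4 SGACL_STATIC_WEB
!
! Enforcement must be enabled for any SGACL (static or downloaded) to apply
cts role-based enforcement
!
! Verification: shows which permissions are active and their origin
show cts role-based permissions
show cts environment-data
!
! When ISE is reachable again, pull the dynamic policy on demand
! instead of waiting for the cached policy timer to expire
cts refresh policy
```

The thread states that dynamic policy from ISE takes precedence once ISE is back, so compare the output of `show cts role-based permissions` before and after `cts refresh policy` to confirm which policy is active for each SGT pair.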

Re: Trustsec + ISE Down?

Thanks for your answer.

If I have a huge cache lifetime, can ISE push new configurations on demand, or will I have to wait for the cache to expire and/or do a manual download at the switch?

Cisco Employee

Re: Trustsec + ISE Down?

It can always push new configuration on demand. That has nothing to do with timers/cache.

Beginner

Re: Trustsec + ISE Down?

Is it possible to keep the downloaded SGACL and TrustSec environment data after ISE goes down or the policy expires?

Because I still want to keep the SGACL enforcement function working after Cisco ISE goes down or the policy expires, even though no new users can be authenticated.