Re: Automatic PAN failover not enabled in ISE 3.1

isp3799 · ‎09-03-2022

hello.

This is an issue found during ISE 3.1 testing.

ISE 3.1 primary and secondary nodes are connected.

After shutting down ISE 3.1 Primary for failover testing, I tried tacacs+ authentication on the switch, but it was not possible.

So, when I logged in to ISE 3.1 Secondary and checked, the administrator setting was not possible.

I thought that when ISE 3.1 Primary is terminated, the setting rights or services that can be done in the Primary automatically transfer to the Secondary, but it was not.

When I looked for the settings, there was an Automatic PAN Failover setting, so I tried to activate it, but the checkbox was not checked.

Perhaps there is a problem with the configuration?
Or is there more work to be done?

Damien Miller · ‎09-03-2022

Automatic PAN failover is disabled by default on all versions. In order to enable it you need at least three nodes in the deployment.

I typically leave it disabled because I want to triage the issue that caused the PAN to go offline/fail. If you enable automatic PAN failover you have to understand that it will automatically reload the secondary PAN node in order to bring it up as the replacement primary. In small ISE deployments, if the network devices are not configured correctly with all three nodes, then you can have an authentication outage during the time that both PANs are offline.

Arne Bier · ‎09-04-2022

@isp3799 - what you're experiencing is the normal behaviour of ISE. Primary Admin Node (the one you log into and operate ISE) will sync its data to the Standby Admin Node. But. You cannot use the Standby Admin Node until you promote it to Primary. If the Primary Admin Node fails, then the Standby must be promoted. As Damien said, the automatic promotion is not commonly used and should be left disabled. Log into the Standby and then click the Promote button under Admin > Deployment. And then wait a while for the promotion to happen. It's slow. hence why we don't leave the auto promotion enabled. Sometimes the Primary recovers faster than the promotion!

isp3799 · ‎09-04-2022

Is it not possible to configure failover with 2 nodes?
For example, I wonder if it is possible to configure failover with one PAN node and one PSN node.

And how do you configure PSN node configuration settings?
I don't know how to configure persona as policy service rather than administration.

I'd appreciate it if you could tell me how.

Damien Miller · ‎09-04-2022

No, automatic PAN failover requires at least three nodes in the deployment, you can't enable the feature with less.

As for defining a specific role that a node will operate in, you do this from the Administration > Deployment page. You either register the node and select the role you want it to perform, or after the node is joined you click on the node name and it allows you to select via checkboxes which role the node will perform.

I do not recommend having a single admin node in any deployment. If you have two nodes you should run Admin, Monitoring, and Policy Services on both. A two node deployment is designed to operate with all three roles running on both.