CISCO ISE 2.4 Failover and Posture

Hi

We have Cisco ISE 2.4 deployed in Primary/Secondary mode. Currently we are doing the AnyConnect VPN posture check via the primary node. As per the distributed deployment guide, ISE failover will support posture check, but we have defined only the primary ISE server IP address in the posture agent configuration.

Please advise how we should do the configuration so that posture services continue to work in case the primary server goes down.


Re: CISCO ISE 2.4 Failover and Posture

I believe the "Call Home List" is where you enter each ISE server's FQDN for connecting to. The 'Discovery Host' is used for the discovery probes; entering one here is optional, since the posture agent by default sends discovery probes to the default gateway and enroll.cisco.com.

That being said, I have a similar setup, but failure for posture isn't working, i.e. when my primary ISE node is down the posture scan is failing. Curious if anyone has any additional requirements for this to work.

Cisco Employee

Re: CISCO ISE 2.4 Failover and Posture

If you're specifying the ISE FQDN in the Server Name Rules instead of all (*), you would also need to include the secondary node FQDN.

See the following TechNote for details on the Posture flow and suggested troubleshooting. There are a lot of variables with Posture so, if all else fails, you may need to open a TAC case to investigate further.

ISE Posture Style Comparison for Pre and Post 2.2

Cheers,

Greg
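
The two replies above, turned into a pre-failover check (an added example, not part of the original thread and not Cisco tooling): it reports every ISE node that the posture profile's Server Name Rules or Call Home List would not cover. It assumes both fields are comma-separated, that rules may contain `*` wildcards, and that Call Home entries may carry a `:port` suffix; the node names are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample deployment: one primary and one secondary node.
NODES = ["ise-pri.example.test", "ise-sec.example.test"]


def split_list(value):
    """Split a comma-separated profile field into trimmed, lower-cased entries."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def host_of(entry):
    """Drop an optional :port suffix from a Call Home List entry (assumed format)."""
    return entry.rsplit(":", 1)[0] if ":" in entry else entry


def failover_gaps(node_fqdns, server_name_rules, call_home_list):
    """Return {node: [problems]} for nodes the agent could not fail over to.

    A node is flagged when no Server Name Rule matches its FQDN, or when it
    is absent from the Call Home List. An empty dict means every node is covered.
    """
    rules = split_list(server_name_rules)
    call_home = {host_of(e) for e in split_list(call_home_list)}
    gaps = {}
    for node in (n.strip().lower() for n in node_fqdns):
        problems = []
        if not any(fnmatchcase(node, rule) for rule in rules):
            problems.append("not matched by Server Name Rules")
        if node not in call_home:
            problems.append("missing from Call Home List")
        if problems:
            gaps[node] = problems
    return gaps


if __name__ == "__main__":
    # Profile that names only the primary node, as in the original question.
    for node, problems in failover_gaps(
        NODES, "ise-pri.example.test", "ise-pri.example.test:8443"
    ).items():
        print(f"{node}: {', '.join(problems)}")
```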