CISCO ISE 2.4 Failover and Posture

rashish135@yahoo.co.in · ‎02-25-2020

Hi

We have Cisco ISE 2.4 deployed in Primary/Secondary mode. Currently we are doing AnyConnect VPN posture check via primary node. As per distributed deployment guide, ISE failover will support posture check, but we have define only primary ISE server ip address for posture agent configuration.

Please advise how we should do the configuration, so that in posture services continue work in case primary server goes down.

dlucas · ‎02-26-2020

I believe the "Call Home List" is where you enter each ISE server's FQDN for connecting to - the 'Discovery Host' is used for the discovery probes, which is optional to enter one here since the posture agent by default sends discovery probes to the default gateway and enroll.cisco.com.

That being said I have a similar set up, but failure for posture isn't working - i.e. when my primary ISE node is down posture scan is failing. Curious if anyone has any additional requirements for this to work.

Greg Gibbs · ‎02-26-2020

If you're specifying the ISE FQDN in the Server Name Rules instead of all (*) you would also need to include the secondary node FQDN.

See the following TechNote for details on the Posture flow and suggested troubleshooting. There are a lot of variables with Posture so, if all else fails, you may need to open a TAC case to investigate further.

ISE Posture Style Comparison for Pre and Post 2.2

Cheers,

Greg