Re: Cisco ISE distributed MNT

Craigpaolozzi · ‎10-24-2021

Hello All,

Here is our deployment, DC1 has a PAN and 2 PSN nodes. DC2 also has a PAN and 2 PSN nodes. Both the PAN nodes also hold the MNT roles. We are on ISE 2.7 with patch 5.

We are having issues with logging, when the primary PAN fails over, viewing logs either doesn't work or takes an incredibly long time.

I'm reading conflicting information about which node should hold the primary and secondary MNT roles. Currently the primary PAN node also holds the primary MNT node and secondary PAN holds the secondary MNT node. Is this correct? Or should it be the other way around?

Thanks

Marcelo Morais · ‎10-24-2021

Hi @Craigpaolozzi ,

when you said: "... We are having issues with logging, when the primary PAN fails over, viewing logs either doesn't work or takes an incredibly long time...", please take a look at ISE Admin Guide 2.7:

"... The Operations menu can be viewed only from the Primary PAN..."

"... Both the Primary and Secondary MnT Nodes collect log messages. If the Primary MnT goes down, the Primary PAN points to the Secondary Node to gather monitoring data...".

Hope this helps !!!

Craigpaolozzi · ‎10-25-2021

I understand the concept but it's unclear which way around the MNT roles should be set.

Marcelo Morais · ‎10-25-2021

Hi @Craigpaolozzi ,

I prefer the Primary/Secondary and Secondary/Primary approach for PAN/MnT.

Regards.