Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
282
Views
3
Helpful
5
Replies

Cisco ISE failover test

Go to solution
M Talha
Level 1
Level 1

‎04-09-2025 11:13 PM

Hi Community members,

I have to test failover between ppan and span. what should be the process to test failover ? I have distributed deployment where both ppan and span are in different data centers.

Regards,

MT

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎04-10-2025 03:07 PM

ISE Admin Node failover happens when you promote the current Standby node to Primary. You can't demote the current Primary.

Browse to the Secondary Admin node and click the Promote button.

At that point, both your Admin nodes will be out of service for a while. The old Primary is restarting and becoming Secondary, and the old Secondary is restarting services to become the new Primary.

If you have MNT and PSN nodes in the network, those will be unaffected during this time. You just won't have any admin GUI to monitor or make any changes.

The other small caveat during this promotion stage, is that Guest account creations won't work - you Guest Portals (running on PSN) will display and allow login etc. - but Sponsor portal won't create new accounts because you need a Primary Admin node to be fully operational to store the data in the master database.

View solution in original post

5 Replies 5

Go to solution
Arne Bier
VIP
VIP

‎04-10-2025 03:07 PM

ISE Admin Node failover happens when you promote the current Standby node to Primary. You can't demote the current Primary.

Browse to the Secondary Admin node and click the Promote button.

At that point, both your Admin nodes will be out of service for a while. The old Primary is restarting and becoming Secondary, and the old Secondary is restarting services to become the new Primary.

If you have MNT and PSN nodes in the network, those will be unaffected during this time. You just won't have any admin GUI to monitor or make any changes.

The other small caveat during this promotion stage, is that Guest account creations won't work - you Guest Portals (running on PSN) will display and allow login etc. - but Sponsor portal won't create new accounts because you need a Primary Admin node to be fully operational to store the data in the master database.

Go to solution
M Talha
Level 1
Level 1
In response to Arne Bier

‎04-13-2025 11:53 PM

Thanks a lot @Arne Bier for the brief explanation. I have able to test failover successfully without any issues.

Regards,

MT

0 Helpful

Go to solution
kailandrew60
Level 1
Level 1

‎04-12-2025 04:28 AM - edited ‎04-15-2025 11:46 AM

To test failover between PPAN and SPAN in a distributed deployment, start by simulating a failure on the PPAN, such as shutting it down or disconnecting it from the network. Observe whether the SPAN automatically takes over operations without service disruption. Monitor system logs, alerts, and overall behavior to ensure a smooth transition. Once verified, bring the PPAN back online and check that it properly re-syncs with the SPAN and resumes its role without issues.
A2game

Go to solution
Marcelo Morais
VIP
VIP

‎04-12-2025 07:15 AM

Hi @M Talha ,

1st the basics ... ISE supports automatic failover for the Administration Persona, but:

  • it is disabled by default
  • does not support automatic fallback to the original Primary PAN
  • requires at least 3x Nodes (2x assuming the Administration Persona and 1x the nonAdministration Persona)

2nd before testing failover between PPAN and SPAN, please take a look at: Cisco ISE Administrator Guide, Release 3.4 - Deployment of Cisco ISE, search for:

  • Support for Automatic Failover for the Administration Node
  • High Availability for Administrative Node
  • High-Availability Health Check Nodes
  • Automatic Failover to the Secondary PAN
  • Sample Scenarios when Automatic Failover is Avoided
  • Functionalities Affected by the PAN Automatic Failover Feature
  • Configure Primary PAN for Automatic Failover

3rd testing failover ...

If your Deployment doesn't have automatic failover, please take a look of what @Arne Bier said earlier

If your Deployment have automatic failover, please take a look of what @M Talha  said earlier

 

Hope this helps !!!

 

0 Helpful

Go to solution
Saeed Abd Elhalim Hamada
Spotlight
Spotlight

‎04-14-2025 10:23 AM

it depend you enable automatic failover or not , if you enable it you can go the the PPAN and stop all service  from CLI (application stop ISE ) and after while the failover should be triggered , if you not enable it then you need to make it manually be go the the SPAN and promote it to Primary  

0 Helpful
Customers Also Viewed These Support Documents