Cisco ISE HA behavior if both nodes lost connection to each other?

jj2048 (Level 1)

Full Question:

What is the behavior of Cisco ISE in HA when both nodes lose connectivity with each other but both nodes are still up?


Scenario:

Let's say that Cisco ISE standalone nodes are installed on two sites, A and B. Suddenly the connection between A (ISE-A) and B (ISE-B) is cut off, but both nodes are still up.

1. What is the expected behavior when this occurs?

-Will ISE services such as tacacs/radius both work with respect to each site?

-Will we be unable to monitor (radius/tacacs live logs) the authentications on Site B (ISE-B) only or both sites? (Refer to Assumption 1)

 

Assumptions

1. ISE-A (Primary Admin, Secondary MnT, PSN Active)

2. ISE-B (Secondary Admin, Primary MnT, PSN Active)

3. Site A Network Devices are radius/tacacs pointed to ISE-A as primary and ISE-B as secondary

4. Site B Network Devices are radius/tacacs pointed to ISE-B as primary and ISE-A as secondary

5. Site A and B both have dedicated AD/DNS servers, and are still reachable on both ISE.

 

I appreciate any feedback or additional comments.

1 Accepted Solution

Accepted Solutions

Hi @jj2048 ,

1st:

PSN will work even if PAN (Primary and/or Secondary) is down !!!

Note: special attention for the following bug: CSCvu62938 Posture fails when primary PSN/PAN are unreachable.

2nd:

All PSNs will send their logging data to the MnT Node as Syslog Messages (UDP port 20514).

When there are two MnT Nodes, all ISE Nodes send their audit data to both MnT Nodes at the same time.
Upon an MnT failure, all Nodes continue to send logs to the remaining MnT Node. Therefore, no logs are lost. The PAN retrieves ALL log and report data from the remaining MnT Node, so there is no administrative function loss, either. However, the log database is not synchronized between the Primary and Secondary MnT Nodes. Therefore, when the MnT Node returns to service, a backup and restore of the MnT Node is required to keep the two MnT Nodes in complete sync.

3rd:

Automatic Failover (to promote the Secondary PAN to Primary PAN) requires a Non-Administration Secondary Node, called a Health Check Node. This Node checks the health of the Primary PAN. If the health check detects that the Primary PAN is down or unreachable, the Health Check Node initiates the promotion of the Secondary PAN to take over the primary role. To deploy the Automatic Failover feature, you MUST have at least three Nodes.

Hope this helps !!!

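To make the accepted answer's three points concrete for the exact two-node layout in the question, here is a small Python model of that deployment under a site-to-site link cut. It is an added example written for this thread, not Cisco code or an ISE API; node names, roles and the NAD server ordering come from the question's assumptions, the UDP 20514 syslog port and the "three nodes for automatic failover" rule come from the reply, and the reachability logic is a deliberate simplification (a site always reaches itself, cross-site traffic depends on one WAN link, and the PAN can only show Live Log events that landed on an MnT it can reach).

```python
"""Two-node ISE deployment from the question, modelled under a WAN partition.

Added example for this thread; not Cisco tooling. Roles follow the question's
assumptions 1-4, behaviour follows the accepted reply's three points.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Node:
    name: str
    site: str
    admin: str   # "primary" or "secondary" PAN role
    mnt: str     # "primary" or "secondary" MnT role
    psn: bool    # runs Policy Service (RADIUS/TACACS+)


# Constructed from assumptions 1 and 2 in the question
ISE_A = Node("ISE-A", "A", admin="primary", mnt="secondary", psn=True)
ISE_B = Node("ISE-B", "B", admin="secondary", mnt="primary", psn=True)
NODES: Dict[str, Node] = {n.name: n for n in (ISE_A, ISE_B)}

# Assumptions 3 and 4: each site's NADs list the local node first
NAD_SERVER_ORDER: Dict[str, List[str]] = {"A": ["ISE-A", "ISE-B"], "B": ["ISE-B", "ISE-A"]}

MNT_SYSLOG_PORT = 20514  # UDP, as stated in the reply


def reachable(src_site: str, dst_site: str, link_up: bool) -> bool:
    """Simplification: same site is always reachable; cross-site needs the WAN link."""
    return src_site == dst_site or link_up


def aaa_server_for(site: str, link_up: bool, nodes_up: Optional[Set[str]] = None) -> Optional[str]:
    """First PSN in the site's NAD server list that is up and reachable (reply point 1:
    PSN service does not depend on the PAN being reachable)."""
    up = set(NODES) if nodes_up is None else nodes_up
    for name in NAD_SERVER_ORDER[site]:
        node = NODES[name]
        if name in up and node.psn and reachable(site, node.site, link_up):
            return name
    return None


def mnt_targets(psn_name: str, link_up: bool) -> List[str]:
    """Every MnT node this PSN can currently deliver its UDP/20514 syslog to
    (reply point 2: PSNs send to both MnTs, so each reachable one gets a copy)."""
    psn = NODES[psn_name]
    return [n.name for n in NODES.values() if reachable(psn.site, n.site, link_up)]


def live_log_visible_on_pan(link_up: bool) -> Dict[str, bool]:
    """Which PSNs' authentications the Primary PAN can show in Live Logs.
    An event is visible only if some MnT the PAN can reach also received
    that PSN's syslog; with the link cut, ISE-B's events stay on ISE-B."""
    pan = next(n for n in NODES.values() if n.admin == "primary")
    pan_mnts = {n.name for n in NODES.values() if reachable(pan.site, n.site, link_up)}
    return {name: bool(set(mnt_targets(name, link_up)) & pan_mnts)
            for name, node in NODES.items() if node.psn}


def automatic_failover_possible() -> bool:
    """Reply point 3: automatic PAN failover needs a separate Health Check Node,
    so a two-node deployment cannot auto-promote the Secondary PAN."""
    return len(NODES) >= 3


def partition_report(link_up: bool) -> dict:
    """Summary of the deployment's behaviour for one link state."""
    return {
        "aaa_server": {s: aaa_server_for(s, link_up) for s in NAD_SERVER_ORDER},
        "mnt_targets": {p: mnt_targets(p, link_up) for p in NODES},
        "live_log_on_pan": live_log_visible_on_pan(link_up),
        "auto_failover": automatic_failover_possible(),
    }


if __name__ == "__main__":
    for state in (True, False):
        print("link up " if state else "link cut", partition_report(state))
```

Running it with the link cut shows both sites still authenticating against their local PSN, ISE-B's syslog reaching only ISE-B's MnT, Live Logs on the PAN (ISE-A) covering only ISE-A's authentications, and no automatic PAN failover because there is no third node to act as Health Check Node. The `nodes_up` parameter lets you also model a node outage rather than a link cut.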

2 Replies


Hi, @Marcelo Morais 

 

This helps a lot! Very informative and made me understand it better.

 

Thank you!