
Cisco ISE nodes located at a dedicated DC lose internet connection

Da ICS16
Level 1

Dear Community,

There are 3 ISE nodes in the deployment.

Node 1 (Secondary node) is located at DC Primary.

Node 2 (PAN) and Node 3 (pxGrid node) are located at DC Secondary.

Test scenario: we would like to test DC Secondary losing its internet connection / connectivity being cut off.

Before the activity we would be ready for the prerequisite stage.

1. Remote in to the pxGrid node to stop services (application stop ise)?

2. Promote Node 2 to Primary Admin Node?

Kindly advise how to be well prepared before the activity.

When the DC2 secondary connection is back:

1. What do we need to do, step by step?

Kindly share good practice to ensure all ISE node services are running and do not corrupt / crash the ISE database. ISE 3.1 P6

Thanks,

1 Reply

Arne Bier
VIP

Hello @Da ICS16 

You essentially have 3 ISE nodes in your deployment - each one of these nodes is technically capable of playing all the roles/personas that the product offers.  You mentioned

Node 1 (Secondary node) is located at DC Primary.

Node 2 (PAN) and Node 3 (pxGrid node) are located at DC Secondary.

You didn't mention which nodes are running the Services (RADIUS/TACACS/Portal)?

A three-node setup is uncommon. It's more common to find two-node setups, where each node runs all personas.

Here is how I would set things up

Primary DC

Node 1: Primary PAN / Secondary MNT / pxGrid / Services

Secondary DC

Node 2: Secondary PAN / Primary MNT / pxGrid / Services

(optional) Node 3: Services (why do you even have this third node??)

pxGrid has no concept of a user-defined Primary/Secondary setting (ISE selects this by itself) and therefore you cannot promote a pxGrid node, nor is it required to do so. You should just ensure you have pxGrid enabled on two nodes in your deployment. That's it. When one of them dies, the other one does the work because the PAN will see it as the last remaining pxGrid node.

If you disconnect DC 2 from the ISE nodes in DC1, then the following will happen

Node 1 will still be the Primary active PAN, and the Monitoring role will need to be set to Primary (I don't recall ISE promoting the Monitoring Role automatically). Since you have enabled pxGrid on that node, it will work there. And all your services will still be running (RADIUS/TACACS/Portals). Your network devices (switches/routers/WLC etc) can use Node 1 or Node 2 (as long as they can reach these ISE nodes). I guess if you killed off DC2 comms, then network devices might not necessarily be able to talk to Node 2.  But nothing changes on Node 2 - it continues running as it did before.  Node 1 will complain that it has lost sync to Node 2.

There is no additional license cost to enable pxGrid on another ISE node.

Enabling TACACS is licensed per node - be careful.

Enabling RADIUS and Portals on nodes also does not cost extra. You only pay for what is used per endpoint authenticated.