Cisco ISE question

Let's say you have a 4-node ISE environment:

node1:  Primary PAN/Primary MnT in AWS USEast-1,

node2:  Secondary PAN/Secondary MnT in AWS USWest-1,

node3:  PSN in AWS USEast-1,

node4:  PSN in AWS USWest-1,

Let's say node1 goes down unexpectedly and you promote node2 to be the PAN and PMnT.  Two hours later, node1 comes back online.  What is going to happen to your cluster because both node1 and node2 are now PAN and Primary MnT?  Is this going to cause an issue?  How are you going to fix this?

Nothing. You need to manually fail back. node1 will come in as secondary PAN.

Are you sure about "Nothing. You need to manually fail back. node1 will come in as secondary PAN"?  Because that is not what I experienced, and I was running ISE 3.1 patch-9.

That assumes that the node has operational communication still with the other PAN. ymmv if you are having WAN transport issues.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/identity-service-engine-software-3-1-3-2.html

@ahollifield:  There was no WAN issue because I purposely null route between AWS USEast-1 and AWS USWest-1 VPCs where those ISEs resided.  When I removed null route ten hours later, I had issues with ISEs.  The latency between USEast-1 and USWest-1 is around 60ms, well within the limits of ISE (I think).  Node1 could ping node2 and vice versa, and Security Group is wide open to allow 0.0.0.0/0 on all tcp and udp ports.

What do you mean? You removing the route literally was causing a WAN issue...

@ahollifield:  Yes, I removed the VPC peering to cause WAN outage in order to simulate a DR scenario.  When I restored the VPC peering ten hours later, it should NOT have caused any issues, according to what you said, but it did.

What issues exactly?

Both node1 and node2 were showing up as PAN/PMnT.  That's the issue.  

Did one have a yellow triangle next to it? Do you have a screenshot you can share? Did this actually cause any operational issue?

In node1 UI, it shows node2 as "red".  In node2 UI, it shows node1 as "red".  Node1 said it is PAN/PMnT.  Node2 said it is PAN/PMnT.

Was the WAN still broken at this time? The icon should have been yellow, not red.

Did this actually cause any operational issues?

WAN has been restored for the past 36 hours after being broken for about 28 hours.  It is not causing any operational issues because I do not have a need to make any configuration change at this time.  This is not a good situation.

Open a TAC case.

What issues did you experience? ISE does not support preemption. As @ahollifield mentioned, if the primary PAN goes down and you promote the secondary PAN to become the primary, then when the original primary comes back online it will become the new secondary PAN and will stay like that until you repromote it to become the primary again. Same thing when you use auto-failover, when the original primary comes back online it will become the new secondary node until you manually repromote it to become the primary.