Solved: Re: Cisco ISE question - Page 2

adamscottmaster2013 · ‎05-28-2025

Let say you have a 4 nodes ISE environment:

node1: Primary PAN/Primary MnT in AWS USEast-1,

node2: Secondary SAN/Secondary MnT in AWS USWest-1,

node3: PSN in AWS USEast-1,

node3: PSN in AWS USWest-1,

Let say node1 goes down unexpectedly and you promote node2 to be the PAN and PMnT. Two hours later, node1 comes back online. What is going to happen to your cluster because both node1 and node2 are now PAN and Primary MnT? Is this going to cause an issue? How are you going to fix this?

adamscottmaster2013 · ‎05-29-2025

@Aref Alsouqi: Here is what happened. Everything was working fine. Node1 was PAN/PMnT and node2 was SAN/SMnT. I removed VPC peering between USEast-1 and USWest-1, so that node1 & node3 could NOT communicate with node2 and node4. I also performed went into AWS console and power OFF node 1. After that, I promoted node2 to PAN/PMnT. Ten hours later, I restored the VPC peering between USEast-1 and USWest-1 and powered up node1 shortly after that. This is where node1 and node2 were both showed up as PAN/PMnT.

Aref Alsouqi · ‎05-29-2025

Would the whole time that node1 was down exceeded 12 hours?

adamscottmaster2013 · ‎05-29-2025

@Aref Alsouqi: it is possible that node1 was down for more than 28 hours, now that I remember. Cisco documentation stated that:

Actions must be taken to bring the PAN back into deployment within 12 hours.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_deployment.html

What happened if the PAN node is down for more than 12 hours?

ahollifield · ‎05-29-2025

You will need to perform a manual sync on the node.

Aref Alsouqi · ‎05-30-2025

That seems to be the issue then. Although the documentation doesn't expand much on that, but I think it means exactly what you'd experienced. Tbh, this is something I'd never tested before, but it seems if the PAN goes offline for more than 12 hours it does get disconnected logically from the deployment as you could see.

adamscottmaster2013 · ‎05-29-2025

Can anyone explain what this mean? According to Cisco documentation:

Actions must be taken to bring the PAN back into deployment within 12 hours.

What happen if the PAN is down for more than 12 hours? What will happen then?

ahollifield · ‎05-29-2025

You will need to select the node in the deployment page and click Sync Up

Marcelo Morais · ‎06-26-2025

Hi @adamscottmaster2013 ,

when the PPAN is not online during the SPAN promotion to primary:

the other Nodes identify and accept the SPAN as their New PPAN.
the SPAN identity that the PPAN is not online

00 SPAN promotion to primary.png

after SPAN promotion to primary with PPAN down, the PPAN Nodes Status in the SPAN Deployment page is red

01 SPAN after promotion with PPAN down - Deployment page.png

after PPAN is back online, all Nodes "understand" that this PPAN is not the "real PPAN" and in the SPAN Deployment the Yellow icon - Replication Stopped appear:

during this time, the PPAN back online become a SPAN:

at this point, going back to the SPAN and execute a Sync with the (old) PPAN is the right thing to do:

sync in progress ...

05 Sync In Progress.png

the (old) PPAN is now connected to the SPAN (the new PPAN) :

At this point you are able to promote the old PPAN back to PPAN.

Hope this helps !!!