02-10-2017 12:08 AM
Hi All,
I want to ask some questions regarding Cisco ISE HA in a Small Deployment network (with two nodes of ISE):
Thanks for your answers in advance.
Regards,
Kevin
Solved! Go to Solution.
02-10-2017 04:57 AM
Is it true that in a Small Deployment the Secondary node needs to be promoted manually when the Primary node goes down? I read a document that says auto-failover can only be enabled in a Distributed Node.
Yes, this is true.
If failover is manual, what is the purpose of the secondary admin persona, since you will need to promote it manually and cannot configure policy while it is still in the secondary position?
The policies and settings (the entire PAN database) are synchronized with the Secondary Admin Node and kept in synchronization. Once the Secondary is promoted, all the settings and policies previously configured on the Primary node will be there.
*Remember to add both the Primary and Secondary Admin Nodes to ALL licenses installed, as these are synchronized as well. If you do not have them both registered on the license, you can "Re-Host" the license(s) by following this process:
Will the failover change the IP address of the Secondary to the Primary node's IP address? Must I input the Primary and Secondary node IP addresses on all the NADs?
Both nodes should be added to the NADs in this deployment (Standalone), as each node hosts a Policy Service persona. It is only the PSNs that are added to the NADs for RADIUS.
Charles Moreton
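To make the answer above concrete, here is how a NAD (a Cisco IOS switch in this added example, which is not part of the original posts or of Cisco's documentation) lists both ISE nodes in one RADIUS server group so that authentication continues on whichever PSN is reachable, with dead-server detection so the switch does not keep waiting on a downed node. The node addresses, interface, group name, shared secret and probe account are assumptions for illustration.

```ios
! Both ISE nodes are defined as RADIUS servers. Each runs the Policy Service
! persona, so each answers RADIUS on its own regardless of which one currently
! holds the Primary Admin role.
aaa new-model

radius server ISE1
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 key <shared-secret>
 ! Active probe (optional): lets the switch mark the node dead without waiting
 ! for real client requests to time out. probe-user is a placeholder account.
 automate-tester username probe-user ignore-acct-port idle-time 5

radius server ISE2
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username probe-user ignore-acct-port idle-time 5

! Mark a server dead after 3 unanswered tries within 5 seconds, then skip it
! for 10 minutes so every 802.1X session does not stall on the downed node.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10

! Requests go to ISE1 first; ISE2 is used when ISE1 is dead. A switch that should
! prefer ISE2 while both are up simply lists ISE2 first in its own group.
aaa group server radius ISE-PSNS
 server name ISE1
 server name ISE2

! The source address here is the NAD IP that must be registered in ISE.
ip radius source-interface Vlan10

aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
```

The `key` must match the shared secret configured for this NAD in ISE, and the source interface address must be registered as a Network Device in ISE; since the network device list is part of the PAN database that is replicated to the secondary node, both PSNs will accept the switch. `show aaa servers` shows which server the switch currently marks DEAD, and `test aaa group ISE-PSNS probe-user <password> new-code` pushes a request through the group from the switch CLI.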
02-16-2017 11:53 PM
Thanks Charles for your answers.
It helps very well.
Kevin
02-22-2017 08:08 AM
Hi Charles,
I have follow up questions.
Currently I have an ISE deployment with 2 nodes:
When ISE 1 is still up, I can use ISE 2 as the RADIUS server for some of my NADs; it's a split deployment, isn't it?
When ISE 1 is down, my NADs that use ISE 2 as the primary RADIUS server cannot authenticate, nor can the NADs that use ISE 2 as the secondary RADIUS server.
I need to promote ISE 2 to primary admin to be able to authenticate through ISE 2.
Is this normal behavior? Do we need to manually promote the secondary admin node to make use of the redundancy of the PSN?
Or am I missing something in my configuration?
Thanks for your help.
Kevin
02-24-2017 11:50 AM
No, something else must be happening. Assuming it's just a standard authentication to either the internal data store or an external data store (i.e. not trying to create a guest account), ISE 2 should authenticate clients while ISE 1 is down. I'd probably start by looking at the live log while in that state.
George
08-13-2019 04:57 AM
Hi.
I guess this setup is no longer a small deployment, but a distributed deployment.
05-12-2020 04:08 PM
This small deployment HA makes no sense to me.
With such a great team at Cisco and such a huge product as Cisco ISE, it is not possible to do automatic failover with two nodes (in the year 2020)...
Guys, I'm a network engineer. If ISE1 goes down, it will be faster for me to fix ISE1 than to go to ISE2 and promote it manually as the primary node...
ISE eats so many resources, but has so many issues! This two-node automatic HA is not possible! vMotion on VMware: not possible; snapshots/backups on VMware: not possible! And the list goes on... :)
05-12-2020 04:32 PM
ISE two-node works just fine. The PSN functionality works independently of the other functions. If your primary admin node goes down in a two-node deployment, you lose access to administer and monitor the system until you promote the secondary to primary.
You don't want automatic promotion in a two-node setup, because when the promotion happens services restart and all functionality is lost. If you had a primary admin node go down in the middle of the day and Cisco allowed automatic failover, you would have a 10-20 minute outage. With manual promotion you get to control when the outage occurs.
This link is from the 2.3 guide, but scroll down to the table that shows what services are available when the Admin node is down:
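A quick way to check the point made above, that each PSN answers RADIUS on its own no matter which node holds the Primary Admin role, is to send a PAP Access-Request straight to each node and see whether it answers at all. The script below is an added example, not code from the thread or from Cisco: it builds the request per RFC 2865 (User-Password obfuscation) and RFC 2869 (Message-Authenticator), and only trusts a reply whose Response Authenticator validates under the shared secret, so a spoofed or corrupted reply is not mistaken for a live PSN. The node addresses, shared secret, probe account and NAS-Identifier are assumptions; the host running it must itself be registered as a Network Device in ISE, because ISE silently drops RADIUS from unknown NADs.

```python
"""Probe each Cisco ISE PSN directly with a RADIUS PAP Access-Request (added example, not from the thread)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80

# Assumed lab values: replace with your two PSN addresses and this host's shared secret in ISE.
PSNS = {"ise1": "10.10.10.11", "ise2": "10.10.10.12"}
SECRET = b"replace-me"

def user_password(data, secret, authenticator, decode=False):
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block); c_0 = authenticator."""
    if not decode:
        data += b"\x00" * (-len(data) % 16)  # zero-pad the cleartext to a block multiple
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decode else block)
    return out.rstrip(b"\x00") if decode else out

def avp(attr_type, value):
    """One attribute: type, length including this 2-byte header, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(packet):
    """[(type, value), ...] for the attributes after the 20-byte header; stops at the first malformed one."""
    attrs, pos, end = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            break  # never read past the declared packet length
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(ident, user, password, secret, nas_id, authenticator=None):
    """Access-Request carrying User-Name, User-Password, NAS-Identifier and Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, user_password(password, secret, authenticator))
             + avp(NAS_IDENTIFIER, nas_id)
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zeroed placeholder, kept as the last attribute
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 s5.14: HMAC-MD5 over the whole packet with the MA value zeroed, then written into it
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """True if the packet carries a Message-Authenticator that validates under secret."""
    pos = 20
    for attr_type, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += 2 + len(value)
    return False

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """What a PSN sends back: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def check_response(response, ident, request_authenticator, secret):
    """Response code, or None if the reply is short, has the wrong ID or fails the authenticator check."""
    if len(response) < 20:
        return None
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    if resp_ident != ident or length < 20 or length > len(response):
        return None
    response = response[:length]  # RFC 2865 s3: octets beyond Length are padding
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None

def probe_psn(host, secret, user, password, nas_id=b"ise-ha-probe", port=1812, timeout=3.0):
    """Send one Access-Request to one PSN; 'accept' and 'reject' both mean it is serving RADIUS."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(ident, user, password, secret, nas_id, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # node down, PSN not serving RADIUS, unknown NAD, or a firewall in between
    code = check_response(data, ident, req_auth, secret)
    if code is None:
        return "bad-authenticator"  # wrong shared secret, or a reply that did not come from the PSN
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code-%d" % code)

if __name__ == "__main__":
    for name, host in PSNS.items():
        print(name, host, probe_psn(host, SECRET, b"probe-user", b"probe-password"))
```

Run it with the primary admin node up, then again with it shut down: both nodes should still return accept or reject. A timeout from one node only, while its GUI shows all services running, points at the path to that node (shared secret, NAD registration or a firewall) rather than at the HA design.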
05-13-2020 07:05 AM
Thank you @paul, this is a great answer!
I was actually so upset... as I configured the small ISE deployment easily (but the 2nd PSN is not responding to RADIUS requests at all, whether the 1st node is UP or DOWN). And in the GUI/CLI everything seems to be fine, all services running on the 2nd node... using the latest ISE 2.6 with the latest Patch 6.
05-13-2020 08:57 AM
@paul I have actually fixed my first issue... it was the firewall... policies needed to be updated to allow communication with the ISE2 server.
However, I found another issue which I think cannot be resolved in this HA mode.
What if ISE1 generated a certificate for the user? It has a separate CA, and as I see it these certificates are not synchronized across the HA pair, and ISE2 is not aware of this at all?
Thank You
05-13-2020 04:32 PM
See the following link in the Admin Guide showing the ISE Internal CA hierarchy in a distributed deployment.
Although the Primary and Secondary nodes have separate Node CA and Endpoint CA certificates, they should be signed by the Root CA of the Primary PAN.
If you are not seeing the same (or if you have upgraded from an earlier version of ISE), you might need to regenerate the ISE CA Chain.