Difference between enabling Primary/Secondary in ISE and enabling failover

abhijith891 (Level 1)

Hi all,

I have received a distributed environment for Cisco ISE from a client where they have configured the PAN node in one location as Primary for Admin and Secondary for Monitoring, and another ISE node in another location as Secondary for Admin and Primary for Monitoring. So I just wanted to know how different this scenario would be if failover were enabled between them.

Regards,

Abhijit

Accepted Solution

hslai (Cisco Employee)

As the two ISE nodes are both PAN and MnT, we would need a PSN node to monitor the availability of the two PANs in order to configure and enable PAN failover, as in Configure Monitoring Nodes for Automatic Failover.

6 Replies

Just to add to what Hsing was saying. The link will show how to configure both PAN and MnT failover. You may have to scroll up for PAN failover.

Thanks everyone for your suggestions, but I think I have not made myself clear, so I will rephrase. My question was: what is the difference between enabling failover between 2 devices/personas and configuring primary/secondary between 2 devices/personas? Which method is better?

MnT failover has always been there since ISE 1.0, as long as there are two MnT nodes. When the primary MnT is down, the secondary MnT becomes the active MnT, whereas the primary MnT remains primary and becomes the active one again once its services are restored.

Although ISE has also supported two PANs since ISE 1.0, it allowed only manually promoting the secondary PAN to primary until ISE 1.4, which introduced automatic failover for the primary ISE node.

If the link between two sites is fairly reliable, then the automatic fail-over of P-PAN is a good option.

I'll offer up an alternate explanation. 

It's easier to think of the MnT nodes as Active/Active even though you specify one as primary and the other as secondary. If one MnT fails you will still receive alarms, live logs and reporting as if both were online, without having to "fail over". By specifying one as primary you will be leveraging that node for reporting/live logs/alarms. Both nodes ingest the same logging data and can be thought of as copies of one another. Data parity applies as long as both nodes are online for the same period. If one MnT is down for a week, that data will only exist on one node; data is not synced between MnTs.

The admin node roles differ: the primary admin node (PAN) should be thought of as primary and requires failover to continue some deployment operations. When the PAN fails, many functions in the deployment continue on as if nothing happened. Depending on the features being utilized by the deployment, losing the PAN could have a high impact. This is why Cisco introduced automatic PAN failover in 1.4, as hslai mentioned. If you choose not to enable automatic failover, you will have to log in to the secondary admin node and promote it manually. 10-20 minutes after logging in and manually failing over the admin role, deployment functions will continue on.

Here is a direct link to the features you keep/lose when the PAN fails and you do not have automatic failover enabled.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter…
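To make the prerequisites from the replies above concrete, here is an added example (not code from this thread, from Cisco, or from any ISE release) that checks a deployment description for the three things the thread turns on: two admin personas, two MnT personas, and a health-check PSN that is not itself a PAN before automatic PAN failover can be enabled. The input shape and field names (`roles`, `services`, `isEnabled`, `primaryHealthCheckNode`, `pollingInterval`, `failedAttemptsBeforeFailover`) are assumptions loosely modelled on the ISE 3.x OpenAPI deployment objects; confirm them against the API reference for your ISE version. The two sample deployments are constructed: the first is the two-node layout from the original question, the second adds a PSN per site.

```python
"""Offline sanity check of an ISE deployment for PAN and MnT failover readiness.

Added example, not Cisco code or code from this thread. The input shape is an
ASSUMPTION loosely modelled on the ISE 3.x OpenAPI objects returned by
GET /api/v1/deployment/node and GET /api/v1/deployment/pan-ha; confirm the
field names against the API reference of the ISE version you run.
"""

ADMIN_ROLES = {"PrimaryAdmin", "SecondaryAdmin"}

# Constructed sample: the two-node layout from the original question. Each box
# is both a PAN and an MnT, and neither runs the Session (PSN) service.
OP_NODES = [
    {"hostname": "ise-site-a", "roles": ["PrimaryAdmin", "SecondaryMonitoring"], "services": []},
    {"hostname": "ise-site-b", "roles": ["SecondaryAdmin", "PrimaryMonitoring"], "services": []},
]
OP_PAN_HA = {"isEnabled": False}

# Constructed sample: the same PANs plus one PSN per site to act as health-check nodes.
FIXED_NODES = OP_NODES + [
    {"hostname": "psn-site-a", "roles": [], "services": ["Session"]},
    {"hostname": "psn-site-b", "roles": [], "services": ["Session"]},
]
FIXED_PAN_HA = {
    "isEnabled": True,
    "primaryHealthCheckNode": {"hostname": "psn-site-a"},    # watches the primary PAN
    "secondaryHealthCheckNode": {"hostname": "psn-site-b"},  # watches the secondary PAN
    "pollingInterval": 120,             # seconds between health checks (assumed field)
    "failedAttemptsBeforeFailover": 5,  # consecutive misses before promotion (assumed field)
}


def nodes_with_role(nodes, role):
    return [n["hostname"] for n in nodes if role in n.get("roles", [])]


def eligible_health_check_nodes(nodes):
    """PSNs (nodes running the Session service) that are not themselves PANs."""
    return [
        n["hostname"] for n in nodes
        if "Session" in n.get("services", []) and not ADMIN_ROLES & set(n.get("roles", []))
    ]


def check_failover_readiness(nodes, pan_ha):
    """Return a list of human-readable problems; an empty list means ready."""
    problems = []
    if len(nodes_with_role(nodes, "PrimaryAdmin")) != 1:
        problems.append("expected exactly one PrimaryAdmin node")
    if len(nodes_with_role(nodes, "SecondaryAdmin")) != 1:
        problems.append("no SecondaryAdmin node: there is nothing to promote, manually or automatically")
    # MnT failover needs two MnT personas; with both present it happens on its own.
    if not (nodes_with_role(nodes, "PrimaryMonitoring") and nodes_with_role(nodes, "SecondaryMonitoring")):
        problems.append("fewer than two MnT nodes: no MnT failover and no second copy of the logs")
    eligible = eligible_health_check_nodes(nodes)
    if not eligible:
        problems.append("no PSN that is not also a PAN: automatic PAN failover cannot be configured")
    if not pan_ha.get("isEnabled"):
        problems.append("automatic PAN failover is off: after a PAN outage the secondary must be promoted by hand")
        return problems
    # The health-check nodes must be PSNs that are not one of the two PANs.
    for key in ("primaryHealthCheckNode", "secondaryHealthCheckNode"):
        host = pan_ha.get(key, {}).get("hostname")
        if host not in eligible:
            problems.append(f"{key} {host!r} is not an eligible PSN")
    return problems


def failover_detection_seconds(pan_ha):
    """Worst-case time between the primary PAN going down and promotion being triggered."""
    return pan_ha["pollingInterval"] * pan_ha["failedAttemptsBeforeFailover"]


if __name__ == "__main__":
    for label, nodes, pan_ha in (("as delivered", OP_NODES, OP_PAN_HA),
                                 ("with PSNs", FIXED_NODES, FIXED_PAN_HA)):
        print(label + ":", check_failover_readiness(nodes, pan_ha) or "ready")
    print("detection window:", failover_detection_seconds(FIXED_PAN_HA), "seconds")
```

Run against the first sample it reports two problems (no eligible PSN, failover off), which is exactly the situation in the original question; against the second it reports none. The detection window (polling interval times failed attempts) is worth looking at alongside hslai's note about link reliability: a short window on a flaky inter-site link risks a promotion you did not want.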

Thanks Damien. A lot of my doubts are clear now. Cheers