Re: Distributed ISE nodes and communication between PSNs

hervetram · ‎03-30-2022

Hello,

We have the following distributed ISE deployment:

Site A: 2x ADM, 2x MNT, 2x PSN

Site B: 2x PSN

Site C: 2x PSN

We opened the ports in the firewalls between Site A and Site B and between Site A and Site C so the PSN can reach the ADM and MNT nodes.

We have some errors in the ISE stating communication failure between the PSN of Site B and PSN of Site C.

Why do the PSN of Site B need to communicate with the PSN of Site C ?

HansK_NL · ‎03-30-2022

Did you create a single "node group", with all PSNs assigned to it?

Such a scenario would explain the behaviour you see: PSNs share their active sessions with all members of the "node group"

If you have a single "node group", please consider creating a "node group" per site and only assign the PSNs for that site.

Please keep in mind that RADIUS session are shared within a "node group", PSNs of site A will have no knowledge about active sessions within site B.

Cheers,

Hans

hervetram · ‎03-30-2022

I did create a node group for each site when I added the nodes, so each node group contains only the 2 PSN of its site.

tjezer · ‎03-30-2022

Hi @hervetram

You can use this document as a guide of the ports and compare with your logs on firewall to check what traffic is the PSNs trying to establish: Cisco ISE Ports Reference

As @HansK_NL said, probably you have just one cluster configured and all PSN personas are trying to sync sessions.

Regards,

Jezer