Do 2 PSN nodes in a Distributed Deployment, balance the traffic?

Hi,

I'm new to ISE distributed Deployment and I would like to confirm the following:

We have 2x ISE Nodes in a Distributed Deployment and both act as PAN, MnT and PSN, in a high availability environment, with one Node working in the Primary role and the other as Secondary.

The question came up when I saw some endpoints authenticating and authorizing on both PSNs (some endpoints on the Primary Server and others on the Secondary). Why is this behavior? As per my understanding, all endpoints should authenticate with the Primary Server and, if it fails, all should go to the Secondary. Can someone tell me if I am wrong?

Thanks in advance for your assistance.


7 Replies

Forgot to clarify, the 2 PSN Nodes are not in the same Node group and they are in a different LAN.


Thanks

Hi!

The primary and secondary concept is applicable just for the PAN & MnT. The PSN nodes are active/active. You can put them behind a Load Balancer or do manual load balancing, configuring it directly in your endpoints.

Regards!

Hi @adriangreniergarcia ,

Beyond what @tjezer said, please take a look at the Cisco ISE Device Administration Prescriptive Deployment Guide for a better understanding of the Deployment Models.

Hope this helps !!!

Damien Miller
VIP Alumni

As tjezer pointed out, your PSN personas are active/active in that any node in the deployment with the session services enabled will be able to process RADIUS requests. How you load balance them is really up to the admin (aka you) to determine. 

With two PSN nodes, you basically have two ideal options:

  1. If you have enough capacity for your expected active endpoints, you can send everything to one PSN as the primary, and also configure the other PSN as the secondary. This can be beneficial for troubleshooting since you always know that PSN 1 "should" be handling the requests under normal circumstances. 
  2. Split the load between the PSN nodes and use one as primary for some network devices, and the other as primary for other network devices. In this scenario you pick the RADIUS server order and the first in the list acts as primary, while the second acts as secondary. Often we split primary and secondary order by geography selecting the closest for primary, further as secondary. 

In larger deployments we usually put multiple PSNs behind load balancers, but the same strategy in the above two options still exists. Typically this is four or more PSN nodes with at least two behind each virtual IP the load balancers host. With two PSNs you want them in different geographic locations, so putting them behind a traditional load balancer would not be ideal.

Hi Damien,

In fact number 1 is the scenario I want; however, for some reason, even when I have the primary Server configured first in the NAD (configuration below), the endpoint devices are authenticating and authorizing on the Secondary Server. I will probably restart the secondary ISE server and validate that the endpoints start authenticating with the primary.

Thanks all for your answers.

aaa-server ISE-RADIUS protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization
aaa-server ISE-RADIUS (inside) host 180.201.x.x1 -----> Primary Server
key *****
aaa-server ISE-RADIUS (inside) host 180.201.x.x2 ----> Secondary Server
key *****

Looks like you are trying to use an ASA. I have bad news here: the ASA does not act like a switch or wireless LAN controller.

The ASA will begin to use the first one that appears in the config, but if that fails/goes down/timeout for any reason then the ASA will begin using the second RADIUS server and hold on to it. It will only switch back to the original "primary" if the requests begin to fail. The ASA won't preempt itself back to the first unless it is forced to. 

Switches and WLCs will wait a dead time then return back to using the configured list order. 

I think that would be the case if you leave the Reactivation Mode at its default, which is the Depletion option; however, I think if you change the Reactivation Mode to Timed, that will reactivate the dead server after 30 secs.
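As an added illustration (not the original poster's running config and not text from any reply), here is the same ASA aaa-server group in its default depletion reactivation mode next to the timed variant the last reply suggests. Host addresses follow the poster's masked values, the shared secrets are placeholders, and the deadtime and max-failed-attempts values are assumed examples.

```cisco
! --- What the posted config uses implicitly: depletion mode ---
! A server marked failed stays out of rotation until every server in
! the group has failed; only then does the ASA reactivate them all
! (after the deadtime, in minutes). This is why the ASA "sticks" to the
! secondary PSN after a single failover instead of returning to PSN 1.
aaa-server ISE-RADIUS protocol radius
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 180.201.x.x1
 key <primary-shared-secret-placeholder>
aaa-server ISE-RADIUS (inside) host 180.201.x.x2
 key <secondary-shared-secret-placeholder>

! --- Timed mode: the failed server is retried after 30 seconds ---
! Once PSN 1 responds again it goes back to ACTIVE, and because it is
! first in the group, new requests return to it. The audit trail then
! matches the design: PSN 1 handles authentications under normal
! conditions, PSN 2 only while PSN 1 is actually down.
aaa-server ISE-RADIUS protocol radius
 reactivation-mode timed
 max-failed-attempts 3
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 180.201.x.x1
 key <primary-shared-secret-placeholder>
aaa-server ISE-RADIUS (inside) host 180.201.x.x2
 key <secondary-shared-secret-placeholder>

! Verify which server is ACTIVE or FAILED, and its request counters:
! show aaa-server ISE-RADIUS
```

Checking `show aaa-server ISE-RADIUS` before and after a forced failover shows whether the primary PSN is re-marked ACTIVE, which is the quickest way to confirm which reactivation mode the ASA is actually applying.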