Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
157
Views
0
Helpful
1
Replies

Enabling PAN Autofailover in Cisco ise will have production impact

Go to solution
palani2010
Level 1
Level 1

‎04-08-2025 06:31 PM

Enabling PAN Autofailover in Cisco ise will have production impact.

 

Note - Cisco ise has three nodes 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎04-10-2025 03:14 PM

is there a question?  PAN auto failover is generally a bad idea, unless you have zero support staff and rely on ISE to look after itself to ensure that there is always an admin portal to access (in case the preferred, primary node is offline).  There will always be times when the Primary admin node will be offline for a while (e.g. patching and upgrading or other reasons) - but that might not be a good enough reason to promote the Secondary. Secondary promotion is a very slow process (whether done manually or automatically). If your admin node is down for many hours and you need GUI access, then just promote the Secondary manually. Don't let the timers dictate when that will happen, because it might not be in your favour to do so.

When a failover has occurred, then ISE admin users will also need to know the URL of the new Primary node, unless you have some smart dynamic DNS system that can test which ISE node is the Primary, and set the DNS CNAME accordingly - I am thinking of the F5 GTM for example. Therefore, Auto Failover can also cause a great deal of confusion if this is not handled in a smart way either.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Arne Bier
VIP
VIP

‎04-10-2025 03:14 PM

is there a question?  PAN auto failover is generally a bad idea, unless you have zero support staff and rely on ISE to look after itself to ensure that there is always an admin portal to access (in case the preferred, primary node is offline).  There will always be times when the Primary admin node will be offline for a while (e.g. patching and upgrading or other reasons) - but that might not be a good enough reason to promote the Secondary. Secondary promotion is a very slow process (whether done manually or automatically). If your admin node is down for many hours and you need GUI access, then just promote the Secondary manually. Don't let the timers dictate when that will happen, because it might not be in your favour to do so.

When a failover has occurred, then ISE admin users will also need to know the URL of the new Primary node, unless you have some smart dynamic DNS system that can test which ISE node is the Primary, and set the DNS CNAME accordingly - I am thinking of the F5 GTM for example. Therefore, Auto Failover can also cause a great deal of confusion if this is not handled in a smart way either.

0 Helpful
Customers Also Viewed These Support Documents