Failback To Primary Server After X Minutes

mykys
Level 1

Hi, 

 

We got two LDAP servers: primary and secondary:

ISE.PNG

What does Failback To Primary Server After X Minutes mean under the failover configuration?

 

LDAP.PNG

Does that mean we always use the secondary server until it fails?

Thanks,

Myky

Accepted Solution

Mike.Cifelli
VIP Alumni

AFAIK no.  My understanding is that the failback timer will tell ISE when to try to use ldap svr1 again.  Have you confirmed that ISE thinks both are up during your testing? Have you tested with the other configuration telling ISE to always access ldap svr1 first, and reviewed your results?


3 Replies

Mike.Cifelli
VIP Alumni

Here is an overview/description straight from Cisco docs:

-Cisco ISE supports failover between a primary LDAP server and a secondary LDAP server. In the context of LDAP authentication with Cisco ISE, failover applies when an authentication request fails because Cisco ISE could not connect to an LDAP server. Failover can occur when the server is down or is otherwise unreachable by Cisco ISE. To use this feature, you must define the primary and secondary LDAP servers, and you must set failover settings.

-If you establish failover settings and if the first LDAP server that Cisco ISE attempts to contact cannot be reached, Cisco ISE always attempts to contact the other LDAP server. The first server that Cisco ISE attempts to contact might not always be the primary LDAP server. Instead, the first LDAP server that Cisco ISE attempts to contact depends on the previous LDAP authentication attempts and on the value that you enter in the Failback Retry Delay box.

HTH!
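The selection behaviour described in the documentation excerpt above, as a simplified model (an added example, not Cisco's implementation and not code from this thread). It assumes the failback timer starts when the primary is found unreachable; the class, field names and the timeline are constructed for illustration. It shows one way requests can keep landing on the secondary while both servers are up.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LdapFailoverModel:
    failback_minutes: float                 # the "X" in the failback setting
    always_primary_first: bool = False      # the alternative option mentioned in the thread
    failed_over_at: Optional[float] = None  # minute the primary was last found unreachable

    def first_choice(self, now: float) -> str:
        """Server contacted first for a request arriving at minute `now`."""
        if self.always_primary_first or self.failed_over_at is None:
            return "primary"
        if now - self.failed_over_at >= self.failback_minutes:
            return "primary"                # timer expired: try the primary again
        return "secondary"                  # still inside the failback window

    def authenticate(self, now: float, reachable: set) -> Optional[str]:
        """Return the server that handled the request, or None if neither answered."""
        first = self.first_choice(now)
        other = "secondary" if first == "primary" else "primary"
        for server in (first, other):
            if server in reachable:
                if server == "primary":
                    self.failed_over_at = None   # primary is healthy again
                return server
            if server == "primary":
                self.failed_over_at = now        # primary unreachable: (re)start the timer
        return None

BOTH = {"primary", "secondary"}
# Constructed timeline: (minute, servers reachable at that minute).
# The primary is unreachable only at minute 1.
TIMELINE = [(0, BOTH), (1, {"secondary"}), (2, BOTH), (5, BOTH), (6, BOTH), (7, BOTH)]

def replay(model: LdapFailoverModel, timeline) -> list:
    """Feed each request through the model and record which server served it."""
    return [model.authenticate(minute, up) for minute, up in timeline]

if __name__ == "__main__":
    print("failback after 5 min:", replay(LdapFailoverModel(5), TIMELINE))
    print("always primary first:", replay(LdapFailoverModel(5, True), TIMELINE))
```

In this model a single missed connection at minute 1 keeps requests on the secondary until minute 6, even though the primary is reachable again from minute 2.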

Thanks, and I did check the KB before posting here!

 

It's still a bit confusing, as both servers are up but most queries hit secondary.

 

Is Failback Retry Delay box different from the Failback To Primary Server option? 

 

Thanks,

Myky
