Solved: Failover of the ISE

network_geek1979 · ‎09-19-2019

Folks,

Our ISE environment is configured with a Primary member and then a node added to this distributed environment. The Primary node is in Sydney and the secondary is in Melbourne.

When we login to the primary node it shows all the options as shown below:

The secondary node shows limited options as below:

please can someone help me confirm that this is correct?(IMO it is) :-)

Few Questions:

1. What happens when the primary goes off? Once I promote the secondary node as Primary it should start showing all options, right?

2. Since this is ISE 2.3 the licenses should also migrate, right?

3. when the originally primary nodes comes back up it should take the configuration from the new Primary node , right?

or will it fight to become the primary again?

Thanks!!!!

N.

Mike.Cifelli · ‎09-19-2019

What you see when logged into the GUI of your PAN and secondary PAN is what is to be expected (normal).
1. What happens when the primary goes off? Once I promote the secondary node as Primary it should start showing all options, right?
You have the option to enable PAN Failover so that it automatically happens should the PAN go down. See Administration->System->Deployment->PAN Failover. However, to answer your question, yes once you failover the secondary node will show all admin options.

2. Since this is ISE 2.3 the licenses should also migrate, right?
Yes. Note that ISE licenses have changed a little as of 2.4.x. For example, ISE VM licenses are based on vmware resources to determine small, medium, large.

3. when the originally primary nodes comes back up it should take the configuration from the new Primary node , right?
or will it fight to become the primary again?
Once it comes back up it will take the role of secondary PAN. You can force failover back to the original PAN via promotion.

Good luck & HTH!

View solution in original post

Mike.Cifelli · ‎09-19-2019

What you see when logged into the GUI of your PAN and secondary PAN is what is to be expected (normal).
1. What happens when the primary goes off? Once I promote the secondary node as Primary it should start showing all options, right?
You have the option to enable PAN Failover so that it automatically happens should the PAN go down. See Administration->System->Deployment->PAN Failover. However, to answer your question, yes once you failover the secondary node will show all admin options.

2. Since this is ISE 2.3 the licenses should also migrate, right?
Yes. Note that ISE licenses have changed a little as of 2.4.x. For example, ISE VM licenses are based on vmware resources to determine small, medium, large.

3. when the originally primary nodes comes back up it should take the configuration from the new Primary node , right?
or will it fight to become the primary again?
Once it comes back up it will take the role of secondary PAN. You can force failover back to the original PAN via promotion.

Good luck & HTH!

Arne Bier · ‎09-26-2019

Hi @Mike.Cifelli and @network_geek1979

Regarding the licensing - if the license(s) do not contain the secondary UDI, then the Secondary node will not be licensed after a promotion to primary. Yes, the license file is sync'd across - but it's only useful if the UDI details of BOTH nodes is contained in that file. Watch out for that! And no, there is no way to check what you have uploaded to during the Traditional Licensing file upload. TAC can probably tell you (or perhaps you're lucky enough to still have those .lic files hanging around - in that case, study them carefully and check that both PAN nodes' details are contained and correct).

Another caveat is the VM node rebuild. You will have to re-home the licenses to include the UDI of the newly built VM.

All this is irrelevant if you are using Smart Licensing :-)

Jason Kunst · ‎09-27-2019

This may help as well
https://community.cisco.com/t5/security-documents/how-do-i-rehost-my-existing-ise-license-s-onto-a-new-or/ta-p/3632248