05-05-2019 09:45 PM
Hi ISE dev/doc team,
My customer is considering ISE node failover operation during each node failure, so we are evaluating the functional impact of each failure. The admin guide currently says the secondary MnT is 'read-only', but we haven't fully understood the actual impact of this.
> When a primary Monitoring node goes down, the secondary Monitoring node takes over all monitoring and troubleshooting information. The secondary node provides read-only capabilities.
In our testing, even though the node stayed as secondary MnT (i.e. read-only), it could still record new syslogs sent from other PSNs. What does the secondary MnT act as 'read-only' for? Could you give some examples of what the secondary MnT can't handle?
05-05-2019 09:56 PM
Hi,
The logs generated by PSN nodes are sent to both Primary and Secondary MnT nodes. There is no sync which happens between primary and secondary node for any information.
For any report generation, PAN queries the Primary MnT node for data. For session-related queries as well, the request is made to the Primary MnT node only. After switchover, the Secondary node takes over all the capabilities of the Primary MnT node.
Hope this is clear.
Thanks,
Nidhi
05-06-2019 12:04 AM
05-06-2019 06:22 PM
Hi Nidhi,
I might have misunderstood your explanation. Let me explain my question again.
> For any report generation, PAN queries Primary MnT node for data. For session related queries as well, the request is
> made to the Primary MnT node only. After Switchover, Secondary node takes over all the capabilities of the Primary
> MnT node.
Do you mean the Primary PAN queries both the Primary and Secondary MnT (when the primary is down) nodes for data, but queries only the Primary MnT (even though the primary is down) for session-related reports?
My customer and I are now considering the situation where the primary MnT is down but the secondary MnT is kept as secondary (no promotion). In that situation, PAN will soon move to the secondary MnT for monitoring data.
i.e.
Query for monitoring data
Primary PAN ----------------------------> Secondary MnT(now active)
Secondary PAN(do nothing) Primary MnT(down).
In that situation, we would like to clarify the functional gap between the P-PAN/P-MnT pair and the P-PAN/S-MnT pair.
Could you comment on this?
In particular, the meanings of 'read-write' and 'read-only' in the admin guide are still unclear to me.
The guide currently says the primary MnT has read-write function and the secondary MnT has only read-only function.
Could you explain which operations don't work on the secondary MnT? What are we unable to write to the secondary MnT?
05-08-2019 08:46 AM - edited 05-08-2019 10:17 PM
Editing the response to avoid confusion -
A couple of things to consider when Primary MnT is down.
- Alarms are generated only from PMnT. So if PMnT goes down, you will not get the alarms until the node is down or you promote the SMnT node.
- As I mentioned earlier, PAN always queries PMnT for dashboard data and report generation. If PMnT is down, only then is the query sent to SMnT. Hence with every request, you will see a delay in report generation.
- Until 2.2, even the scheduled reports are run from the PMnT node only. This changed from 2.3 onward. I believe this is the reason why the read-only keyword was added. I will work with the documentation team to make it clear.
- Another aspect to consider is that there is data loss on PMnT when it's down. But if we do not promote the Secondary MnT to Primary, then once the PMnT is back up, reports will not contain the information for the downtime period, since PAN will contact PMnT only.
Thanks,
Nidhi
05-10-2019 03:28 AM - edited 05-10-2019 03:33 AM
Thanks for the clarification!
> - Alarms are generated only from PMnT. So if PMnT goes down, you will not get the alarms until the node is down or you promote the SMnT node.
Thanks. But in my lab testing, the Home page still shows some ALARMS while PMnT is down.
I guess you mean some types of alarms will not appear while PMnT is down. Could you give some examples?
And one more point...
> until the node is down or you promote the SMnT node.
Does this actually mean "until the node is returned"?
> - As I mentioned earlier, PAN always queries PMnT for dashboard data and report generation. If PMnT is down, only then the query is sent to SMnT. Hence with every request, you will see delay with report generation.
Understood. Thanks.
> - Until 2.2, even the scheduled reports are run from PMnT node only. This changed from 2.3 onward. I believe this is the reason why read-only keyword was added. I will work with documentation team to make it clear.
I'm still not sure about the relationship between the "Scheduled report" function and the "read-write/only" terms... I look forward to the next update after checking with the doc team.
> - Another aspect to consider is, there is data loss on PMnT when it's down. But if we do not promote the Secondary MnT to Primary, and once the PMnT is back up, reports will not contain the information for the downtime period since PAN will contact PMnT only.
Understood. I suggested that my customer reserve a long maintenance window, back up the operational DB from the secondary, and load the DB into the new primary before registering the new PMnT in the maintenance time.
05-15-2019 04:42 AM - edited 06-04-2019 06:36 AM
I checked with the Engineering team, and alarms are generated from both PMnT and SMnT.
If PMnT is down, SMnT detects that the node is down based on the syslogs and starts triggering the alarm.
However, there is a slight delay until the secondary node detects that the primary is down, and you might see some alarms missing.
Regarding the read-write/read-only wording in the Config Guide, we are working with the documentation team to have a better explanation in the document.
05-16-2019 10:13 PM - edited 06-23-2019 10:48 PM
Hi,
<Removed some statements because the above response about ALARM from Nidhi was updated>
BTW, could you tell me about the ALARM implementation?
> SMnT detects that the node has been down based on the syslogs and starts triggering the alarm.
Does "triggering the alarm" mean the alarm is fired to pPAN and pPAN stores historical alarm data?
Or are all ALARMs for all nodes stored in MnT like report data, and does PAN query ALARM data whenever a user opens the ALARM dashlet?
05-29-2019 08:36 PM
Hi Nidhi,
Thanks for looking into this issue. I just wanted to know if there are any updates on this since the customer requested an update from Cisco.
05-30-2019 10:34 PM
Taken offline!