
Functional diffs between primary/secondary MnT

masyamad
Cisco Employee

Hi ISE dev/doc team,

 

My customer is considering ISE node failover operation for each node failure, so we are evaluating the functional impact of each failure. Now the admin guide says the secondary MnT is 'read-only', but we haven't fully understood the actual impact of this.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID95

Automatic Failover Process

When a primary Monitoring node goes down, the secondary Monitoring node takes over all monitoring and troubleshooting information. The secondary node provides read-only capabilities.

 

In our testing, even though the node stayed as secondary MnT (i.e. read-only), it could still record new syslogs sent from other PSNs. What does the secondary MnT act as 'read-only' for? Could you give some examples of what the secondary MnT can't handle?

 

 

 

9 Replies

Nidhi
Cisco Employee

Hi, 

The logs generated by PSN nodes are sent to both the Primary and Secondary MnT nodes. No sync of any information happens between the primary and secondary nodes.

For any report generation, the PAN queries the Primary MnT node for data. For session-related queries as well, the request is made to the Primary MnT node only. After switchover, the Secondary node takes over all the capabilities of the Primary MnT node.

Hope this is clear.

 

Thanks,

Nidhi 

Hi Nidhi,
Thanks for the update. Regarding report generation, the admin guide says the secondary MnT runs it instead of the Primary.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011111.html?bookSearch=true#ExportSummary
> If the primary MnT node is down, the scheduled report export job will run on secondary MnT node.

So I think the secondary node also has the same capabilities. Could you double check?

Hi Nidhi,

 

I might have misunderstood your explanation. Let me explain my question again.

 

> For any report generation, PAN queries Primary MnT node for data. For session related queries as well, the request is
> made to the Primary MnT node only. After Switchover, Secondary node takes over all the capabilities of the Primary
> MnT node.

 

Do you mean the Primary PAN queries both the Primary and Secondary MnT nodes (when the primary is down) for data, but queries only the Primary MnT (even though the primary is down) for session-related reports?

 

Now my customer and I are considering the situation where the primary MnT is down but the secondary MnT is kept as secondary (no promotion). In that situation, the PAN will soon move to the secondary MnT for monitoring data.

 

i.e.

                Query for monitoring data
Primary PAN ----------------------------> Secondary MnT (now active)

Secondary PAN (do nothing)                Primary MnT (down)

 

In this situation, we would like to clarify the functional gap between the P-PAN/P-MnT pair and the P-PAN/S-MnT pair.

Could you comment on this?

 

In particular, the meanings of 'read-write' and 'read-only' in the admin guide are still unclear to me.

Now the guide says the primary MnT has read-write function and the secondary MnT has only read-only function.

Could you explain which operations don't work on the secondary MnT? What are we unable to write to the secondary MnT?

 

 

 

Editing the response to avoid confusion:

 

A couple of things to consider when the Primary MnT is down.

- Alarms are generated only from PMnT. So if PMnT goes down, you will not get the alarms until the node is down or you promote the SMnT node.

- As I mentioned earlier, the PAN always queries PMnT for dashboard data and report generation. Only if PMnT is down is the query sent to SMnT. Hence with every request, you will see a delay with report generation.

- Until 2.2, even the scheduled reports are run from the PMnT node only. This changed from 2.3 onward. I believe this is the reason why the read-only keyword was added. I will work with the documentation team to make it clear.

- Another aspect to consider is that there is data loss on PMnT when it's down. If we do not promote the Secondary MnT to Primary, then once the PMnT is back up, reports will not contain the information for the downtime period, since the PAN will contact PMnT only.

 

Thanks,

Nidhi

 

Thanks for the clarification!

> - Alarms are generated only from PMnT. So if PMnT goes down, you will not get the alarms until the node is down or you promote the SMnT node.

Thanks. But in my lab testing, the Home page still showed some ALARMS while PMnT was down.

[Screenshot: ALARMS.png]

I guess you mean some types of alarms will not appear while PMnT is down. Could you give some examples?

And one more point...

> until the node is down or you promote the SMnT node.

Does this actually mean "until the node is returned"?

> - As I mentioned earlier, PAN always queries PMnT for dashboard data and report generation. If PMnT is down, only then the query is sent to SMnT. Hence with every request, you will see delay with report generation.

Understood. Thanks.

> - Until 2.2, even the scheduled reports are run from PMnT node only. This changed from 2.3 onward. I believe this is the reason why read-only keyword was added. I will work with documentation team to make it clear.

I'm still not sure about the relationship between the "Scheduled report" function and the "read-write/only" term... I look forward to the next update after checking with the doc team.

> - Another aspect to consider is, there is data loss on PMnT when it's down. But if we do not promote the Secondary MnT to Primary, and once the PMnT is back up, reports will not contain the information for the downtime period since PAN will contact PMnT only.

Understood. I suggested that my customer reserve a long maintenance window, back up the operational DB from the secondary, and load the DB into the new primary before registering the new PMnT during the maintenance time.

 

 

I checked with the Engineering team, and alarms are generated from both PMnT and SMnT.

If PMnT is down, SMnT detects that the node has been down based on the syslogs and starts triggering the alarm.

However, there is a slight delay until the secondary node detects that the primary is down, and you might see some alarms missing.

Regarding the Read-Write/read-only wording in the Config Guide, we are working with the documentation team to have a better explanation in the document.

Hi,

<Removed some statements because the above response about alarms from Nidhi was updated>

 

BTW, could you tell me about the alarm implementation?

 

> SMnT detects that the node has been down based on the syslogs and starts triggering the alarm.

 

Does "triggering the alarm" mean the alarm is fired to the pPAN and the pPAN stores the historical alarm data?

Or are all alarms for all nodes stored in the MnT like report data, with the PAN querying alarm data whenever a user opens the alarm dashlet?

 

 

 

 

Hi Nidhi,

 

Thanks for looking into this issue. I just wanted to know if there are any updates on this since the customer requested an update from Cisco.

 

 

 

Taken offline !
