Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2691
Views
5
Helpful
6
Replies

Health Check Node within Base licenses? Roadmap question

Go to solution
Flavio Costa
Cisco Employee
Cisco Employee

‎07-31-2017 07:53 AM

Hi ISE experts,

  Health Check Node functionality (providing automatic promotion of Secondary ISE to Primary in failure circumstance) will at some stage be integrated into the base ISE functionality?

  In a 2 node environment where all the processes are on these 2 in A/S configuration, it’s a relatively large cost to go for HCN… and if you want resilient HCN nodes, then its double the cost of the manual approach.

Thanks,

Flavio Costa

1 Accepted Solution

Accepted Solutions
6 Replies 6

Go to solution
Arne Bier
VIP
VIP

‎07-31-2017 04:56 PM

I would love to see an engineering document from the BU that explains (with some diagrams) how this concept is designed to work, taking into account the various failure components (PAN node failure, inter-PAN link failure, etc.)

In my view, health checking with a two node setup (both of whom are candidates) can get tricky, because when there is a split brain scenario, then either node can promote itself to be the primary (imagine that Node A doesn't hear from Node B - then it thinks, I am the master  - and vice versa). This would arise if both nodes were actually perfectly healthy, but the network link between them gets cut - then they run blind.

A third node provides a concept where we can observe the situation from an outsider's view to determine who is alive or not.  This is why we would nominate a MnT node to be a health checker.

One might argue that failover can and does work with two nodes (e.g. HSRP/VRRP etc) and if one were to place priority values then one doesn't need an external health checker.  Would be good to hear from the BU :-)

Go to solution
Flavio Costa
Cisco Employee
Cisco Employee
In response to Arne Bier

‎08-01-2017 05:35 AM

Arne, thanks for your input, +1 for a doc that explains this concept. I couldn't find anything in our data base, like Cisco Live presentations for instance.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Flavio Costa

‎08-01-2017 06:38 AM

A 2 node deployment with automatic PAN failover is not supported

You would need at least 3 nodes

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID59

Craig hyps cisco live for scalability and high availability

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89293&tclass=popup

Slide 225

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎08-01-2017 07:17 AM

We don't discuss roadmap question in the public forum. I understand the original ask is to include automatic failover in a base deployment. Please don't confuse this with base licensing. The automatic failover is included in the base licensing. The confusion is a small (base) deployment you can only have 2 nodes max, its a standalone with high availability. No you cannot deploy automatic failover and understand its a cost to have another node and since its external PSN it requires more resources on the PAN/MNT per the deployment guidelines

If you would like to see this functionality in this type of deployment please reach out through your sales channel to our ISE product management team

Cisco Identity Services Engine Installation Guide, Release 2.2 - Network Deployments in Cisco ISE [Cisco Identity Servi…

Go to solution
Flavio Costa
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎08-01-2017 09:10 AM

Jason, thank you very much for your inputs! Very helpful!!

0 Helpful
Customers Also Viewed These Support Documents