cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2706
Views
5
Helpful
6
Replies

Health Check Node within Base licenses? Roadmap question

Flavio Costa
Cisco Employee
Cisco Employee

Hi ISE experts,

  Health Check Node functionality (providing automatic promotion of Secondary ISE to Primary in failure circumstance) will at some stage be integrated into the base ISE functionality?

  In a 2 node environment where all the processes are on these 2 in A/S configuration, it’s a relatively large cost to go for HCN… and if you want resilient HCN nodes, then its double the cost of the manual approach.

Thanks,

Flavio Costa

1 Accepted Solution

Accepted Solutions
6 Replies 6

Arne Bier
VIP
VIP

I would love to see an engineering document from the BU that explains (with some diagrams) how this concept is designed to work, taking into account the various failure components (PAN node failure, inter-PAN link failure, etc.)

In my view, health checking with a two node setup (both of whom are candidates) can get tricky, because when there is a split brain scenario, then either node can promote itself to be the primary (imagine that Node A doesn't hear from Node B - then it thinks, I am the master  - and vice versa). This would arise if both nodes were actually perfectly healthy, but the network link between them gets cut - then they run blind.

A third node provides a concept where we can observe the situation from an outsider's view to determine who is alive or not.  This is why we would nominate a MnT node to be a health checker.

One might argue that failover can and does work with two nodes (e.g. HSRP/VRRP etc) and if one were to place priority values then one doesn't need an external health checker.  Would be good to hear from the BU :-)

Arne, thanks for your input, +1 for a doc that explains this concept. I couldn't find anything in our data base, like Cisco Live presentations for instance.

A 2 node deployment with automatic PAN failover is not supported

You would need at least 3 nodes

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID59

Craig hyps cisco live for scalability and high availability

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=89293&tclass=popup

Slide 225

Jason Kunst
Cisco Employee
Cisco Employee

We don't discuss roadmap question in the public forum. I understand the original ask is to include automatic failover in a base deployment. Please don't confuse this with base licensing. The automatic failover is included in the base licensing. The confusion is a small (base) deployment you can only have 2 nodes max, its a standalone with high availability. No you cannot deploy automatic failover and understand its a cost to have another node and since its external PSN it requires more resources on the PAN/MNT per the deployment guidelines

If you would like to see this functionality in this type of deployment please reach out through your sales channel to our ISE product management team

Cisco Identity Services Engine Installation Guide, Release 2.2 - Network Deployments in Cisco ISE [Cisco Identity Servi…

Jason, thank you very much for your inputs! Very helpful!!