Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
864
Views
0
Helpful
1
Replies

High-Availability when using SXP with SGACLs on Branch routers

Go to solution
rmueller@cisco.com
Cisco Employee
Cisco Employee

‎08-13-2018 04:46 AM - edited ‎03-11-2019 01:48 AM

Hi all,

my customer has the following question: They would like to use TrustSec also on Branch Routers (ISR 4k actually) by using SGACLs. The branch router is aquiring IP-SGT mappings via SXP from ISE. Their question is now how to ensure the service if the Branch router is loosing SXP connection to ISE. Is there a way to keep the current learned mappings until SXP-connection is beeing restored? What is the best practice here?

thanks in advnace.

Roland

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎08-13-2018 06:11 AM

Hi Roland,

you're right, if the connection to ISE is lost then by default the mappings will be deleted off the router after 2 minutes.

The normal HA method is to replicate mappings across ISE SXP personas and send mappings from both personas to the router. However, if connectivity to both ISE personas is lost then you have the same problem.

 

If a listener detects the connection going down then delete hold down timer starts (2 minutes). The bindings will be retained till the delete hold down timer expires. This value is not configurable.

One way to retain the bindings is by disabling the SXP keep-alive mechanism or by configuring a high value for the connection hold-time. However in this case if the SXP connection goes down then that will not be detected immediately or not detected at all.

 

Regards, Jonothan.

 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎08-13-2018 06:11 AM

Hi Roland,

you're right, if the connection to ISE is lost then by default the mappings will be deleted off the router after 2 minutes.

The normal HA method is to replicate mappings across ISE SXP personas and send mappings from both personas to the router. However, if connectivity to both ISE personas is lost then you have the same problem.

 

If a listener detects the connection going down then delete hold down timer starts (2 minutes). The bindings will be retained till the delete hold down timer expires. This value is not configurable.

One way to retain the bindings is by disabling the SXP keep-alive mechanism or by configuring a high value for the connection hold-time. However in this case if the SXP connection goes down then that will not be detected immediately or not detected at all.

 

Regards, Jonothan.

 

0 Helpful
Customers Also Viewed These Support Documents