Inquiry: Cisco ISE distributed deployment failover

Bennett Yeung
Level 1

Dear Experts,

I am deploying a Cisco ISE distributed deployment with 3 x ISE: ise01 is the primary PAN, MnT, PSN node; ise02 is the secondary PAN, MnT, PSN node; ise03 is the health check, PSN node. I also configured guest access with hotspot, 3 x policy sets for the landing page, and ensured that all 3 x policy sets are working. But when I was doing the failover test (disconnected ise01), the already authenticated devices could keep their wifi connection, but a new device could not connect to the guest wifi; we needed to wait about 20 minutes for new device authentication to resume, until the ise02 admin portal resumed. May I know if this is normal behavior?

I can find the Cisco document giving the failover time for the PAN as 20 minutes, but I would like to ask whether the failover time for the guest authentication service also needs 20 minutes?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID57

Automatic Failover to the Secondary PAN: You can configure ISE to automatically promote the secondary PAN when the primary PAN becomes unavailable. The configuration is done on the primary administrative node (Primary PAN) on the Administration > System > Deployment page. The failover period is defined as the number of times configured in Number of Failure Polls Before Failover times the number of seconds configured in Polling Interval. With the default configuration, that time is 10 minutes. Promotion of the secondary PAN to primary takes another 10 minutes. So by default, the total time from primary PAN failure to secondary PAN working is 20 minutes.


Thanks.

Accepted Solution

Colby LeMaire
VIP Alumni

If you are talking about authentication of a normal user that has already been created, then that is not normal.  Check your Radius timeout settings on the WLC to ensure it fails over to the secondary PSN if it doesn't get a response from the first PSN.  If you lose the Primary Admin node, it should not affect authentication.  The Primary Admin node is only needed for adding new accounts or new devices to the database.  When the Primary Admin is down, the PSN's continue to authenticate clients based on the existing database.

Hi Colby,

Thanks for your reply. Since it is guest wifi with a hotspot deployment, it is normal that the devices which had already authenticated kept working. But for the new devices that cannot connect to the guest wifi, per your reply, I think it is normal, right?

The way that I think of it is that the Primary Admin is the only node that has a writable copy of the database.  All other nodes have a read-only version of the database.  So if the Primary Admin is down, then no new information can be added to the database.  This includes new Guest users that haven't already been created.  But anything that was in the database before the failure will continue to work.  
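
The distinction Colby draws (reads served by any live PSN, writes blocked until a writable PAN exists) and the WLC RADIUS failover he asks the poster to check can be put into a small model. This is a constructed example for this thread, not Cisco ISE code: the node roles follow the poster's deployment, the 10 + 10 minute PAN timings come from the quoted guide, and the WLC RADIUS timeout and retry values are assumptions.

```python
"""Constructed model of PAN/PSN failover behaviour for a hotspot guest flow.
Not Cisco ISE code: roles and timings are simplified, and the RADIUS
timeout/retry values below are assumptions, not product defaults."""
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    roles: frozenset   # subset of {"PAN", "MnT", "PSN"}
    up: bool = True

@dataclass
class Deployment:
    nodes: list
    primary_pan: str
    detect_s: int = 600        # failure polls x polling interval; 10 min default per the guide
    promote_s: int = 600       # promotion of the secondary PAN; another 10 min per the guide
    radius_timeout_s: int = 5  # assumed WLC per-request RADIUS timeout
    radius_retries: int = 2    # assumed WLC retransmit count per server
    known_endpoints: set = field(default_factory=set)

    def writable_pan(self, t_since_failure_s: int):
        """Node holding the writable config DB at time t, or None while failover is pending."""
        primary = next(n for n in self.nodes if n.name == self.primary_pan)
        if primary.up:
            return primary.name
        if t_since_failure_s >= self.detect_s + self.promote_s:
            return next((n.name for n in self.nodes if "PAN" in n.roles and n.up), None)
        return None

    def authenticate(self, mac: str, t_since_failure_s: int = 0):
        """Hotspot guest auth. Returns (result, seconds the client waited on dead servers)."""
        waited = 0
        for psn in (n for n in self.nodes if "PSN" in n.roles):   # WLC server list order
            if not psn.up:                                          # dead server: every retry times out
                waited += self.radius_timeout_s * (1 + self.radius_retries)
                continue
            if mac in self.known_endpoints:                         # read-only lookup works on any PSN
                return f"accept via {psn.name}", waited
            pan = self.writable_pan(t_since_failure_s)              # a new endpoint must be written
            if pan is None:
                return f"reject via {psn.name}: no writable PAN", waited
            self.known_endpoints.add(mac)
            return f"accept via {psn.name}, registered on {pan}", waited
        return "reject: no PSN answered", waited

def build():
    """The poster's deployment: two PAN/MnT/PSN nodes plus a PSN-only node."""
    return Deployment(nodes=[Node("ise01", frozenset({"PAN", "MnT", "PSN"})),
                             Node("ise02", frozenset({"PAN", "MnT", "PSN"})),
                             Node("ise03", frozenset({"PSN"}))], primary_pan="ise01")
```

With ise01 down, a known endpoint is accepted by ise02 after the assumed 15 s of RADIUS timeouts, while a new endpoint is rejected until the 20 minute promotion window has passed; if that 15 s exceeds the client's own supplicant timeout, the WLC values are what need tuning.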

Damien Miller
VIP Alumni
Officially speaking, a three-node deployment such as this is not BU tested and supported. Not that it won't work, but it's assumed you will either have 2 nodes hosting all roles or, in a hybrid 3+ node deployment, that you will only run the PAN/MnT role on two of the nodes.

I personally wouldn't enable PAN failover on a 2 node deployment, or on any deployment where you are relying on your PAN nodes to also authenticate endpoints (PSN enabled). Impact is something I would want to plan for.
