Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
326
Views
10
Helpful
3
Replies

ISE 1.4 Released

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-04-2015 08:08 AM - edited ‎03-10-2019 10:42 PM

For those of you who may not have heard, Cisco has released ISE 1.4. The code was posted on 30 April 2015 and release notes are out today (4 May 2015).

A fair number of enhancements are included. The biggest one that stood out for me is  automatic failover for the Administration persona.

 

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-05-2015 01:09 PM

I upgraded my lab deployment today.

The actual ISE upgrade goes pretty quickly - about 20-25 minutes for a 1.3 installation to complete the application upgrade and restart the services. There are only 12 configuration data upgrade steps - not the 60-70 that were indicated in the Upgrade Guide (that number does apply if you are migrating from pre-1.3 in which case you'd be looking at more like 2 hours per upgrade).

I did discover when drilling down into the newly upgraded deployment that automatic PAN failover requires at least 3 nodes (4 recommended). The reason is that at least one non-admin node needs to be a "health check" node. So...I'm deploying a 3rd node now to check it out.

nspasov
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎05-05-2015 04:10 PM

Thanks for the update Marvin. I also got my lab to 1.4 but haven't had the time to stand up another node to test the automagic failover :) 

On a side note, I would not recommend automatic switchover on a NON-distributed deployment. The process initiates a node restart, thus it can actually affect AAA services. So this should only be enabled on deployment with dedicated M&T nodes.

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to nspasov

‎05-06-2015 05:44 AM

You're welcome, Neno.

I quite agree about the use cases for PAN failover. I'd only advocate this in a deployment with the Primary and Secondary PANs not running the PSN persona.

I was able to test it successfully and it worked as described in the Admin guide. As expected, a node changing from secondary to primary PAN does require an application restart - 4-5 minutes on my lab VM.  When you bring the former primary back online (I did it by reconnecting the VM NIC in vCenter),  It detects the mate has taken over as active and demotes itself to secondary. Reverting it to primary requires manual intervention via the GUI.

0 Helpful
Customers Also Viewed These Support Documents