Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3526
Views
0
Helpful
8
Replies

ISE Auto Failover

Go to solution
Jason Maynard
Cisco Employee
Cisco Employee

‎01-08-2019 05:16 AM

I want to confirm this is still true today with 2.4

https://community.cisco.com/t5/identity-services-engine-ise/pan-auto-failover-for-2-ise/td-p/3512753

 

I require automatic failover for guest/sponsorship services and currently running in standalone mode.

 

It appears that the minimum deployment mode in this case is medium. Example: 

  • PAN/MNT Primary (DC1)
  • PAN/MNT Secondary (DC2)
  • PSN1 (DC1)
  • PSN2 (DC2)

 

PSNs also acting as health check boxes for their respective DC.

 

Can I get confirmation?

 

Also, based on the timers are we looking at best time for guest services to be available during auto failover is 20 minutes?

 

Thanks 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-08-2019 06:37 AM

I assume you’re talking about PAN auto failover correct? Correct minimum deployment requires PAN/MNT on their own boxes and PSN outside of this deployment to monitor. See sizing guide.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-000000b1

see here for what’s available when the PAN is down
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

The default times should be fine.

View solution in original post

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Jason Maynard

‎01-08-2019 03:24 PM

Regarding the timers, I don't know if there is enough field experience to answer this reliably, but let's be clear about what this Automatic PAN failover is for.  If the PAN fails, then Guests will still get to the guest portal and MAB etc will still work.  The urgency is around the Sponsor Portal because that will be unavailable while the PAN is not running 100%.  That's the only issue as far as I know.  How quickly do you need the Sponsor portal back up?  20min sounds reasonable.  Why not make it more aggressive?  Because if the PAN is restarted intentionally (or there is a transient LAN failure), then you don't want to Auto failover to kick in and start causing havoc.  Leave yourself some room.  Remember that this mechanism causes the Standby to restart - that is not fast. So you want to avoid that if it's not required.

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-08-2019 06:37 AM

I assume you’re talking about PAN auto failover correct? Correct minimum deployment requires PAN/MNT on their own boxes and PSN outside of this deployment to monitor. See sizing guide.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-000000b1

see here for what’s available when the PAN is down
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID59

The default times should be fine.
0 Helpful

Go to solution
Jason Maynard
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎01-08-2019 11:46 AM

Just to be clear - 

 

Multiple DCs I would required a medium deployment 

  • PAN/MNT Primary (DC1)
  • PAN/MNT Secondary (DC2)
  • PSN1 (DC1)
  • PSN2 (DC2)

Each PSN acting as a health check node for their respective DC PAN/MNT as well as PSN

 

Single DC is this supported

  • PAN/MNT Primary (DC1)
  • PAN/MNT Secondary (DC1)
  • PSN1 (DC1)

Single PSN acting as a health check node for their respective DC PAN/MNT as well as PSN.

 

Also, with the timers - can I tweak them to reduce the overall time to failover? Recommended?

 

Thanks,
Jason

 

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Jason Maynard

‎01-08-2019 03:24 PM

Regarding the timers, I don't know if there is enough field experience to answer this reliably, but let's be clear about what this Automatic PAN failover is for.  If the PAN fails, then Guests will still get to the guest portal and MAB etc will still work.  The urgency is around the Sponsor Portal because that will be unavailable while the PAN is not running 100%.  That's the only issue as far as I know.  How quickly do you need the Sponsor portal back up?  20min sounds reasonable.  Why not make it more aggressive?  Because if the PAN is restarted intentionally (or there is a transient LAN failure), then you don't want to Auto failover to kick in and start causing havoc.  Leave yourself some room.  Remember that this mechanism causes the Standby to restart - that is not fast. So you want to avoid that if it's not required.

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎01-08-2019 03:34 PM

Yes agree with Arne. Leave alone . Also have 2 PSNs for redundancy
0 Helpful

Go to solution
Jason Maynard
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎01-08-2019 03:41 PM

Hey Jason

 

Would 3 be a supported solution 2x PAN/MNt and 1xPSN? Just want to have all the options available - I realize that 2x PSN provides redundancy for policies and health checks but need to be clear what min is supported 

0 Helpful

Go to solution
Jason Maynard
Cisco Employee
Cisco Employee
In response to Arne Bier

‎01-08-2019 03:36 PM

Thanks on the timers. Just need confirmation on the examples single vs. Dual DCs 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Jason Maynard

‎01-08-2019 03:42 PM

They’re fine but make sure to have minimum 2 psns separate from the PAN/MNT in either scenario
0 Helpful
Customers Also Viewed These Support Documents