08-04-2023 01:59 AM
We have to allow SHA1 in ISE. This causes an application restart and therefore we expect a downtime of 10-15 minutes of each node.
The deployment consists of 2 admin nodes and 2 PSNs. Are both PSN nodes restarted at the same time, or is there an order like when installing a patch? If both go down we will definitely need a maintenance window to perform this change.
08-06-2023 12:07 AM
I did this recently and I was logged into the CLI of all of the ISE nodes. When you change the SHA or TLS settings in ISE, you will get a warning in the GUI that all services will restart. And indeed, ALL nodes in the deployment will SIMULTANEOUSLY restart their services. This is a major design flaw but it can't be avoided. I did this change at midnight to be as little disruptive as possible.
But also bear in mind that sessions that are already connected (e.g. switch or WLC or VPN session) will be unaffected by this. The issue is with any NEW sessions or Session Re-authentication - these will fail. And if you have TACACS enabled in ISE, then TACACS will also be dead for a while.
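Since every node restarts at once, the practical question during the window is when each PSN is actually taking new authentications again. The script below is an added example for this thread, not the poster's or Cisco's code: it sends a RADIUS Status-Server probe (RFC 5997) to UDP/1812 and attempts a TCP connect to the TACACS+ port 49 on each PSN, and prints a line every time a node's state changes. The hostnames and shared secret are placeholders. It assumes the PSNs answer Status-Server (if yours do not, a real Access-Request with a dedicated test account does the same job) and that the probing host is in the ISE network device list, because ISE silently drops RADIUS from an unknown NAD.

```python
"""Watch ISE PSNs come back after a settings change restarts their services.

Added example for this thread, not Cisco's or the poster's code. PSN names,
the shared secret and Status-Server support are assumptions, not facts here.
"""
import hashlib
import hmac
import os
import socket
import struct
import time

RADIUS_AUTH_PORT = 1812
TACACS_PORT = 49                 # TACACS+ is TCP, so a handshake is a liveness check
CODE_ACCESS_ACCEPT = 2
CODE_STATUS_SERVER = 12          # RFC 5997
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 s.5.14, mandatory in Status-Server


def build_status_server(secret: bytes, ident: int, authenticator: bytes) -> bytes:
    """Header + one Message-Authenticator attribute.

    Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    header = struct.pack("!BBH", CODE_STATUS_SERVER, ident, 20 + 18) + authenticator
    attr_hdr = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18)
    mac = hmac.new(secret, header + attr_hdr + b"\x00" * 16, hashlib.md5).digest()
    return header + attr_hdr + mac


def message_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """Recompute the Message-Authenticator when it is the packet's last attribute."""
    if len(packet) < 38 or packet[-18] != ATTR_MESSAGE_AUTHENTICATOR or packet[-17] != 18:
        return False
    expected = hmac.new(secret, packet[:-16] + b"\x00" * 16, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])


def response_authenticator(request: bytes, code: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return hashlib.md5(header + request[4:20] + attrs + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """True only for an Access-Accept whose Response Authenticator matches our request."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != CODE_ACCESS_ACCEPT or ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(request, code, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def radius_alive(host: str, secret: bytes, timeout: float = 2.0) -> bool:
    """One Status-Server round trip. ISE only answers NADs it knows, so run this
    from an address in the network device list (or add the monitoring host)."""
    request = build_status_server(secret, os.urandom(1)[0], os.urandom(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, RADIUS_AUTH_PORT))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout is an OSError subclass; so is "unreachable"
            return False
    return verify_response(request, reply, secret)


def tacacs_alive(host: str, timeout: float = 2.0) -> bool:
    """TACACS+ listens on TCP/49 only while the service is up."""
    try:
        with socket.create_connection((host, TACACS_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def poll(psns, secret: bytes, interval: float = 10.0, rounds=None) -> dict:
    """Print each PSN's state changes; stop after `rounds` passes (None = Ctrl-C).
    Returns the final {psn: (radius_up, tacacs_up)} map."""
    state, done = {}, 0
    while rounds is None or done < rounds:
        for psn in psns:
            now = (radius_alive(psn, secret), tacacs_alive(psn))
            if state.get(psn) != now:
                print(f"{time.strftime('%H:%M:%S')} {psn}: RADIUS "
                      f"{'up' if now[0] else 'DOWN'}, TACACS+ {'up' if now[1] else 'DOWN'}")
                state[psn] = now
        done += 1
        if rounds is None or done < rounds:
            time.sleep(interval)
    return state


if __name__ == "__main__":
    # Placeholder PSN names and secret; replace with your own before the change window.
    poll(["psn1.example.com", "psn2.example.com"], b"change-me")
```

Start it a few minutes before clicking Save on the SHA/TLS setting and leave it running; the gap between the DOWN line and the next "up" line for each PSN is the real outage for new authentications, which is what the poster's warning about new sessions and re-authentications refers to. Existing sessions are not probed here because, as noted above, they stay up.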