
ISE failover impact

hussainmajeed87
Level 1

Hello,

We had a power outage last week and the primary ISE went down, but the secondary didn't kick in, so we had to promote it to primary manually; the process took 1 hour and 30 minutes for the services to come back to running mode.

We faced some RAM issues on the secondary server and it was slow to come back online.

So, after the outage, the primary came back online but it is showing as having the secondary role.

In case we need to push it back to primary, my questions are:

  • How long is the failover going to take?
  • What is the impact?
  • As the second server is running, will authentication/clients/TACACS get disconnected or fail?

Current services are:

Node-1 - Primary - (Role: Secondary)

Node-2 - Secondary - (Role: Primary)

Accepted Solution

Please see my earlier reply for details on impact.

As long as one server is active (and assuming your network access devices are correctly configured to use both PSNs for AAA services) end users should not be affected during failover.

Update: I believe the 2-node scenario will result in both PSNs being unavailable for a period. In that case, new authentications will not be possible until one of the PSNs comes back up.

The process takes about 15-20 minutes. If I were planning a maintenance window, I would plan for an hour or two and hope to finish early.

7 Replies

What version of ISE are you running?

If you go to Administration > System > Deployment and then click on PAN Failover, is the Enable Auto PAN Failover button selected? If not, select it, fill out the required fields and click Save. Your PAN and MnT nodes should then fail over automatically.

--
Please remember to select a correct answer and rate helpful posts

We are running on 2.6.0.156

I have checked the PAN, and PAN auto-failover is not enabled; that could be the reason why it didn't fail over automatically.

In case we need to push it back to primary, my questions are:

  • How long is the failover going to take?
  • What is the impact?
  • As the second server is running, will authentication/clients/TACACS get disconnected or fail?


Thank you, Marvin, we will try it and share the result.

Thank you, Marvin, it worked but it took more time than what you mentioned for syncing and initiating.

Between 45 minutes and 1 hour to move back to the primary.

Marvin Rhoads
Hall of Fame

@Marius Gunnerud don't we need a third node to monitor PAN health in order to perform automatic failover? The OP indicated he has only a 2-node deployment.

Even with automatic failover using a third node there is no concept of preemption so failback has to be done manually.

If the deployment is 2 nodes, the PSN role should be running on both and a failover or failback should only take place on one unit at a time so the other PSN persona should always be available to service new authentications.

Also see this good article:

https://bluenetsec.com/promote-ise-secondary-pan-to-become-the-primary/
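Marvin's point that the network access devices must be configured to use both PSNs is what keeps authentications flowing while one node is promoted or demoted. As an added illustration that is not part of this thread or of any Cisco documentation, here is a Cisco IOS/IOS-XE switch AAA configuration that points RADIUS (802.1X/MAB) and TACACS+ (device administration) at both PSNs with dead-server detection, and goes one step beyond the thread with the legacy-style critical-authentication commands for the case described in the accepted solution's update, where both PSNs are briefly unavailable. The node addresses (10.0.0.11 / 10.0.0.12), server object names, shared-secret placeholders, interface and VLAN 99 are constructed values for the example.

```cisco
! Added example, not from the thread: redundant AAA pointing at both ISE PSNs.
! Constructed placeholders: 10.0.0.11 / 10.0.0.12 (PSN addresses), shared secrets, VLAN 99.
aaa new-model

! Define each PSN as a RADIUS server object
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key <shared-secret-1>
radius server ISE-PSN-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key <shared-secret-2>

! Mark a server dead after 10 seconds / 3 tries so the switch stops waiting on a down PSN
radius-server dead-criteria time 10 tries 3

! Group both PSNs; deadtime keeps a dead server out of rotation for 5 minutes
aaa group server radius ISE-PSNS
 server name ISE-PSN-1
 server name ISE-PSN-2
 deadtime 5

! Same pair for TACACS+ (device administration)
tacacs server ISE-PSN-1
 address ipv4 10.0.0.11
 key <shared-secret-1>
tacacs server ISE-PSN-2
 address ipv4 10.0.0.12
 key <shared-secret-2>
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
 server name ISE-PSN-2

! Network access AAA uses the RADIUS group; device admin falls back to local
! credentials only if every server in the TACACS+ group is unreachable
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local

! Legacy (IBNS 1.0) critical-auth handling on an access port: if both PSNs are dead,
! place the port in VLAN 99 instead of blocking it, and re-initialize when a PSN returns
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
```

With this in place, a failover or failback that touches one node at a time leaves the other PSN answering RADIUS and TACACS+ as Marvin describes; the critical-auth lines only matter in the window where neither PSN responds.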

That is correct @Marvin Rhoads, a third node needs to be present to monitor heartbeats. Overlooked the two-node setup.

--
Please remember to select a correct answer and rate helpful posts