Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2704
Views
7
Helpful
4
Replies

ISE failover Questions

Go to solution
Steven Williams
Level 4
Level 4

‎11-26-2018 11:57 AM

When I have two ISE nodes and they are set to primary and secondary on Admin, Monitoring, and Policy how does failover work with this? do I need to create a PAN failover group and add each one to it and enable failover? 

 

When I start adding ISE servers to radius servers do I have to list both IP addresses of the ISE Servers?

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎11-26-2018 12:08 PM

It is different for each persona:

 

  1. Admin- in a two node deployment this is active/passive.  If the primary admin fails you would need to go to the GUI of the secondary to promote it to be the primary.  At that point the services will restart and authentication would be disrupted.  If you have more than two nodes you can configure automatic failover.
  2. Monitoring- always active/active.  All ISE nodes log to both monitoring nodes simultaneously. If the primary monitoring node goes down the Admin persona will automatically start pulling data from the other monitoring node. 
  3. PSN- always active and you decide how you use them by how you point your network devices at them.  You might say wired will be PSN #1 first then PSN #2 and wireless PSN #2 first then PSN #1.

View solution in original post

4 Replies 4

Go to solution
paul
Level 10
Level 10

‎11-26-2018 12:08 PM

It is different for each persona:

 

  1. Admin- in a two node deployment this is active/passive.  If the primary admin fails you would need to go to the GUI of the secondary to promote it to be the primary.  At that point the services will restart and authentication would be disrupted.  If you have more than two nodes you can configure automatic failover.
  2. Monitoring- always active/active.  All ISE nodes log to both monitoring nodes simultaneously. If the primary monitoring node goes down the Admin persona will automatically start pulling data from the other monitoring node. 
  3. PSN- always active and you decide how you use them by how you point your network devices at them.  You might say wired will be PSN #1 first then PSN #2 and wireless PSN #2 first then PSN #1.

Go to solution
Nadav
Level 7
Level 7
In response to paul

‎11-26-2018 12:28 PM

Good answer,

 

I'll just add that for Admin failover the primary doesn't automatically become the active node once it's up. You'll need to promote the primary node yourself. 

 

For MnT persona the primary preempts back to working with the active PAN, so no need to promote anything.

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to paul

‎12-11-2018 12:04 PM

So when you add the secondary IP address to the AAA server group within the ASA there is no way to test the secondary node because its not responding to requests until its promoted to primary?
0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to Steven Williams

‎12-11-2018 09:53 PM

Requests are handled by PSN nodes, not PAN or MnT. PSN nodes are always active, so you should be getting a reply from any of the PSN nodes assuming the right persona, protocols and policy are in place.

0 Helpful
Customers Also Viewed These Support Documents