
ISE failover

jhager001
Level 1

Hello,

I have an HA pair of Cisco ISE VM boxes. Somewhere along the timeframe of the past two days, ISE-01 has disassociated itself from our Active Directory while ISE-02 remained connected. This in turn broke our TACACS and Wireless authentication across the board as it wasn't reading Active Directory anymore...

I want to know if anyone knows how this happened, or where to look to find out. 

and

Why didn't ISE-02 pick up as primary authentication when ISE-01 became disassociated... I'm assuming it didn't take over the roles because ISE-01 was still functioning, just not connected to Active Directory... 


Marvin Rhoads
Hall of Fame

As long as the PSN role on your primary server was responding to RADIUS requests, the NAD would not try to use the secondary PSN. There's no actual check that the external identity store is reachable in determining if failover should happen.

What version of ISE are you running? ISE 1.4+ is a whole lot better with respect to keeping connected to AD.