01-17-2018 04:32 AM
Hello Experts!
I would like to understand how ISE HA works in a standalone deployment (all services in a single node) when it is geographically separated. For example, Primary in DC-1 and Secondary in DC-2, and they did not deploy the health check node.
In an extreme case, let's say we lose the connectivity between the DCs; what will happen in the DCs? As this is a manual failover design, DC-1 will work as usual, but what about DC-2? As far as I know, we can't activate the secondary PAN, but we can use the secondary PSN service meanwhile. Could you let me know what will happen in DC-2?
Any comments would be appreciated!
Thanks,
Jina
01-17-2018 05:46 AM
In my deployment I have 2 nodes: 1 in DC1 and the other in DC2.
ISE1 in DC1: primary administration, etc.
ISE2 in DC2: secondary administration, etc.
If the connection in DC2 goes down or fails for any reason, all authentication, etc. will pass through ISE1.
If the connection in DC1 fails, I must manually promote ISE2 to be the primary administration node.
01-17-2018 06:02 AM
That is essentially correct. Both PSNs are functional in the 2-node (all persona) deployment. A health check node is not supported in this setup. If the node with the Primary PAN fails, then you need to promote the secondary. There is no requirement for the failed PAN to be reachable to promote the secondary, as that is the expected scenario.
01-17-2018 06:36 AM
How about for this scenario:
1) ISE 1 (Primary PAN/MNT, PSN) @ DC 1 while ISE 2 (Secondary PAN/MNT, PSN) @ DC 2 -> connected via MPLS
2) NADs located at DC 1 will be served by ISE 1 with ISE 2 as the secondary PSN, then vice versa for the NADs @ DC 2
Worst case, if all links between the DCs go down but both ISE 1 and 2 are still up, will the PSN @ DC 2 still accept RADIUS auth requests? What will happen with posture checking?
01-17-2018 06:47 AM
If a NAD has reachability to a functioning PSN, then it can authenticate requests. PSNs do not discriminate which NADs can talk to them provided the NAD is authorized (configured in ISE with correct keys) and the authorization policy allows it (which it does by default). However, if the PSN cannot reach the Primary PAN due to PAN failure or network outage, then some services will be limited or fail. For example, Posture requires the PAN to be reachable or will fail due to the requirement to write data to the endpoint database. This is covered in ISE documentation.
01-17-2018 07:00 AM
Thanks Craig. I just went through the admin guide, Cisco Identity Services Engine Administrator Guide, Release 2.2 - Set Up Cisco ISE in a Distributed Environment - Cisc…
It says here that Posture will still work when Primary PAN goes down and the Secondary PAN is yet to take over.. is this a doc bug?
01-17-2018 07:24 AM
Ok. Let me clarify. Basic Client Provisioning and Assessment should work. I have not tested in more recent releases to see if writing of Posture fields would actually disrupt posture assessment. Certain functions like Posture Lease would not work (and require new assessment) since the data must be written and replicated by the P-PAN. In short, you may be good to go, but it is worth testing. I will also ping our posture team for verification and update the thread if there is news to report.
01-23-2018 08:21 AM
Hi Craig, going back to the scenario above - worst case, when the link between the P-PAN and S-PAN goes down. Can I go to my S-PAN and promote it as another P-PAN to serve its PSN (standalone deployment) and to serve RADIUS requests within its DC location?
In that case, original P-PAN is still up and running, would it then be possible to have two P-PANs at the same time given that there's no communication links between the PANs?
Design:
1) ISE 1 (Primary PAN/MNT, PSN) @ DC 1 while ISE 2 (Secondary PAN/MNT, PSN) @ DC 2 -> connected via MPLS
2) NADs located at DC 1 will be served by ISE 1 with ISE 2 as the secondary PSN, then vice versa for the NADs @ DC 2
01-23-2018 08:36 AM
We do not support a split-brain operation, and TAC would not support it. If both nodes continued to be active, then you would have issues when the link is reestablished until you reboot one of the boxes. Also, any changes and log data would not be synced after reconnect.
01-23-2018 06:27 PM
Alright, thanks!
03-19-2018 12:09 AM
Hello Craig,
I got a request from a customer for enabling automatic failover in their network. And as per the below document (at the bottom of this post) it is mentioned that it is supported on the PAN in a distributed deployment.
Does automatic failover still work if the customer is using Primary (PAN+MNT) & Secondary (PAN+MNT)?
03-19-2018 08:05 AM
I do not see any mention of deploying this on a node where the PAN (Administration) function is running. In the first couple of paragraphs it clearly states that you cannot support PAN Auto-Failover with only two nodes (as each will have the PAN function) and must use a non-admin node to perform the health check feature...
"Automatic failover requires a non-administration secondary node, which is called a health check node. The health check node checks the health of the Primary PAN. If the health check node detects that the Primary PAN is down or unreachable, the health check node initiates the promotion of the Secondary PAN to take over the primary role.
To deploy the auto-failover feature, you must have at least three nodes, where two of the nodes assume the Administration persona, and one node acts as the health check node. A health check node is a non-administration node and can be a Policy Service, Monitoring, or pxGrid node, or a combination of these. If the PANs are in different data centers, you must have a health check node for each PAN."