ISE HA scenario

jinapark
Cisco Employee

Hello Experts!

I would like to understand how ISE HA works in a Standalone deployment (all services in a single node) when it is geographically separated. For example, Primary in DC-1 and Secondary in DC-2, and they didn't deploy the health check node.

 

In an extreme case, let's say we lose the connectivity between the DCs; what will happen in the DCs? As this is a manual failover design, DC-1 will work as usual, but what about DC-2? As far as I know, we can't activate the secondary PAN, but we can use the secondary PSN service meanwhile. Could you let me know what will happen in DC-2?

 

Any comments would be appreciated!

 

Thanks,

 

Jina

Accepted Solution

That is essentially correct. Both PSNs are functional in the 2-node (all persona) deployment. A health check node is not supported in this setup. If the node with the Primary PAN fails, then you need to promote the secondary. There is no requirement for the failed PAN to be reachable to promote the secondary, as that is the expected scenario.



ognyan.totev
Level 5

In my deployment I have 2 nodes: 1 in DC1 and the other in DC2.

ISE1 in DC 1: primary administration, etc.

ISE2 in DC 2: secondary administration, etc.

If the connection in DC2 goes down or fails for any reason, all authentication etc. will pass through ISE1.

If the connection in DC1 fails, I must manually promote ISE2 to be the primary administration node.


macayubi
Level 1

How about for this scenario:

1) ISE 1 (Primary PAN/MNT, PSN) @ DC 1 while ISE 2 (Secondary PAN/MNT, PSN) @ DC 2 -> connected via MPLS

2) NADs located at DC 1 will be served by ISE 1 with ISE 2 as the secondary PSN, then vice versa for the NADs @ DC 2

Worst case, if all links between the DCs go down but both ISE 1 and 2 are still up, will the PSN @ DC 2 still accept RADIUS auth requests? What will happen with posture checking?

If a NAD has reachability to a functioning PSN, then it can send auth requests. PSNs do not discriminate which NADs can talk to them, provided the NAD is authorized (configured in ISE with the correct keys) and the authorization policy allows it (which it does by default). However, if the PSN cannot reach the Primary PAN due to PAN failure or a network outage, then some services will be limited or fail. For example, Posture requires the PAN to be reachable or will fail due to the requirement to write data to the endpoint database. This is covered in the ISE documentation.
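As an added illustration of the reachability point above (this is example NAD configuration written for this thread, not something posted by any participant or taken from Cisco documentation; the IOS-XE commands are real, but the server names, the 10.1.1.10 / 10.2.1.10 addresses, the probe username and the shared secret are made-up placeholders), here is how a DC-1 switch would prefer its local PSN and fall back to the DC-2 PSN, with dead-server detection so it stops waiting on a PSN that became unreachable when the inter-DC link dropped:

```ios
! DC-1 access switch: local PSN (ISE1) first, remote PSN (ISE2) as fallback.
! A DC-2 switch uses the same template with ISE2-DC2 listed first.
radius server ISE1-DC1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
 ! Periodic Access-Request probe; an Access-Reject still proves the PSN is alive.
 automate-tester username radius-probe ignore-acct-port probe-on
!
radius server ISE2-DC2
 address ipv4 10.2.1.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
 automate-tester username radius-probe ignore-acct-port probe-on
!
! Mark a server dead after 3 unanswered tries within 5 seconds,
! and skip it for 10 minutes before retrying it.
radius-server dead-criteria time 5 tries 3
!
aaa group server radius ISE-DC1
 server name ISE1-DC1
 server name ISE2-DC2
 deadtime 10
!
aaa authentication dot1x default group ISE-DC1
aaa authorization network default group ISE-DC1
aaa accounting dot1x default start-stop group ISE-DC1
```

Both PSNs must have this switch defined under Network Devices with the same shared secret; that object is created on the Primary PAN and replicated, so it has to exist before the inter-DC link fails. Once the link is down, a DC-2 switch marks ISE1 dead and authenticates against ISE2 alone, which still answers plain 802.1X/MAB, while the PAN-dependent functions named above (posture writes, lease data) are the ones that degrade.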

Thanks Craig. I just went through the admin guide, Cisco Identity Services Engine Administrator Guide, Release 2.2 - Set Up Cisco ISE in a Distributed Environment - Cisc…

It says here that Posture will still work when the Primary PAN goes down and the Secondary PAN is yet to take over. Is this a doc bug?

Ok. Let me clarify. Basic Client Provisioning and Assessment should work. I have not tested in more recent releases to see if writing of Posture fields would actually disrupt posture assessment. Certain functions like Posture Lease would not work (and require a new assessment) since the data must be written and replicated by the P-PAN. In short, you may be good to go, but it is worth testing. I will also ping our posture team for verification and update the thread if there is news to report.

Hi Craig, going back to the scenario above - worst case, when the link between the P-PAN and S-PAN goes down. Can I go to my S-PAN and promote it as another P-PAN to serve its PSN (standalone deployment) and to serve RADIUS requests within its DC location?

In that case, the original P-PAN is still up and running; would it then be possible to have two P-PANs at the same time, given that there are no communication links between the PANs?

Design:

1) ISE 1 (Primary PAN/MNT, PSN) @ DC 1 while ISE 2 (Secondary PAN/MNT, PSN) @ DC 2 -> connected via MPLS

2) NADs located at DC 1 will be served by ISE 1 with ISE 2 as the secondary PSN, then vice versa for the NADs @ DC 2

We do not support split-brain operation, and TAC would not support it. If both nodes continued to be active, then you would have issues when the link is re-established until you reboot one of the boxes. Also, any changes and log data would not be synced after reconnect.

Alright, thanks!

Hello Craig,

I got a request from a Customer to enable automatic failover in their network. And as per the document below (at the bottom of this post), it is mentioned that it is supported on the PAN in a distributed deployment.

Does Automatic failover still work if the customer is using Primary (PAN+MNT) & Secondary (PAN+MNT)?

Cisco Identity Services Engine Administrator Guide, Release 2.1 - Set Up Cisco ISE in a Distributed Environment [Cisco …

I do not see any mention of deploying this on a node where the PAN (Administration) function is running. In the first couple of paragraphs it clearly states that you cannot support PAN Auto-Failover with only two nodes (as each will have the PAN function) and must use a non-admin node to perform the health check feature...

"Automatic failover requires a non-administration secondary node, which is called a health check node. The health check node checks the health of the Primary PAN. If the health check node detects that the Primary PAN is down or unreachable, the health check node initiates the promotion of the Secondary PAN to take over the primary role.

To deploy the auto-failover feature, you must have at least three nodes, where two of the nodes assume the Administration persona, and one node acts as the health check node. A health check node is a non-administration node and can be a Policy Service, Monitoring, or pxGrid node, or a combination of these. If the PANs are in different data centers, you must have a health check node for each PAN."

Hi Craig,

Thanks for your reply.

Sorry for the confusion. My question is a little different.

Customer is using Primary PAN+MNT=1 Node, Secondary PAN+MNT=1 Node & 3 x PSN Node.

Can we use any of the current PSNs as a Health Check Node to monitor the above Primary & Secondary PAN+MNT nodes, since they are also running the MNT persona along with the Admin persona?

Thanks

Shivaprasad Gudsi

Yes, one of the PSNs (or two for DC HA) can be used as health check nodes.