Solved: ISE Licensing Consumption in Cluster

csco10675262 · ‎12-15-2023

Hi,

I am new to ISE 3.x licensing and like to enquire if there is a 2 node ise setup in cluster HA, I like to ask what would the license be seen if 50 essential is added to primary node and 50 essential is added to secondary node. During normal time, would ISE allow 100 concurrent devices or it is limited to 50 since primary node only have 50 essential license?

I am aware on how ise behave when the primary node becomes offline however not too sure during normal time, would the license on secondary node be counted to the total pool or it is based on primary node license only?

Any suggestion is appreciated

ammahend · ‎12-17-2023

The way I understood is ISE see the license count on Primary only, So if you have 50 licenses on primary and 50 licenses on secondary, ISE see 50 licenses when both systems are running and if primary fails and secondary is promoted to primary ISE still sees 50 licenses but from secondary (now promoted to primary). But that does not mean you must purchase 50+50 licenses if you want to support 50 sessions, once primary fails you get 30 days grace period to rejoin primary before you go out of compliance, if you can not do that then you can release the licenses reserved on original primary and reserve the required licenses on the newly promoted primary.

-hope this helps-

View solution in original post

ammahend · ‎12-15-2023

license are added to a pool in smart licensing portal and consumes on per sesson basis, irrespective of node, so if both primary and secondary have 50 concurrent sessions each then 100 licenses are consumed from pool

-hope this helps-

csco10675262 · ‎12-15-2023

Hi,

Thank you for the reply. Does it still apply even for air-gapped deployment of ISE?

ammahend · ‎12-16-2023

No, it works differently, it required an on-prem smart software manager (ssm) server and specific license reservation, read here for details, table 2 has examples

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_licensing.html#concept_lnz_tmr_h4b

-hope this helps-

csco10675262 · ‎12-17-2023

Hi,

Appreciate for the update. I have read the document yourself had provided however what i dont understand, during normal time when both the primary and secondary ise nodes are running, would ISE sees the license as 50 or 100? Specific license reservation would be applied on primary and secondary ise nodes with each having 50 essential license which i am not too sure if ISE would see 50 or 100 license when both the nodes are running without internet access and SSM?

Anyway i do know for ISE would require twice the license count for seamless failover and without any restriction due to admin read only. It is just for my information on the above scenario if ISE sees 50 or 100 license when both nodes are running without internet and SSM available.

ammahend · ‎12-17-2023

The way I understood is ISE see the license count on Primary only, So if you have 50 licenses on primary and 50 licenses on secondary, ISE see 50 licenses when both systems are running and if primary fails and secondary is promoted to primary ISE still sees 50 licenses but from secondary (now promoted to primary). But that does not mean you must purchase 50+50 licenses if you want to support 50 sessions, once primary fails you get 30 days grace period to rejoin primary before you go out of compliance, if you can not do that then you can release the licenses reserved on original primary and reserve the required licenses on the newly promoted primary.

-hope this helps-

csco10675262 · ‎12-17-2023

Much appreciated on the update. The reason i mention purchase of 50+50 license is exactly like what yourself had mentioned, after 30 days, can always rehost and when the primary node is available again to perform another rehost. As the client environment has operations policies, the purchase of the 50 + 50 license would make more sense to them.

Once again, Thank you for the update