Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1251
Views
1
Helpful
3
Replies

ISE Monitoring Node Failover

packet2020
Level 1
Level 1

‎09-09-2024 01:52 AM

Hi All,

I'm currently building a new ISE 3.2 distributed deployment that comprises of 2 x dedicated monitoring nodes.

I'm currently testing resiliency and I wanted to check the expected behaviour of when an MnT node fails as I've read a few contridicting documents. Currently when testing a primary MnT failure (by simply disconnecting the primary MnT from the network), all Alarm notifications and system summary status stats (on the summary dashboard) disapear and no RADIUS or TACACS live logs are displayed on the PAN until I manually promote the secondary MnT node to primary.

Is this the expected behaviour as I've read a few documents that state the primary PAN should detect the loss of the primary MnT and start retreiving logs from the secondary MnT automataically without any manual intervention. Is this correct or will the secondary MnT need to be manually promoted to primary to continue service?

Thanks,

3 Replies 3

Aref Alsouqi
VIP
VIP

‎09-09-2024 03:50 AM

Both primary and secondary MnT should receive the same operational logs simultaneously, however the MnTs don't sync with each other. When the primary MnT goes down the secondary MnT will not be promoted automatically to the primary MnT, however, it should still be able to serve the primary PAN to collect the monitoring data without promoting it manually to the primary MnT. I think this will happen after the primary MnT has gone down for more than 5 minutes.

0 Helpful

packet2020
Level 1
Level 1
In response to Aref Alsouqi

‎09-09-2024 04:34 AM

Hi @Aref Alsouqi 

Thanks for the response. I tested this again, and after the primary MnT goes down, no data is collected or displayed on the primary PAN. The primary MnT node has been down for a total of 2 hours now with no change in behaviour. As soon as I promote the seconday MnT to primary, everything starts working again.

This is what is stated in the ISE 3.2 Admin guide. From what I understand, the primary PAN should point to the secondary node to start retrieving monitoring data, but its not clear if this should be automatic, or after the secondary MnT has been prompted to primary.

"Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary MnT nodes collect log messages. If the primary MnT goes down, the primary PAN points to the secondary node to gather monitoring data. But the secondary node will not be promoted to primary automatically."

0 Helpful

Aref Alsouqi
VIP
VIP
In response to packet2020

‎09-09-2024 06:50 AM

You're welcome. I agree, it is not very clear on the documentation how the failover would behave in this case. However, I've just gone through the admin guide and the following highlighted line caught my attention which led me to think that promoting the secondary MnT is a requirement to make it an active node:

ArefAlsouqi_1-1725889753745.png

Cisco Identity Services Engine Administrator Guide, Release 3.2 - Deployment of Cisco ISE [Cisco Identity Services Engine] - Cisco

0 Helpful
Customers Also Viewed These Support Documents