Re: ISE Node locate different DC | DC link disconnect

Da ICS16 · ‎06-10-2024

Dear Community,

We use ISE 3.1

1. Primary Admin Node - DC Secondary site

2. Secondary Node and pxGRID Node - DC Primary site We are planning to perform test ISE functionality to ensure current Node can handle all sessions by disconnect for 1 of DC links.

It mean PAN and Secondary Node no connectivity to each other, assume Secondary Node no connectivity to PAN / down around 3 hours.

Q1: What is the issue if active-active PSN lost connection withing 3 hours, then connection comes back? please share us the best practice.

Q2: Should we de-register both active-active PSN to standalone then connection right back to register?

ISE integrate with AD. Do we have to validate on DNS / IP?

Best Regards,

ahollifield · ‎06-10-2024

What roles are one each node exactly?

PSNs are always active. What do you mean? Failover is up to the NAD configuration

No, there should be no need to deregister nodes.

Yes, proper A and PTR records are required for each ISE node.

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Da ICS16 · ‎07-10-2024

Hello @ahollifield

Yes, I am agree no need to deregister the node.

Once again, both Nodes are locate separate DCs.

Example:

- PAN Node is at DC1, Secondary Node is at DC2.

In case the connectivity at DC2 no connectivity/down more than 10 hours.

And 2nd Node not running during that time. When the 2nd Node start up/ turn on so all services properly working with PAN node at DC1 or ot?

Kindly share the good sanity check and how to verify it.

Thanks,

ahollifield · ‎07-10-2024

There should be no issues beyond possibly needing a manual re-sync if too many messages are queued to be synced between the nodes.