Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
137
Views
0
Helpful
1
Replies

ISE Node locate different DC | DC link disconnect

Da ICS16
Level 1
Level 1

‎06-10-2024 02:38 AM

Dear Community,

We use ISE 3.1 

1. Primary Admin Node - DC Secondary site

2. Secondary Node and pxGRID Node - DC Primary site We are planning to perform test ISE functionality to ensure current Node can handle all sessions by disconnect for 1 of DC links.

It mean PAN and Secondary Node no connectivity to each other, assume Secondary Node no connectivity to PAN / down around 3 hours.

Q1: What is the issue if active-active PSN lost connection withing 3 hours, then connection comes back? please share us the best practice.

Q2: Should we de-register both active-active PSN to standalone then connection right back to register?

ISE integrate with AD. Do we have to validate on DNS / IP?

 

Best Regards,

 

0 Helpful
1 Reply 1

ahollifield
VIP
VIP

‎06-10-2024 11:07 AM

What roles are one each node exactly?

PSNs are always active.  What do you mean?  Failover is up to the NAD configuration

No, there should be no need to deregister nodes.

Yes, proper A and PTR records are required for each ISE node.

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

0 Helpful
Customers Also Viewed These Support Documents