ISE PassiveID High Availability

mimistry
Cisco Employee

Hi Experts,

I have a two-node ISE deployment at my customer site. PassiveID has also been enabled on both nodes. I have around 30 DCs configured for WMI.

Now my question is regarding high availability for PassiveID between these two nodes. As per the notes, I understand that the nodes work as Active/Passive (one node active and the other one hot standby). When I went to the CLI and tried to find out which one is active, I found that my secondary node seems to be active. I could find some logs from "show logging application passiveid-mgmt.log tail" as below:

2019-05-27 02:12:21,036 INFO [admin-http-pool769][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: The node 'Secondary.org' was selected as primary.

How does this election happen, and are both nodes fetching WMI events from every DC, or does just the primary node fetch WMI events from every DC and get synced with the secondary node?

Thanks in advance,

Milin.

3 Replies

Jason Kunst
Cisco Employee
I have asked our SMEs to take a look at this.

hslai
Cisco Employee
...

How does this election happen, and are both nodes fetching WMI events from every DC, or does just the primary node fetch WMI events from every DC and get synced with the secondary node?

...

I believe it would be the first node available to become the primary. Only the primary node acts as the WMI client to fetch the Kerberos events of interest from the configured DCs. The second node is standby and will become active and take over the primary role when the existing primary becomes unavailable.

Hi Hslai,

I appreciate your response, thanks.

In our environment, the secondary node is being elected as primary for PassiveID and all Kerberos events have been fetched from the secondary node. So, the question here is how this primary and secondary election happens while using PassiveID in ISE.

PFA log output from the secondary node:

XYZ/admin# show logging application passiveid-mgmt.log tail
2019-05-29 13:00:29,089 INFO [Thread-122][] cisco.cda.mgmt.client.HttpClientWorker- Connection to '127.0.0.1:8092' was established.
2019-05-29 13:00:29,089 INFO [Thread-122][] cisco.cda.mgmt.client.HttpClientWorker- Sending configuration to '127.0.0.1:8092'.
2019-05-29 13:09:09,151 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: Election time interval has past, initiating election.
2019-05-29 13:09:29,154 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: Starting election, sending election messages to find active node.
2019-05-29 13:09:29,519 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: The node 'XYZ.abc.org' was selected as primary.
2019-05-29 13:09:29,519 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: This node (XYZ.abc.org) was selected as primary.
2019-05-29 13:19:29,606 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: Election time interval has past, initiating election.
2019-05-29 13:19:49,609 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: Starting election, sending election messages to find active node.
2019-05-29 13:19:50,013 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: The node 'XYZ.abc.org' was selected as primary.
2019-05-29 13:19:50,014 INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- PassiveID Management Service :: This node (XYZ.abc.org) was selected as primary.
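
The election result lines quoted in this thread can be parsed to see which node currently holds the PassiveID primary role (the one acting as WMI client) and when that role moves between nodes. The Python below is an added example, not part of the original thread or of Cisco's tooling; the function names are hypothetical, and the sample log lines (hostnames and timestamps) are constructed in the format shown above.

```python
import re
from datetime import datetime

# Election result line, in the format shown in the thread's passiveid-mgmt.log output.
ELECTED = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} INFO\s+\[[^\]]*\]\[[^\]]*\] "
    r"cisco\.cda\.mgmt\.rest\.ADProbeElectionManager- PassiveID Management Service :: "
    r"The node '(?P<node>[^']+)' was selected as primary\."
)

def election_results(lines):
    """Return [(datetime, node)] for each election result line, in log order."""
    results = []
    for line in lines:
        m = ELECTED.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            results.append((ts, m.group("node")))
    return results

def primary_changes(results):
    """Return [(datetime, old, new)] for elections whose winner differs from the previous one."""
    return [(ts, prev, cur)
            for (_, prev), (ts, cur) in zip(results, results[1:])
            if cur != prev]

def current_primary(results):
    """Node named by the most recent election, or None if no election was logged."""
    return results[-1][1] if results else None

# Constructed sample: hostnames and timestamps are placeholders, not taken from the thread.
PREFIX = ("INFO [Thread-120][] cisco.cda.mgmt.rest.ADProbeElectionManager- "
          "PassiveID Management Service :: ")
SAMPLE_LOG = [
    "2019-05-29 13:09:29,154 " + PREFIX + "Starting election, sending election messages to find active node.",
    "2019-05-29 13:09:29,519 " + PREFIX + "The node 'ise-b.example.org' was selected as primary.",
    "2019-05-29 13:09:29,519 " + PREFIX + "This node (ise-b.example.org) was selected as primary.",
    "2019-05-29 13:19:50,013 " + PREFIX + "The node 'ise-b.example.org' was selected as primary.",
    "2019-05-29 13:29:50,101 " + PREFIX + "The node 'ise-a.example.org' was selected as primary.",
]

if __name__ == "__main__":
    results = election_results(SAMPLE_LOG)
    print("current primary:", current_primary(results))
    for ts, old, new in primary_changes(results):
        print(f"{ts}  primary moved {old} -> {new}")
```

Run it against the saved output of the log from each node; an entry from `primary_changes` marks the election at which the WMI client role moved to the other node.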