Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3098
Views
10
Helpful
3
Replies

ISE PXGRID Role

Go to solution
bergonzoni
Level 1
Level 1

‎02-21-2020 06:25 AM

Hi,

I have two PAN and one PSN in HQ and one PSN in BO.

I activated PXGRID role on both PSN but PSN in BO is always active.

On remote BO site I have a limited performance (20Mpbs and 100ms) and I prefer to have PXGRID role active on local PSN in HQ.

Can I setup PXGRID in order to use local PSN and keep remote PSN how backup?

Thanks

Marco

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎02-21-2020 01:14 PM - edited ‎02-21-2020 01:15 PM

Pxgrid is a funny beast to the uninitiated, but here is a crash course on what you are seeing.

As of ISE version 2.4 and newer, there are two flavours of pxGrid, version 1, and version 2.

The active/standby you see on the pxGrid workcenter home page is actually indicating which node is active for pxGrid version 1 services in the deployment. The node that is listed there as active is also the one that has the four pxGrid services in the "running" state when you issue a "show application status ise" from the node CLIs. Pxgrid version 1 is not active active, it is always active/standby. If you want to change the active node in the deployment for pxGrid version 1, you need to stop the services on the current active node, wait for the standby to notice and start its pxGrid version 1 services. PXG v1 leverages XMPP and TCP 5222 for communication.

Pxgrid version 2 is completely separate from the services and active/standby roles we just talked about in the paragraph about pxg v1. It is a web based API that is always active on a 2.4+ PSN with pxGrid persona enabled. It leverages TCP 8910 for communication, and you can confirm if it's active on the node with the webclients tab, or from the cli "tech netstat" command. A ISE v2.4+ deployment can have up to 4 PSNs running the pxGrid persona, only one of those will have pxGrid v1 active, while all four are active for pxGrid version 2.

It is up to the client to be written to either leverage pxGrid version 1, or 2. We do not control this from ISE as it is a developer decision on which to support, and they have to be written differently. ISE 2.4+ will work with both v1 and v2 clients simultaneously.

TLDR:
-Swap pxgrid v1 active/standby be either reloading the current active node, or shutting down the ISE services for a few minutes.
-PXG v1 and v2 are different, v1 only has a single active node, v2 will always be active on all pxg nodes in the deployment. 

View solution in original post

3 Replies 3

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎02-21-2020 01:14 PM - edited ‎02-21-2020 01:15 PM

Pxgrid is a funny beast to the uninitiated, but here is a crash course on what you are seeing.

As of ISE version 2.4 and newer, there are two flavours of pxGrid, version 1, and version 2.

The active/standby you see on the pxGrid workcenter home page is actually indicating which node is active for pxGrid version 1 services in the deployment. The node that is listed there as active is also the one that has the four pxGrid services in the "running" state when you issue a "show application status ise" from the node CLIs. Pxgrid version 1 is not active active, it is always active/standby. If you want to change the active node in the deployment for pxGrid version 1, you need to stop the services on the current active node, wait for the standby to notice and start its pxGrid version 1 services. PXG v1 leverages XMPP and TCP 5222 for communication.

Pxgrid version 2 is completely separate from the services and active/standby roles we just talked about in the paragraph about pxg v1. It is a web based API that is always active on a 2.4+ PSN with pxGrid persona enabled. It leverages TCP 8910 for communication, and you can confirm if it's active on the node with the webclients tab, or from the cli "tech netstat" command. A ISE v2.4+ deployment can have up to 4 PSNs running the pxGrid persona, only one of those will have pxGrid v1 active, while all four are active for pxGrid version 2.

It is up to the client to be written to either leverage pxGrid version 1, or 2. We do not control this from ISE as it is a developer decision on which to support, and they have to be written differently. ISE 2.4+ will work with both v1 and v2 clients simultaneously.

TLDR:
-Swap pxgrid v1 active/standby be either reloading the current active node, or shutting down the ISE services for a few minutes.
-PXG v1 and v2 are different, v1 only has a single active node, v2 will always be active on all pxg nodes in the deployment. 

Go to solution
bergonzoni
Level 1
Level 1
In response to Damien Miller

‎02-25-2020 12:47 AM

Hi,

Thank you for the reply.

PxGrid v2 cannot resolve my problem because Firepower and Stealthwatch support only v.1.

Marco

 

0 Helpful

Go to solution
#Mat
Level 6
Level 6
In response to Damien Miller

‎10-22-2021 02:42 PM

Wonderful explanation!!!!

Thanks!

.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents