03-30-2021 11:08 PM
Hi
We are planning to deploy Cisco ISE as a 3-node deployment (Primary PAN, Secondary PAN and monitoring PSN).
Please help me understand what the impact will be if the single monitoring PSN goes down.
Regards
Ashish Shah
03-31-2021 07:29 AM
As Marce1000 mentioned, a three-node deployment such as this is not an officially tested/certified deployment methodology, but it can still work. I tend to see it deployed when companies understand the risk and still want automatic PAN failover to function.
That said, if the third node (the PSN, in your case) goes down, the primary PAN and secondary PAN will not change; you lose the quorum decider, aka the health check node. If you were to also lose the primary PAN at the same time as the only health check node you have deployed, then it also won't fail over. You wouldn't want this automatic promotion scenario anyway, since reloading the only remaining node would result in a complete service outage. So if the primary PAN goes down, and the secondary and health check PSN stay up, then by default the promotion will begin after the P-PAN has been down for 10 minutes. The secondary PAN will reload and come up as the primary in 10-15 minutes, so the whole process takes 10 min of down time + 10-15 min for the reload = 20-25 minutes.
If you are going to use a three-node deployment with PAN failover enabled, then ensure all three nodes are providing the PSN services, and every network device also has the three IPs configured for RADIUS/TACACS. This prevents PAN reloads from causing a complete authentication outage.
1x Pri-PAN/-Pri-MNT/PSN
1x Sec-PAN/Sec-MNT/PSN
1x PSN
You can also read this admin guide section for what is available when the primary admin node is down; they have it broken into a nice table.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_deployment.html#ID57
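The switch-side half of the recommendation above, as an added example that is not part of the original post or of Cisco's own documentation: an IOS-XE AAA configuration that lists all three ISE nodes as both RADIUS and TACACS+ servers, so the network device fails over to a surviving PSN on its own while a PAN reloads. The IP addresses, server and group names, shared secret and probe username are placeholders I chose; they are not from the thread.

```cisco
! Assumed addresses (placeholders, not from the thread):
!   10.0.0.11  Pri-PAN / Pri-MnT / PSN
!   10.0.0.12  Sec-PAN / Sec-MnT / PSN
!   10.0.0.13  dedicated PSN (the health check node)
!
aaa new-model
!
! RADIUS server definitions. automate-tester sends periodic test
! requests so a PSN that stops answering is marked dead before a real
! user hits it; dead-criteria and deadtime control how quickly the
! switch gives up on a server and how long it stays skipped.
radius server ISE-PSN1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
 automate-tester username ise-probe probe-on
radius server ISE-PSN2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
 automate-tester username ise-probe probe-on
radius server ISE-PSN3
 address ipv4 10.0.0.13 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
 automate-tester username ise-probe probe-on
!
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
 server name ISE-PSN2
 server name ISE-PSN3
 deadtime 15
!
! TACACS+ for device administration, pointing at the same three nodes.
tacacs server ISE-TAC1
 address ipv4 10.0.0.11
 key CHANGE-ME-shared-secret
tacacs server ISE-TAC2
 address ipv4 10.0.0.12
 key CHANGE-ME-shared-secret
tacacs server ISE-TAC3
 address ipv4 10.0.0.13
 key CHANGE-ME-shared-secret
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-TAC1
 server name ISE-TAC2
 server name ISE-TAC3
!
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
!
! Keep a local fallback for device admin so a full ISE outage (for
! example during the 20-25 minute PAN promotion window) does not lock
! you out of the switch.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
```

The `server name` order is the order the switch tries them, so list the dedicated PSN (the one node that never reloads during a PAN promotion) wherever you want it in the preference order. The shared secret must match the entry for this switch under the network device configuration in ISE, the probe username should exist in ISE (or be excluded from reporting) so the periodic tests do not show up as failed authentications, and each of the three nodes must actually have the Policy Service persona enabled; otherwise the extra server entries only add timeouts rather than redundancy.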
03-31-2021 12:10 AM
- Monitoring PSN? PSN normally denotes Policy Service Node and is critical. For more info:
M.
03-31-2021 12:22 AM
Hi
I mean, what will be the impact if the health check PSN goes down?
3-node deployment:
Primary PAN, Secondary PAN and health check PSN.
03-31-2021 12:32 AM
- In general that kind of deployment type is discouraged; it is always better to have 2 PSNs, which can then be configured as authenticators on the network devices, resulting in fallback and/or redundancy when one PSN goes down.
M.
03-31-2021 09:35 PM
Hi
Thanks for your valuable inputs. As you mentioned, we will be enabling the PSN and MnT personas on the Primary and Secondary PAN.
03-31-2021 04:52 AM
Hi,
Remember that:
PAN is the single pane of glass for ISE Admin (the interface to configure and view policies); it is the replication hub for all database config changes (responsible for policy sync across the Secondary PAN and ALL PSNs).
PSN is the RADIUS/TACACS+ server.
In other words, if your only PSN goes down, then you lose your RADIUS/TACACS+ server. You have the option to use a 2-node deployment:
1st Node: Primary PAN, Primary MnT and PSN 01
2nd Node: Secondary PAN, Secondary MnT and PSN 02
Note: the Health Check PSN is used to automatically promote the Secondary PAN to primary if the Primary PAN goes down!
Hope this helps !!!