Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12249
Views
21
Helpful
9
Replies

PAN Auto-Failover for 2 ISE

Go to solution
junk1
Cisco Employee
Cisco Employee

‎12-13-2017 02:25 AM

Hi

I am working on the ISE part of my DNA SDA customer. There are 2 ISE boxes and each ISE box running PAN, MnT and PSN personas. I would like to know how to enable Auto Failover between PAN. The below URL says, for enabling PAN Auto Failover, I need 3 nodes - 2 of which are admin nodes and a 3rd secondary node.

Please suggest how to achieve Auto failover between PAN in a standalone deployment.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID59


If I promote Secondary PAN to Primary will it restart? Is that an expected behaviour? If it restarts, and as PSN is also running in same box there will be a downtime in the network. Please advise.

Thanks and Regards

V Vinodh.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎12-13-2017 04:17 AM

Auto failover is not supported with standalone

You will need an external psn to be the health monitor

To be supported for this in production you will need a non standalone setup where the psns are outside of the pan/mnt for a small medium setup

Please see the ISE deployment sizing in the admin guide

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎12-13-2017 04:17 AM

Auto failover is not supported with standalone

You will need an external psn to be the health monitor

To be supported for this in production you will need a non standalone setup where the psns are outside of the pan/mnt for a small medium setup

Please see the ISE deployment sizing in the admin guide

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎12-13-2017 04:23 AM

yes when you Promote it will restart and that psn Will be down as it’s running on same system

0 Helpful

Go to solution
junk1
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎12-13-2017 04:50 AM

Thanks for the response.

Could you please confirm if Auto Failover also restarts the ISE services?

Regards

V Vinodh.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to junk1

‎12-13-2017 05:11 AM

I am not sure please read the guide here and I will check

To be safe assume yes they are

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010.html#reference_58F40B0E4D354B4DBB9940E4DB8DC8ED

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to junk1

‎12-13-2017 06:21 AM

Yes. It's to automate the action in promoting the secondary PAN to the primary. It restarts the ISE services on the secondary PAN when we do it manually so the auto failover will restart ISE services as well.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to hslai

‎12-13-2017 03:08 PM

We don't hear much about PAN failover on these forums but I can happily report that I have been using it since day one and it works as designed.

I had the unfortunate experience the other day where the primary PAN popped its clogs for no reason, and the Secondary took over automatically.  It's not quick. And the failure detection should NOT be quick because failover is not to be taken lightly.  Processes take ages to wind down, and then start up again on Secondary.  I have left the default timers in place which means that failover is TRIGGERED after 10 minutes.  At that point the Secondary stops processes and restarts. In my case that's another 10min down.  All in all, from time of PAN Primary failure, until happy eyeballs, you're looking at 20min no Admin.  Here are some other caveats to be aware of

1) While Admin(s) are down, Sponsor Portal works on PSN but nobody can log in - Guest accounts managed by PAN!

2) PAN Auto Failover gets in the way of patches and upgrades.  Make sure you disable PAN failover prior to patching

3) URT for ISE 2.3 couldn't cope with a system where PAN Auto failover was enabled.  Fixed in later release of URT. Just beware that unintentional side effects (weird stuff) can happen with PAN Auto failover.

Go to solution
junk1
Cisco Employee
Cisco Employee
In response to Arne Bier

‎12-13-2017 09:29 PM

Thanks everyone, for the responses. Much appreciated.

0 Helpful

Go to solution
junk1
Cisco Employee
Cisco Employee
In response to Arne Bier

‎12-14-2017 05:00 AM

Hi Arne

I was testing this and observed there is a downtime even for the dot1x radius authentication traffic, while the Secondary PAN is promoting into Primary role. Is that an expected behaviour? As per the below link it is not supposed to impact the radius authentication traffic. Please suggest.

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Set Up Cisco ISE in a Distributed Environment [Cisco …

Thanks

V Vinodh.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to junk1

‎12-14-2017 05:02 PM

Vinodh

I have not tested this scenario.  I have a full distributed deployment (2 x PAN, 2 x MnT and 4 x PSN).  I would suspect that in such a deployment the Radius daemon on my PSN's would be unaffected by the PAN outage. If this is NOT the case then I would be quite alarmed.  WHat does your deployment look like?  Do use allinone nodes?  If so,and if not using some load balancer intelligence, then I would expect the NAS to still send to the Primary AAA (PAN/PSN) and thus impacting traffic.

0 Helpful
Customers Also Viewed These Support Documents