PAN Auto failover

rajatsha
Cisco Employee

Hello Team,

One of our customers is using the auto PAN failover feature and is currently testing a few scenarios. As of now, the PSN doing the monitoring is in the same datacenter as the PAN, i.e. the Primary PAN is being monitored by a PSN in the primary DC and the secondary PAN is being monitored by a PSN in the secondary DC.

As per the initial understanding, it is recommended to have the monitoring PSN in the same datacenter. Now in this case, if there is a complete DR failure scenario, i.e. the primary datacenter is down, then the PSN monitoring the PAN will also be down and auto failover for the PAN will not trigger (tested).

Now my question is: can we have the PSN in a separate datacenter, i.e. can the Primary PAN monitoring PSN be in the secondary DC and vice versa? If not, why? I understand that we could get some false positives if there are some delays/issues in the network; however, we are talking about a poll time of 120 seconds and a hold down time around 12 minutes (5 polls), which makes this highly unrealistic (in that case they will have more issues than just ISE failover).

Looking for a quick answer as the customer is in a testing window and we have the opportunity to modify, if we can. Thank you.

Best Regards,

Rajat Sharma

1 Accepted Solution


Jason Kunst
Cisco Employee
Would recommend you look over the performance and scale plus tips and tricks to understand the design. Look at Craig Hyps' Cisco Live Orlando

https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944#toc-hId-1281981443
