PAN Failover time in ISE 2.1 is 45 minutes

umahar
Cisco Employee

Hello,

What is the ideal time taken for PAN Failover in ISE 2.1 ?

I've seen Cisco Live slides mention 15 - 20 minutes but in our testing it took between 35 - 45 minutes.

The customer has raised serious concerns since new endpoints could not be profiled during this transition.


6 Replies

hslai
Cisco Employee
(Accepted Solution)

This failover is configurable by the polling interval and the count. When it is not happening as expected, please analyze the timeline based on the debug logs and verify whether the monitoring node(s) are not detecting the events fast enough. Please engage Cisco TAC, if needed.

A couple points here:

  1. I usually see 30 minutes or so in my deployments.  Remember that not only is there time to detect the primary PAN went down but the bulk of the time is the service restart on the secondary PAN to make it the primary.  An ISE service restart takes 15 minutes at a minimum.
  2. PAN failover should have nothing to do with profiling.  That is a PSN function.  In order to do PAN failover you must be in at least a 4 node deployment so I am assuming you have separated your PSN function from your PAN/M&T functions.  If that is the case the status of the PANs and who is primary/secondary is completely irrelevant to the functioning of the PSNs.  Both PANs could be dead and the PSNs will happily continue on doing their job.

umahar
Cisco Employee

Paul, Thanks for your comments.

PAN needs to be up for new endpoints to be profiled.

Existing profiled endpoints will have no issue in getting authenticated, but new endpoints will not be profiled unless a PAN is up and running.

Thanks,

Utkarsh

Does the PAN need to be up to profile or does one PSN profile but the PAN is needed to update all the other PSNs?


umahar
Cisco Employee

PAN needs to be up for new endpoints to be profiled.

Existing profiled endpoints will not have any issue as profiling information already stays with PSN.

Check this document for ISE 2.1

Cisco Identity Services Engine Administrator Guide, Release 2.1 - Set Up Cisco ISE in a Distributed Environment [Cisco …

The document for ISE 1.4 says otherwise

Ahh thanks. I haven’t looked at that in detail before. Learned something new about ISE. Now I can take the rest of the week off. ☺

Paul Haferman
