
Preparing to do a DR test.

ST13
Level 1

Good Morning All,
I need to run a DR test on our ISE environment. I was looking at running two tests - Primary offline and Stopping the application server service on the primary box. I have been reading through the doco and this forum and I seem to be getting more confused. So I was hoping someone can put me on the correct path.

I have two boxes, in the following configuration
ISE.png
Now currently, I know both boxes can accept RADIUS traffic; for whatever reason we have one service that uses the secondary as the primary.

So what I want to confirm.
- When I shut the primary down\stop the service, the secondary server should start to receive and process the traffic, without "promoting to primary", I just won't have access to the administration portal, logs etc?

- If the secondary box, is never promoted to primary, when the primary box comes back up, it will automatically resume the role of primary.

- As both our boxes are running the same services\personas, the only advantage to promoting to primary is to allow administration and monitoring via the secondary server?

- If we promote the secondary box to primary, the documentation says the server reboots. Is this a full reboot (so will not accept RADIUS traffic (so full outage)) or will this only impact our ability to log in and manage the server (administration)?

Sorry if this has been asked before, I have tried to look through but couldn't find anything that matched my requirements.

 

Thanks

 

1 Accepted Solution


Damien Miller
VIP Alumni

Both of your nodes are capable of handling radius authentication at any time. They are active/active.

- When I shut the primary down\stop the service, the secondary server should start to receive and process the traffic, without "promoting to primary", I just won't have access to the administration portal, logs etc?
This is correct, but you can handle authentication on either node at any time.  Keep in mind that when the primary admin node is down there are some features unavailable still other than the GUI. This link has a list of features that rely on the PAN.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html#ID57

- If the secondary box, is never promoted to primary, when the primary box comes back up, it will automatically resume the role of primary.

Yes, the secondary remains secondary unless you were to log in and promote it.  I do not recommend this unless you plan for an authentication outage.  The node has to reload to promote itself to primary. 

- As both our boxes are running the same services\personas, the only advantage to promoting to primary is to allow administration and monitoring via the secondary server?

See the link above for features unavailable while the primary admin node is down.

- If we promote the secondary box to primary, the documentation says the server reboots. Is this a full reboot (so will not accept RADIUS traffic (so full outage)) or will this only impact our ability to log in and manage the server (administration)?

Full reload with authentication impact.  It needs to be planned if it is the only remaining node like in your case.  


2 Replies

Thanks for the quick response, I went through the link, thankfully we don't use any of the services which will be unavailable.

Now it's up to the business to decide if they want to test the "promote to primary" function in an outage situation.

Thanks again!