Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8684
Views
5
Helpful
5
Replies

Promote Cisco ISE Secondary Admin node to primary Admin Node

Go to solution
Mounica Venigalla
Level 1
Level 1

‎05-09-2018 05:31 AM - edited ‎02-21-2020 10:55 AM

Hi,

 

I am planning on promoting Cisco ISE 2.3 Secondary admin node to primary, it is an 3495 appliance, my question is do i have to do a manual sync up before i promote it and my radius traffic which is currently being served by 4 PSN's will that be disrupted when my PAN restarts?

 

Please Advise.

Thanks

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
agrissimanis
Level 1
Level 1

‎05-09-2018 05:42 AM

Just make sure that the status of all your nodes is healthy and online, there is no need to do manual sync up.

In regards to the RADIUS auths on PSNs , they will not be disrupted, you just loose the ability to make changes and administer the deployment while the secondary admin node is being promoted to primary.

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mounica Venigalla

‎05-09-2018 06:35 AM

You should only need to manually sync if the nodes have a warning telling you they are out of sync.

When you perform the PAN promotion, the services on both nodes will restart at somepoint. Starting/Restarting the services in ISE is generally slow. So if you are running services such as guest, byod or anything that writes to the database you won't have access whilst for a period. If all you are running is basic 802.1x RADIUS auth, as agrissimanis said should not be disrupted.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
agrissimanis
Level 1
Level 1

‎05-09-2018 05:42 AM

Just make sure that the status of all your nodes is healthy and online, there is no need to do manual sync up.

In regards to the RADIUS auths on PSNs , they will not be disrupted, you just loose the ability to make changes and administer the deployment while the secondary admin node is being promoted to primary.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎05-09-2018 05:49 AM

Hi,

The Primary PAN and Secondary PAN should be in sync all the time, unless an issue. No harm running a manual sync before promoting Secondary PAN to Primary.

 

During the period the old P-PAN is down and the Secondary is being promoted to be the new Primary PAN, the database would be offline for a period. Check out this section in the ISE Admin Guide to confirm what will and won't be effected when the PAN is down.

 

Depending on what services you are running on the PSNs you might find you will not impact authentications, but it might be wise to promote the PAN out of hours.

 

HTH

0 Helpful

Go to solution
Mounica Venigalla
Level 1
Level 1
In response to Rob Ingram

‎05-09-2018 06:11 AM

RJI,

My primary PAN is healthy nothing wrong with it and i want to promote my secondary PAN because it was primary prior to my ISE upgrade. Will both the PAN's restart after i login into the secondary pan and promote it?
if so will they restart at the same time or will they restart one after the other?

with respect to manual sync the node will restart again which will result my node to restart twice through the whole process, so i am trying to understand how important it is to do a manual sync.

Thanks
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mounica Venigalla

‎05-09-2018 06:35 AM

You should only need to manually sync if the nodes have a warning telling you they are out of sync.

When you perform the PAN promotion, the services on both nodes will restart at somepoint. Starting/Restarting the services in ISE is generally slow. So if you are running services such as guest, byod or anything that writes to the database you won't have access whilst for a period. If all you are running is basic 802.1x RADIUS auth, as agrissimanis said should not be disrupted.
0 Helpful

Go to solution
Filippo Carzaniga
Level 1
Level 1
In response to Rob Ingram

‎01-22-2020 02:58 AM

Hi All,

 

I personally experienced directly, when you are a design in redundancy Deployment ( 2 Node HA) in which you are PAN/MON/PSN on the same node, I can confirm the Both Node restart and this cause the outage service. 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents