Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1231
Views
0
Helpful
7
Replies

pxGrid High availability

Go to solution
e-chuah
Level 1
Level 1

‎09-26-2022 09:14 AM

Hi,

I am running ISE 3.1.
two nodes:

Node1:
- Primary PAN
- Primary MnT
- PSN1
- pxGrid 1

Node2:
- Secondary PAN
- Secondary MnT
- PSN2
- pxGrid 2

I understand that ISE 3.1, only pxgrid v2 is supported and we can run pxigrid active/active.

In the above setup, if Node1 fails, Primary PAN fails. Have to bring up Secondary PAN manually.
During this time, if secondary PAN is not up yet, will my existing pxGrid services affected?
I will assume that Node2 pxGrid 2 will still be available.

Is this the correct understanding ?

Thanks
Eng Wee

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-26-2022 10:21 AM

The pxgrid service on the secondary node might still respond on port 8910 since pxgv2 is active/active, but the high availability guide indicates that when the primary admin node is down, pxgrid services will not be available. I haven't tested this personally, but I suspect the guide is correct. 

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_deployment.html#ID59

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎09-26-2022 10:21 AM

The pxgrid service on the secondary node might still respond on port 8910 since pxgv2 is active/active, but the high availability guide indicates that when the primary admin node is down, pxgrid services will not be available. I haven't tested this personally, but I suspect the guide is correct. 

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_deployment.html#ID59

0 Helpful

Go to solution
e-chuah
Level 1
Level 1
In response to Damien Miller

‎09-26-2022 04:25 PM

Thanks Damien for the reply. I believe you are right based on the documentation provided.

 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Damien Miller

‎09-27-2022 04:27 PM

That table does not provide the full details, so it is a bit misleading. See the following table pulled from the CiscoLive BRKSEC-3432 session. The MnT node publishes the session directory to PXG nodes.

Screen Shot 2022-09-28 at 9.20.29 am.png

 

0 Helpful

Go to solution
e-chuah
Level 1
Level 1
In response to Greg Gibbs

‎10-02-2022 08:35 AM

Hi Greg,

Thanks for the inputs. I will further test this out in the lab to understand the behaviour.

Rgds

Eng Wee

 

 

 

0 Helpful

Go to solution
peter.matuska1
Level 1
Level 1

‎04-11-2024 06:09 AM

basic question...if I do the integration FMC<->ISE and I shutdown FMC, what would happen? Is pxgrid communication done directly between FTD and ISE or FMC is some kind of proxy for pxgrid? So in this case high availability for FMC is a must?

thank you

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to peter.matuska1

‎04-11-2024 07:06 AM

@peter.matuska1 the FTD learns the IP/User bindings from the FMC, which learns them from ISE via pxGrid. If you only have a single FMC and you lose that, no new IP/username bindings will be learnt by the FTDs. So yes, have HA FMC in this scenario.

0 Helpful

Go to solution
peter.matuska1
Level 1
Level 1
In response to Rob Ingram

‎04-11-2024 07:08 AM

ok, that's what I thought. thank you for confirmation.

0 Helpful
Customers Also Viewed These Support Documents