Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
0
Helpful
2
Replies

Radius dead server with LB

Go to solution
csavas
Cisco Employee
Cisco Employee

‎10-19-2018 01:56 AM

Hi all,

I have a general design question;

is there a need at all to have a dead server configured on ISE if we have an LB in place?

What is the general recommendation?

 

 

Thanks,

Cengiz

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Ben Walters
Level 3
Level 3

‎10-19-2018 05:08 AM

It really depends on your ISE setup, if you only have one site where your ISE servers sit and they are all behind a LB for the services you don't have to worry about a dead server backup because the LB should determine if a server failed and remove it from the pool while the others still serve requests. 

 

However if you have 2 different sites each with their on set of ISE servers you could configure your devices to use one as the primary and the second as the dead server backup. This is how ours is setup, we have a main and backup datacenter which has 2 ISE pools behind LBs.

 

Unless of course you were using something like F5's GTM (Big-IP DNS) that does LB across the WAN. 

View solution in original post

0 Helpful

Go to solution
paul
Level 10
Level 10

‎10-19-2018 05:30 AM

If your ports are in open mode you don't need the dead server config at all.  If you are in closed mode, you also have to think about the site losing access to the LB VIP.  It is unlikely that the VIP will be down, but what if the site loses access to the VIP for some reason.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Ben Walters
Level 3
Level 3

‎10-19-2018 05:08 AM

It really depends on your ISE setup, if you only have one site where your ISE servers sit and they are all behind a LB for the services you don't have to worry about a dead server backup because the LB should determine if a server failed and remove it from the pool while the others still serve requests. 

 

However if you have 2 different sites each with their on set of ISE servers you could configure your devices to use one as the primary and the second as the dead server backup. This is how ours is setup, we have a main and backup datacenter which has 2 ISE pools behind LBs.

 

Unless of course you were using something like F5's GTM (Big-IP DNS) that does LB across the WAN. 

0 Helpful

Go to solution
paul
Level 10
Level 10

‎10-19-2018 05:30 AM

If your ports are in open mode you don't need the dead server config at all.  If you are in closed mode, you also have to think about the site losing access to the LB VIP.  It is unlikely that the VIP will be down, but what if the site loses access to the VIP for some reason.

0 Helpful
Customers Also Viewed These Support Documents