Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
0
Helpful
6
Replies

Restarting ISE PPAN when "PAN Auto Failover" is enabled

~Saj~
Level 1
Level 1

‎02-27-2024 05:14 PM

Hi all,

We have a medium deployment with PAN+MNT personas sharing the same appliance. If I want to restart the PPAN due to resource utilization. Can I promote my SPAN to the new PPAN while the "PAN Auto Failover" enabled, and reload the original PPAN?

Cheers

Saj

0 Helpful
6 Replies 6

Arne Bier
VIP
VIP

‎02-27-2024 10:28 PM

I would not try that - your primary PAN will have rebooted and restarted long before the SPAN has had a chance to do receive the promotion. It's a big deal, because the SPAN application services restart, along with a wait of around 20-30 minutes sometimes. 

0 Helpful

~Saj~
Level 1
Level 1
In response to Arne Bier

‎02-27-2024 10:59 PM

Thanks Arne for the response. Do we have to disable the "Auto PAN Failover" before restarting the PPAN ? I'm thinking if SPAN promotion gets kicked in while PPAN rebooting.

0 Helpful

Arne Bier
VIP
VIP
In response to ~Saj~

‎02-28-2024 12:07 PM

What are your timer settings to trigger the failover?

I used to thing Auto PAN Failover was a good feature when I first started working with ISE. But the general consensus is that it's not a good feature - you would rather promote the Secondary when you REALLY KNOW that the Primary is dead in the water and won't come back up. In most cases someone will notice this.  You don't want ISE to do this on its own IMHO

0 Helpful

~Saj~
Level 1
Level 1
In response to Arne Bier

‎02-28-2024 05:07 PM

it's 10 mins ( Polling interval 120 secs & failure before failover count 5 ). 

Thanks for your valuable insight  

0 Helpful

Arne Bier
VIP
VIP

‎02-28-2024 06:50 PM

Wow - that's quite sensitive - doesn't leave much room for reboots!

I would like to re-phrase what I said earlier about not using Auto PAN Failover. What I meant to say is that, I would not recommend using it unless you have a customer setup where nobody is looking after ISE. In that case (imagine ISE on the moon!) then the PAN will failover by itself, because there is nobody on the moon to keep an eye on ISE. 

There is one genuine use-case for an unattended PAN failover - Sponsored Guest - because, if the Primary PAN is dead, then you cannot create any NEW Guest accounts. If this is an issue for you, and you need 24/7 coverage for your Guest Solution, then perhaps PAN auto-failover is of some benefit - because that feature will quickly notice that your PAN is down at 2AM and failover without having to call an engineer out of their bed. 

0 Helpful

~Saj~
Level 1
Level 1
In response to Arne Bier

‎02-28-2024 07:53 PM

Point taken Arne. Only use case i can think of is failing PPAN in out-of-hours and you want working PAN on next working day. 

I would think disable Auto PAN Failover and giving a reboot the PPAN is the way to go

Once PPAN is up, then re-enable the Auto PAN Failover. 

0 Helpful
Customers Also Viewed These Support Documents