02-27-2024 05:14 PM
Hi all,
We have a medium deployment with PAN+MNT personas sharing the same appliance. If I want to restart the PPAN due to resource utilization. Can I promote my SPAN to the new PPAN while the "PAN Auto Failover" enabled, and reload the original PPAN?
Cheers
Saj
02-27-2024 10:28 PM
I would not try that - your primary PAN will have rebooted and restarted long before the SPAN has had a chance to do receive the promotion. It's a big deal, because the SPAN application services restart, along with a wait of around 20-30 minutes sometimes.
02-27-2024 10:59 PM
Thanks Arne for the response. Do we have to disable the "Auto PAN Failover" before restarting the PPAN ? I'm thinking if SPAN promotion gets kicked in while PPAN rebooting.
02-28-2024 12:07 PM
What are your timer settings to trigger the failover?
I used to thing Auto PAN Failover was a good feature when I first started working with ISE. But the general consensus is that it's not a good feature - you would rather promote the Secondary when you REALLY KNOW that the Primary is dead in the water and won't come back up. In most cases someone will notice this. You don't want ISE to do this on its own IMHO
02-28-2024 05:07 PM
it's 10 mins ( Polling interval 120 secs & failure before failover count 5 ).
Thanks for your valuable insight
02-28-2024 06:50 PM
Wow - that's quite sensitive - doesn't leave much room for reboots!
I would like to re-phrase what I said earlier about not using Auto PAN Failover. What I meant to say is that, I would not recommend using it unless you have a customer setup where nobody is looking after ISE. In that case (imagine ISE on the moon!) then the PAN will failover by itself, because there is nobody on the moon to keep an eye on ISE.
There is one genuine use-case for an unattended PAN failover - Sponsored Guest - because, if the Primary PAN is dead, then you cannot create any NEW Guest accounts. If this is an issue for you, and you need 24/7 coverage for your Guest Solution, then perhaps PAN auto-failover is of some benefit - because that feature will quickly notice that your PAN is down at 2AM and failover without having to call an engineer out of their bed.
02-28-2024 07:53 PM
Point taken Arne. Only use case i can think of is failing PPAN in out-of-hours and you want working PAN on next working day.
I would think disable Auto PAN Failover and giving a reboot the PPAN is the way to go
Once PPAN is up, then re-enable the Auto PAN Failover.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide