05-03-2017 01:27 AM - edited 03-11-2019 12:41 AM
Hi,
We have two PSN ISE nodes, and we specified on the WLC to use ISE1 as Server 1 (the authentication server). We removed ISE2 because of some issue, but after we added it again, all authentication transferred to ISE2. On the WLC, the fallback mode is off.
When I issued show tech on ISE, I saw the output below.
Displaying ISE deployment ...
*****************************************
Node Config Details
NAME PERSONA ROLE ACTIVE REPLICATION
------------------- --------------- ---------- ---------- ---------------
ISE1 PAN,MNT,PSN PRIMARY STANDBY Not Applicable
ISE2 PAN,MNT,PSN SECONDARY ACTIVE SYNC COMPLETED
Is there a way to force the ISE1 to become active?
Thanks!
05-03-2017 03:11 AM
Hi Mady
It could be that during the time of the SYNC, the WLC marked ISE1 as down because of the default RADIUS Server Timeout of 2 sec, which could be fairly aggressive if ISE1 is highly overloaded with authentication requests plus the sync operation to the secondary role.
I would recommend increasing the Server Timeout to between 5 and 10 sec, removing ISE2 for the time being, and then adding it back later and checking the result.
I would also advise you to disable the aggressive failover feature on the WLC, which marks the RADIUS server as down immediately after one failed response. Disabling this feature would force the WLC to fail over to the next RADIUS server only if three consecutive clients fail to receive a response from the RADIUS server.
These are the WLC recommended timers from Cisco Live:
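To make the two failover policies described above concrete, here is an added example that is not part of this thread or of any Cisco product: a small Python model of the WLC's RADIUS server-down decision, run over a constructed trace of ISE1 response latencies during a sync. The trace values, the 2 s and 10 s timeouts and the "one miss vs. three consecutive misses" rule are assumptions taken from the reply above; the real AireOS implementation (retransmit counts, per-client tracking) is more elaborate than this.

```python
"""Simplified model of how a WLC decides to mark RADIUS server 1 as down.

Added example, not code from the thread or from Cisco.  It compares the
default 2 s Server Timeout against the suggested 10 s, each with the
aggressive-failover rule (one missed response) and the non-aggressive rule
(three consecutive clients with no response).  Model and numbers are
assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FailoverResult:
    failed_over: bool            # would the WLC have moved to server 2?
    at_request: Optional[int]    # index of the request that triggered it
    timed_out: int               # requests that exceeded the server timeout


def simulate_failover(latencies_s: List[Optional[float]],
                      server_timeout_s: float,
                      aggressive: bool) -> FailoverResult:
    """Replay per-client auth latencies from server 1 through the WLC rule.

    latencies_s: response latency in seconds per client; None = no reply at all.
    server_timeout_s: the WLC RADIUS 'Server Timeout' value.
    aggressive: True = mark down after one miss, False = after three in a row.
    """
    threshold = 1 if aggressive else 3
    consecutive = 0
    timed_out = 0
    for i, lat in enumerate(latencies_s):
        missed = lat is None or lat > server_timeout_s
        if missed:
            timed_out += 1
            consecutive += 1
            if consecutive >= threshold:
                return FailoverResult(True, i, timed_out)
        else:
            consecutive = 0  # a reply within the timeout resets the streak
    return FailoverResult(False, None, timed_out)


# Constructed traces (not measured data):
# ISE1 busy with replication: a few slow but answered requests
SYNC_TRACE: List[Optional[float]] = [0.3, 0.4, 2.6, 0.5, 3.1, 4.0, 0.6, 0.4]
# ISE1 genuinely unreachable for three clients in a row
OUTAGE_TRACE: List[Optional[float]] = [0.3, None, None, None, 0.4]


def compare_policies(trace: List[Optional[float]]
                     ) -> Dict[Tuple[int, bool], FailoverResult]:
    """Run one trace under 2 s / 10 s timeouts with aggressive on and off."""
    return {
        (timeout, aggr): simulate_failover(trace, timeout, aggr)
        for timeout in (2, 10)
        for aggr in (True, False)
    }


if __name__ == "__main__":
    for name, trace in (("sync", SYNC_TRACE), ("outage", OUTAGE_TRACE)):
        for (timeout, aggr), r in compare_policies(trace).items():
            mode = "aggressive" if aggr else "3-consecutive"
            print(f"{name:6s} timeout={timeout:>2}s {mode:13s} -> "
                  f"failed_over={r.failed_over} at={r.at_request} "
                  f"timed_out={r.timed_out}")
```

With the sync trace, only the 2 s / aggressive combination fails over (on the first slow reply), which is the situation the reply above is pointing at; with the outage trace both rules fail over under a 2 s timeout, because three clients in a row get nothing back, so disabling aggressive failover does not mask a real outage.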
05-03-2017 05:36 PM
Hi Mohamed,
Thank you for your response. :)
We tried changing the server timeout to 10 sec and removing the secondary ISE; after that, we could not see the (*) sign on either ISE in the WLC.
Do you know how we can back-track why the secondary ISE became active even though the primary ISE is still up?
Thanks!