Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
774
Views
0
Helpful
7
Replies

switch to the secondary PAN node

Go to solution
nastiakhon
Level 1
Level 1

‎01-21-2026 06:33 AM

Hello.
Is there any way to automatically switch to the secondary PAN node if the primary PAN node crashes? This usually has to be done manually.
Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to nastiakhon

‎01-21-2026 06:59 AM

@nastiakhon well you'd need to design your ISE cluster accordingly, with at least 3 ISE nodes for auto failover functionality, with the non-admin node acting as the health check node. The health check node can also function as a non-admin role, i.e., PSN.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/admin_guide/b_ise_admin_3_4/b_ISE_admin_deployment.html#ID59

 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-21-2026 06:36 AM

Depends on the deployment; if you configured PAN AutoFailover, then yes. if not then manually promote required.

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#toc-hId-118574828

OLD document still good for understanding :

https://www.ciscopress.com/articles/article.asp?p=2812072

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎01-21-2026 06:38 AM

@nastiakhon you can automatically failover, but it does require there be at least one other non-admin node in the deployment (in addition to the Primary PAN and Secondary PAN). If you only have a small 2 node ISE deployment, then you cannot automatically failover.

0 Helpful

Go to solution
nastiakhon
Level 1
Level 1

‎01-21-2026 06:49 AM

We don't have a deployed ISE yet, we're only in the planning stage, so we'd like to immediately create a scheme that will automatically switch over if the main node becomes unavailable.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to nastiakhon

‎01-21-2026 06:59 AM

@nastiakhon well you'd need to design your ISE cluster accordingly, with at least 3 ISE nodes for auto failover functionality, with the non-admin node acting as the health check node. The health check node can also function as a non-admin role, i.e., PSN.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-4/admin_guide/b_ise_admin_3_4/b_ISE_admin_deployment.html#ID59

 

0 Helpful

Go to solution
nastiakhon
Level 1
Level 1

‎01-21-2026 07:21 AM

So, if we have two data centers, we'll set up a separate PAN1 node and a separate PSN1 node in the first data center. We'll do the same in the second data center, setting up a separate PAN2 node and a separate PSN2 node. We'll select PAN1 as the primary node in data center 1, and specify that its health check node will be PSN1. We'll do the same for the second data center.
So, we'll have a total of 4 nodes.
Am I correct in understanding that with this setup, if PAN1 fails, PAN2 will automatically become the primary node, and the workflow won't be interrupted?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to nastiakhon

‎01-21-2026 07:38 AM

@nastiakhon some features are unavailable when the Primary PAN is unavailable. So during the brief period during PAN switchover is occurring there maybe some features unavailable. Refer to Table 10 for a full list- https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_deployment.html#ID59

Health Check design:-

RobIngram_0-1769009624141.png

 

0 Helpful

Go to solution
nastiakhon
Level 1
Level 1

‎01-21-2026 07:41 AM

I understand everything. Thank you very much for your help!

0 Helpful
Customers Also Viewed These Support Documents