Hi there,
What happens to a TrustSec environment when all ISE servers are down?
Will traffic still be forwarded? When will it stop working?
Thanks.
The environment data is cached on the NAD so the enforcement should work still.
Hi Hslay,
As far as I remember that cache has a lifetime of typically 24 hours.
Will traffic stop flowing after the cache expires and ISE is down?
Thanks
I'm not using ISE for AAA. Another software is classifying the devices and sending the tag info to the NADs.
I'm just using ISE to manage the TrustSec infrastructure (SGACLs, Matrix, etc.), and only have one ISE (Express Bundle) per site.
Ricardo, as Hsing pointed out, we could increase the timers to weeks/years so that the network devices won't request the new policy though ISE is down.
Also, one more option is to configure static SGACLs on the switches, but that would require a lot of manual effort. When ISE is unavailable, static SGACLs would be used by the NADs for enforcement. As soon as ISE is up, the dynamic SGACL policies from ISE would take precedence.
Thanks for your answer.
If I have a huge cache lifetime, can ISE push new configurations on demand, or will I have to wait for the cache to expire and/or do a manual download at the switch?
It can always push new configuration on demand. That has nothing to do with timers/cache.
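To make the static-SGACL fallback discussed above concrete, here is an added Catalyst IOS-XE configuration example (not taken from the thread and not from any of the posters). It assumes two hypothetical tags, SGT 10 for user endpoints and SGT 20 for web servers, and a hypothetical RBACL name PERMIT-WEB; adjust both to your own matrix. The point for availability planning is that a static permission entry stays in the running config regardless of ISE reachability, while the `cts refresh` commands are the "manual download" option mentioned above for pulling fresh policy without waiting for the timer to expire.

```text
! Added example, not from the original thread.
! 1. Define a static role-based ACL (RBACL) locally on the switch.
!    Hypothetical name PERMIT-WEB: allow HTTP/HTTPS from SGT 10 to SGT 20, deny the rest.
ip access-list role-based PERMIT-WEB
 permit tcp dst eq 443
 permit tcp dst eq 80
 deny ip
!
! 2. Bind the RBACL to the source/destination SGT pair as a static permission.
!    Hypothetical tags: 10 = users, 20 = web servers.
cts role-based permissions from 10 to 20 ipv4 PERMIT-WEB
!
! 3. Turn on SGACL enforcement globally (still needed on the enforcing switch).
cts role-based enforcement
!
! --- Verification, typed at the enable prompt, not in config mode ---
! Confirm the static entry is installed; once ISE is reachable again, a dynamic
! policy downloaded for the same SGT/DGT pair is expected to take precedence,
! as the answer above states.
show cts role-based permissions
!
! Check how long the cached environment data is still valid before it expires.
show cts environment-data
!
! Manual re-download from ISE (the "manual download at the switch" option),
! usable when you do not want to wait for the refresh timer.
cts refresh environment-data
cts refresh policy
```

Keep the static entries deliberately minimal and aligned with the ISE matrix cell they stand in for; a static entry that is broader than the dynamic policy silently widens access during an outage, so review `show cts role-based permissions` after any matrix change to make sure the fallback and the ISE-sourced policy still agree.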
Is it possible to keep the downloaded SGACL and TrustSec environment data after ISE is down or the policy expires?
Because I still want to keep the SGACL enforcement function working, even though no new user can be authenticated, after Cisco ISE is down or the policy expires.