cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

877
Views
0
Helpful
8
Replies
Ricardo T Duarte
Beginner

Trustsec + ISE Down?

Hi there,

 

What happens to a TrustSec environment when all ISE servers are down?

Will traffic still be forwarded? When will it stop working?

 

Thanks.

2 ACCEPTED SOLUTIONS

Accepted Solutions

Ricardo, As Hsing pointed out we could increase the timers to weeks/years so that the network devices wont request the new policy though ISE is down.

Also one more thing is to configure Static SGACLs on the switches. But that would require lot of manual effort. When ISE is unavailable Static SGACLs would be used by the NADs for enforcement. As soon as ISE is up then dynamic SGACL policies from ISE would take the precedence.

View solution in original post

It can always push new configuration on demand. That has nothing to do with timers/cache.

View solution in original post

8 REPLIES 8
hslai
Cisco Employee

The environment data is cached on the NAD so the enforcement should work still.

Hi Hslay,

 

As far as I remember that cache has a lifetime of typically 24 hours.

Will traffic stop flowing after the cache expires and ISE is down?

 

Thanks

If you have a whole ise outage aren’t there other things to worry about? AAA not working? They would go into critical auth on wired and wireless dot1x wouldn’t work.

I'm not using ISE for AAA. Another software is classifying the devices and sending the tag info to the NADs.

I'm just using ISE to manage the TrustSec infrastructure (SGACLs, Matrix, etc), and only have one ISE (Express Bundle) per site.

 

Ricardo, As Hsing pointed out we could increase the timers to weeks/years so that the network devices wont request the new policy though ISE is down.

Also one more thing is to configure Static SGACLs on the switches. But that would require lot of manual effort. When ISE is unavailable Static SGACLs would be used by the NADs for enforcement. As soon as ISE is up then dynamic SGACL policies from ISE would take the precedence.

Thanks for your answer.

 

If I have a huge cache lifetime, can ISE push new configurations on demand, or will I have to wait for the cache to expire and/or do a manual download at the switch?

It can always push new configuration on demand. That has nothing to do with timers/cache.

Is that possible to keep the downloaded SGACL and TrsutSec environment data after ISE down or the policy expire?

 

Because I still want to keep the SGACL enforcement function working, even though there is no new user can be authentication, after the Cisco ISE down or the policy expires.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube