Two nodes ISE HA recovery without service disruption

kmasuyam
Cisco Employee

Hi experts,


Our customer adopted SDA and uses two redundant ISE servers, whose version is 2.4 patch 6.
When a failure happens on the PRIMARY ISE, the customer will operate the following procedure without promoting the SECONDARY ISE to PRIMARY.


Below, I describe the HA ISE servers as ISE-1 and ISE-2.
Assume a configuration backup has already been taken.

  1. Failure happens
  2. configure tentative IP address to new ISE server (ISE-3)
  3. setup ISE-3 initially (the same configuration as ISE-1 except IP address)
  4. apply patch file to ISE-3
  5. restore to ISE-3 without ADE-OS
  6. change ISE-3’s role to PRIMARY
  7. delete the info of ISE-2 on ISE-3 GUI
  8. change ISE-3’s role to STAND ALONE
  9. configure true IP address to ISE-3
  10. change ISE-3’s role to PRIMARY
  11. change ISE-2’s role to PRIMARY
  12. deregister ISE-3 on ISE-2 GUI
  13. change ISE-2’s role to STAND ALONE
  14. register ISE-2 as SECONDARY on ISE-3 GUI

The partner tried the above procedure and confirmed there are no problems with these steps
(such as pxGrid between DNAC and ISE, authentication, SXP with the outside of the Fabric, and traffic from endpoints).


We understand the regular step is to promote the SECONDARY ISE to PRIMARY,
but our customer requests the above procedure because of company regulations.


Do you have any concerns about these steps?
The Cisco team suspects that steps 6 and 8 may not be necessary.


hslai
Cisco Employee

Assuming ISE-1 is the original primary and ISE-3 is the replacement primary.

I am not clear why ISE-3 is configured with a temporary IP address instead of the same IP as ISE-1, unless the customer wants to play safe. IIRC, if an ISE CFG backup from a deployment is restored to a standalone ISE node with the same FQDN, the restored host will change to the primary. Because in (3) ISE-3 has a different IP address, we can't change the IP address unless the node is standalone:

myISE26/admin(config-GigabitEthernet)# ip address 10.1.100.27 255.255.255.0
% Warning: GigabitEthernet0 IP address change disallowed as this node is part of a deployment. Make it a standalone to change the IP.

Thank you for your reply. The reason why ISE-3 is configured with a temporary IP address is that the customer is concerned about authentication failure. We understand it takes longer to configure a temporary IP address. However, if ISE-3 is configured with the same IP address as ISE-1, RADIUS traffic between the NAD and ISE-3 may occur (and sometimes the authentication may fail) before the config backup restore is completed. The customer is concerned about this point. Do you have any concerns other than the IP address?

No. Please do take regular backups and test restoring them regularly.

Thanks. What is the reason for testing the restore of backups regularly?

To ensure the backups are good.

I appreciate your support.

Finally, we understand that customers can get TAC support in this environment?