
11-16-2018 02:19 AM
Team,
Can you please let me know: in a distributed environment, if a PSN loses connectivity to both PANs, does it still do authentication/posturing?
Thanks
Labels: Identity Services Engine (ISE)
Accepted Solutions
11-16-2018 02:31 AM
Hi,
If the connection between the PAN and PSN breaks, the PSN will still have all the old configuration; it won't affect authentication/posturing. Only the new changes in the PAN will not get replicated to the PSN.
Please check this: When Primary PAN is down
-Aravind

11-19-2018 07:21 AM - edited 11-19-2018 07:37 AM
If you enable health check on the PSN to enable auto failover, it continuously monitors the PAN node. ISE will generate an alarm if the PAN node is down. It does not leave after some time.
Once the PAN node is back up, it regains the connectivity.
Thanks,
Nidhi

11-21-2018 02:34 AM
Please see my response inline:
a) According to the discussion here, PSN can now work as usual but might not
work in the case of any new policy changes and any new dictionary updates,
right?
NP - Yes, that's correct.
b) Regarding licensing, the licenses are downloaded to PAN and then
distributed to PSN, right?
If b) is right, then how does PAN know that the licensing is violated, since
now tracking of endpoints is not accurate (since one site is isolated and
does not have the count of endpoints from that site)?
NP - PAN queries the session directory from MnT for showing any kind of license violation. If the PAN is not available, there will be no alerts for license violation. Also, since MnT is available, the operational data will be available in MnT for all the sessions in PSN.
11-16-2018 08:52 AM
without any PAN.. (I thought it was when primary is down and secondary is
available..)
Anyway, assuming that all is fine even when the Primary or Secondary PAN is not
available.. say when an authentication happens for an existing user, is it
not that the PSN should update the PAN, and in this case the PAN is not available, so
will it just try to contact the PAN and leave it after some timer?
Also, does the PSN or PAN send some kind of heartbeats, and if so, when
the timer expires, will it send logs/alarms on the same?
Thanks in advance

11-19-2018 07:47 AM
(P and S in hub site) and PSN is in a remote site.. and for some reason
the remote site is isolated
so now
a) According to the discussion here, PSN can now work as usual but might not
work in the case of any new policy changes and any new dictionary updates,
right?
b) Regarding licensing, the licenses are downloaded to PAN and then
distributed to PSN, right?
If b) is right, then how does PAN know that the licensing is violated, since
now tracking of endpoints is not accurate (since one site is isolated and
does not have the count of endpoints from that site)?
So I can understand that we can do the automatic HA once we have the health
check node.. but my question is: what if a PSN loses the PAN communication
(both primary and secondary)...
Thanks in advance

