Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1985
Views
10
Helpful
5
Replies

When PSN looses connection to both PAN

Go to solution
Jayashanker warrier
Level 1
Level 1

‎11-16-2018 02:19 AM

Team, 

Can you please let me know in a distributed environment, if a PSN looses connectivity to both the PAN's does it still does authentication/posturing?...

 

Thanks

 

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Aravind Ravichandran
Level 3
Level 3

‎11-16-2018 02:31 AM

Hi,

If connection between PAN & PSN breaks, PSN will be having all the old configuration,it won't affect authentication/posturing, Only the new changes in PAN will not get replicated on the PSN.

 

Please check this When Primary PAN is down

 

-Aravind

-Aravind

View solution in original post

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to Jayashanker warrier

‎11-19-2018 07:21 AM - edited ‎11-19-2018 07:37 AM

 

If you enable health check on PSN to enable auto Failover, it continuously monitors the  of PAN node. ISE will generate alarm if the PAN node is down. it does not leave after some time. 

once the PAN node is back up, it regains the connectivity. 

 

Thanks,

Nidhi

 

View solution in original post

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to Jayashanker warrier

‎11-21-2018 02:34 AM

Please see my response inline- 

 

a) According to the discussion here PSN can now work as usual but might not
work in the case of any new policy changes and any new dictionary updates.
right?

NP - Yes thats correct 
b) Regarding Licensing the licenses are downloaded to PAN and then
distributed to PSN right?
If b) is right then how does PAN know that the licensing is violated since
now tracking of endpoints are not accurate (since one site is isolated and
does not have the count of endpoints from that site)

NP-PAN queries the session directory from MnT for showing any kind of license violation. If the PAN is not available, there will be no alerts for license violation. Also, Since MnT is available, the operational data will be available in MnT for all the sessions in PSN. 

View solution in original post

5 Replies 5

Go to solution
Aravind Ravichandran
Level 3
Level 3

‎11-16-2018 02:31 AM

Hi,

If connection between PAN & PSN breaks, PSN will be having all the old configuration,it won't affect authentication/posturing, Only the new changes in PAN will not get replicated on the PSN.

 

Please check this When Primary PAN is down

 

-Aravind

-Aravind

Go to solution
Jayashanker warrier
Level 1
Level 1
In response to Aravind Ravichandran

‎11-16-2018 08:52 AM

Thanks Aravind.. I read that document but was not clear whether it is
without any PAN.. (i thought it was when primary is down and secondary is
available..)

Anyways assuming that all is fine even when Primary or Secondary PAN is not
available.. say when an authentication happens for a existing user is it
not that PSN should update the PAN and in this case PAN is not available so
will it just try to contact the PAN and leave it after some timer?

Also does the PSN or PAN send some kind of heart beats and if so when this
the timer expires will it send logs/alarms on the same?

Thanks in advance

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to Jayashanker warrier

‎11-19-2018 07:21 AM - edited ‎11-19-2018 07:37 AM

 

If you enable health check on PSN to enable auto Failover, it continuously monitors the  of PAN node. ISE will generate alarm if the PAN node is down. it does not leave after some time. 

once the PAN node is back up, it regains the connectivity. 

 

Thanks,

Nidhi

 

0 Helpful

Go to solution
Jayashanker warrier
Level 1
Level 1
In response to Nidhi

‎11-19-2018 07:47 AM

Thanks but my question is assuming that i have a distributed system so PAN
(P and S in hub site) and PSN is in a remote site.. and for some reasons
the remote site is isolated
so now
a) According to the discussion here PSN can now work as usual but might not
work in the case of any new policy changes and any new dictionary updates.
right?
b) Regarding Licensing the licenses are downloaded to PAN and then
distributed to PSN right?

If b) is right then how does PAN know that the licensing is violated since
now tracking of endpoints are not accurate (since one site is isolated and
does not have the count of endpoints from that site)

So i can understand that we can do the automatic HA once we have the health
check node.. but my question what if a PSN looses the PAN communication
(both primary and secondary)...

Thanks in Advance
0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to Jayashanker warrier

‎11-21-2018 02:34 AM

Please see my response inline- 

 

a) According to the discussion here PSN can now work as usual but might not
work in the case of any new policy changes and any new dictionary updates.
right?

NP - Yes thats correct 
b) Regarding Licensing the licenses are downloaded to PAN and then
distributed to PSN right?
If b) is right then how does PAN know that the licensing is violated since
now tracking of endpoints are not accurate (since one site is isolated and
does not have the count of endpoints from that site)

NP-PAN queries the session directory from MnT for showing any kind of license violation. If the PAN is not available, there will be no alerts for license violation. Also, Since MnT is available, the operational data will be available in MnT for all the sessions in PSN. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents