Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2113
Views
5
Helpful
2
Replies

pxGrid redundancy issue with FMC and ISE

Go to solution
Chess Norris
Level 4
Level 4

‎11-12-2018 05:12 AM - edited ‎02-21-2020 08:27 AM

Hi,

 

I am testing Rapid Threat Containment with Firepower and ISE and noticed a strange issue with the pxGrid service used for communication with ISE. We are using multiple ISE nodes in a distributed environment and the pxGrid service is running on two of the ISE nodes. In FMC I have configured primary and secondary ISE nodes under Integration - Identity Sources.

When using the test function in FMC, I can see that the communication to the primary node is successful but the test is failing to the secondary node. However, I read somewhere in the pxGrid guide that this was an expected behavior so I didn't gave it much thoughts.

To test the redundancy I shut down the primary ISE node and started the test again. This time both ISE nodes where failing and it took about 3 minutes before the secondary node started to answer and the test was successful. The same behavior happened when I started the primary pxGrid node and the test failed even though the secondary node was still up.

Is this an expected behavior or is something wrong with our setup?

 

Thanks

/Jorgen

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
edgar.reinke
Level 1
Level 1

‎11-13-2018 02:09 PM

It should be an expected behavior (Administration Guide 2.3, Chapter : Set Up Cisco ISE in a Distributed Environment):

In a high availability deployment, when the primary pxGrid node goes down, it might take around 3 to 5 minutes to switchover to the secondary pxGrid node. It is recommended that the client waits for the switchover to complete, before clearing the cache data in case of primary pxGrid node failure.

 

Edgar

View solution in original post

2 Replies 2

Go to solution
edgar.reinke
Level 1
Level 1

‎11-13-2018 02:09 PM

It should be an expected behavior (Administration Guide 2.3, Chapter : Set Up Cisco ISE in a Distributed Environment):

In a high availability deployment, when the primary pxGrid node goes down, it might take around 3 to 5 minutes to switchover to the secondary pxGrid node. It is recommended that the client waits for the switchover to complete, before clearing the cache data in case of primary pxGrid node failure.

 

Edgar

Go to solution
Chess Norris
Level 4
Level 4
In response to edgar.reinke

‎11-14-2018 12:09 AM

Thank you!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card