cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2092
Views
0
Helpful
5
Replies

Promote Cisco ISE Secondary Admin node to primary Admin Node

Hi,

 

I am planning on promoting Cisco ISE 2.3 Secondary admin node to primary, it is an 3495 appliance, my question is do i have to do a manual sync up before i promote it and my radius traffic which is currently being served by 4 PSN's will that be disrupted when my PAN restarts?

 

Please Advise.

Thanks

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Beginner

Re: Promote Cisco ISE Secondary Admin node to primary Admin Node

Just make sure that the status of all your nodes is healthy and online, there is no need to do manual sync up.

In regards to the RADIUS auths on PSNs , they will not be disrupted, you just loose the ability to make changes and administer the deployment while the secondary admin node is being promoted to primary.

View solution in original post

RJI Advisor
Advisor

Re: Promote Cisco ISE Secondary Admin node to primary Admin Node

You should only need to manually sync if the nodes have a warning telling you they are out of sync.

When you perform the PAN promotion, the services on both nodes will restart at somepoint. Starting/Restarting the services in ISE is generally slow. So if you are running services such as guest, byod or anything that writes to the database you won't have access whilst for a period. If all you are running is basic 802.1x RADIUS auth, as agrissimanis said should not be disrupted.

View solution in original post

5 REPLIES 5
Highlighted
Beginner

Re: Promote Cisco ISE Secondary Admin node to primary Admin Node

Just make sure that the status of all your nodes is healthy and online, there is no need to do manual sync up.

In regards to the RADIUS auths on PSNs , they will not be disrupted, you just loose the ability to make changes and administer the deployment while the secondary admin node is being promoted to primary.

View solution in original post

RJI Advisor
Advisor

Re: Promote Cisco ISE Secondary Admin node to primary Admin Node

Hi,

The Primary PAN and Secondary PAN should be in sync all the time, unless an issue. No harm running a manual sync before promoting Secondary PAN to Primary.

 

During the period the old P-PAN is down and the Secondary is being promoted to be the new Primary PAN, the database would be offline for a period. Check out this section in the ISE Admin Guide to confirm what will and won't be effected when the PAN is down.

 

Depending on what services you are running on the PSNs you might find you will not impact authentications, but it might be wise to promote the PAN out of hours.

 

HTH

Re: Promote Cisco ISE Secondary Admin node to primary Admin Node

RJI,

My primary PAN is healthy nothing wrong with it and i want to promote my secondary PAN because it was primary prior to my ISE upgrade. Will both the PAN's restart after i login into the secondary pan and promote it?
if so will they restart at the same time or will they restart one after the other?

with respect to manual sync the node will restart again which will result my node to restart twice through the whole process, so i am trying to understand how important it is to do a manual sync.

Thanks
RJI Advisor
Advisor

Re: Promote Cisco ISE Secondary Admin node to primary Admin Node

You should only need to manually sync if the nodes have a warning telling you they are out of sync.

When you perform the PAN promotion, the services on both nodes will restart at somepoint. Starting/Restarting the services in ISE is generally slow. So if you are running services such as guest, byod or anything that writes to the database you won't have access whilst for a period. If all you are running is basic 802.1x RADIUS auth, as agrissimanis said should not be disrupted.

View solution in original post

Re: Promote Cisco ISE Secondary Admin node to primary Admin Node

Hi All,

 

I personally experienced directly, when you are a design in redundancy Deployment ( 2 Node HA) in which you are PAN/MON/PSN on the same node, I can confirm the Both Node restart and this cause the outage service.