ISE PSN Reboot/Loss Expectations

scamarda
Cisco Employee

Is there a document that defines what is lost when a PSN is rebooted or lost? I've read the HA part that describes the benefits of a Node Group so a client will not be stuck in an intermediate state when being redirected if a PSN fails. Are there any other real-time features/sessions lost? If a customer needed to do maintenance on a PSN and wanted to take the PSN off of the NAD AAA configuration, is there a way to monitor if any client sessions are still being authenticated after it is removed?

Second question: when a PSN reboots, the assumption is that it boots up with its internal database copy. Is that correct? Will it use its local DB copy and then request any changes?

Thanks.

Accepted Solutions

hslai
Cisco Employee

BRKSEC-3699 - Designing ISE for Scale and High Availability (2017 Melbourne) has info on HA of various personas. If we focus on RADIUS AAA, the ones impacted would be those relying on the session contexts of the existing sessions. For example, CWA without using endpoint group assignments and endpoint posture. For CWA sessions, the endpoints will go back to the ISE webauth portal(s), in case the original PSN authenticating the sessions is taken offline. For ISE posture, it could be tricky during re-authentications (see CSCuw93919).


For monitoring, we could take a look at the active session reports before taking the PSN offline and evaluate its impacts.


After the PSN has rebooted, it would use its configurations residing in the local copy of policies and info in the database, and then the replication should resume unless the node is taken offline for a long period of time or other factors are affecting the replication.
