
Secondary Role PSN as active and Primary Role PSN as standby

Mady
Level 4

Hi, 

We have two PSN ISE nodes, and on the WLC we specified ISE1 as Authentication Server 1. We removed ISE2 because of some issue, but after we added it again all authentications were transferred to ISE2. On the WLC, the fallback mode is off.

When I issued show tech on ISE, I saw below output.

Displaying ISE deployment ...
*****************************************
Node Config Details

NAME PERSONA ROLE ACTIVE REPLICATION
------------------- --------------- ---------- ---------- ---------------
ISE1 PAN,MNT,PSN PRIMARY STANDBY Not Applicable
ISE2 PAN,MNT,PSN SECONDARY ACTIVE SYNC COMPLETED

Is there a way to force the ISE1 to become active?

Thanks!

2 Replies

Hi Mady

It could be that during the sync, the WLC marked ISE1 as down because of the default RADIUS server timeout of 2 seconds, which can be fairly aggressive if ISE1 is heavily loaded with authentication requests on top of the sync operation to the secondary node.

I would recommend increasing the server timeout to between 5 and 10 seconds, removing ISE2 for the time being, then adding it back later and checking the result.

I would also advise you to disable the aggressive failover feature on the WLC, which marks the RADIUS server as down immediately after one failed response. Disabling this feature forces the WLC to fail over to the next RADIUS server only if three consecutive clients fail to receive a response from the RADIUS server.

These are the WLC recommended timers from Cisco Live:

  • Idle timeout: Leave global at 300 seconds, Open networks 300 seconds, Dot1x networks 3600s can be used
  • Client Exclusions: Enable them and set for 180 seconds
  • Session Timeout: Set it per security policy, preferably 7200+ seconds
  • Aggressive Failover: Disabling reduces load on ISE but can increase failover times
  • Configure Fast Secure Roaming to reduce RADIUS load during roam
  • Advanced EAP Timers:
    • config advanced eap identity-request-timeout 3
    • config advanced eap identity-request-retries 10
    • config advanced eap request-timeout 3
    • config advanced eap request-retries 10
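To make the reasoning in the reply above concrete, here is an added example (not from the thread or from Cisco) that models the WLC failover rule it describes: with aggressive failover one late or missing RADIUS reply marks the server down, without it three consecutive clients must fail. The per-client latencies are constructed, and the model assumes one RADIUS request per client with no retransmits.

```python
from typing import Optional, Sequence

# Simplified model of the WLC RADIUS failover rule described in the reply
# (assumption: one RADIUS request per client, no retransmits). Not Cisco code.
DEFAULT_TIMEOUT_S = 2.0          # WLC default RADIUS server timeout quoted in the reply
NON_AGGRESSIVE_FAILURES = 3      # consecutive failed clients before failover when aggressive failover is off


def client_failed(latency_s: Optional[float], timeout_s: float) -> bool:
    """A client's RADIUS exchange counts as failed when no reply arrived (None)
    or the reply arrived only after the WLC server timeout had expired."""
    return latency_s is None or latency_s > timeout_s


def failover_index(latencies_s: Sequence[Optional[float]], timeout_s: float,
                   aggressive_failover: bool) -> Optional[int]:
    """Return the 0-based index of the client at which the WLC would mark the
    RADIUS server down and fail over to the next one, or None if it never does.

    aggressive_failover=True : one failed response is enough.
    aggressive_failover=False: three consecutive clients must fail."""
    needed = 1 if aggressive_failover else NON_AGGRESSIVE_FAILURES
    consecutive = 0
    for idx, latency in enumerate(latencies_s):
        if client_failed(latency, timeout_s):
            consecutive += 1
            if consecutive >= needed:
                return idx
        else:
            consecutive = 0          # a timely reply resets the consecutive-failure count
    return None


# Constructed sample: ISE1 replies slowly while it is also syncing ISE2.
SYNC_WINDOW_LATENCIES = [0.9, 3.4, 1.1, 0.7, 2.6]   # seconds, one entry per client


def compare_settings(latencies_s: Sequence[Optional[float]] = SYNC_WINDOW_LATENCIES) -> dict:
    """Evaluate the same traffic under the default and the recommended settings."""
    return {
        "default_2s_aggressive": failover_index(latencies_s, DEFAULT_TIMEOUT_S, True),
        "default_2s_no_aggressive": failover_index(latencies_s, DEFAULT_TIMEOUT_S, False),
        "recommended_10s_aggressive": failover_index(latencies_s, 10.0, True),
    }


if __name__ == "__main__":
    for setting, idx in compare_settings().items():
        state = "stays on ISE1" if idx is None else f"fails over at client {idx + 1}"
        print(f"{setting:28s} -> {state}")
```

With the sample latencies, only the default 2-second timeout combined with aggressive failover moves authentication off ISE1 (at the second client); either raising the timeout or disabling aggressive failover keeps the WLC on ISE1.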

Hi Mohamed,

Thank you for your response. :) 

We tried changing the server timeout to 10 sec and removing the secondary ISE; after that we could not see the (*) sign on either ISE in the WLC.

Do you know how we can track back why the secondary ISE became active even though the primary ISE is still up?

Thanks!