Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1116
Views
1
Helpful
4
Replies

Automatic Admin Node Failover for more small deployments

Go to solution
rmueller@cisco.com
Cisco Employee
Cisco Employee

‎10-21-2016 12:28 AM

Hi folks,

my customer is planning to deploy ISE in a small deployment: One node as PAN/MnT/PSN and a second node also with Admin(secondary)/MnT/PSN.

Now he would like to deploy a 3rd node to act as a health-check node to support automatic failover for Admin node.

According to the scaling guidelines, it is not supported to register a 3rd node to a 2-node deployment where the two nodes have all three  personas. Is there an exeption for the case of the health check node? So would the following deployment be allowed/supported:

ISE -instance 1: PAN/MnT/PSN

ISE-instance 2: (s)AN/MnT/PSN

ISE-instance 3: PSN, health-check (PSN will not be used as such, no RADIUS-requests will be sent to that node)

Thanks in advance.

Roland

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-21-2016 08:32 AM

No this design hasn't been tested, and thus not supported.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-21-2016 08:32 AM

No this design hasn't been tested, and thus not supported.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10

‎10-24-2016 08:57 AM

Hosuk is correct.  The basic requirement that you have an "objective observer" to make the failover decision.  The Primary PAN cannot monitor itself and concern over Secondary making that decision is that if break link between Primary and Secondary, then increase potential for a split brain (Active/Active) deployment where connectivity between NADs is still possible to individual nodes.  Architecture currently does not support an "auto-reconciliation" of config changes or data that may have been learned during Active/Active, so decision made to make sure health check node is separate.

Craig

Go to solution
rmueller@cisco.com
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎10-24-2016 10:12 AM

Hi Craig,

thanks for the explanation.

I am fine to have a seperate node as health-check node, but if I follow strictly the deployment guide I have to move from a "small" deployment (with only two "productive" nodes) to a medium deployment, otherwise I am not allowed to register a seperate health-check node. This means, although two nodes would be fine scalability wise, the customer would have to deploy 4 ise instances + health node just to get automatic PAN failover.

Or do I miss something?

Roland

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to rmueller@cisco.com

‎10-24-2016 10:41 AM

Correct.  Unfortunately we do not QA test a scenario where we have a separate check node with no other function.  Although no testing to support, I would expect minimal impact if no User Services (RADIUS / Profiling) or optionally pxGrid services, however, there is still an impact on the PPAN node to maintain health and replication of this additional node. It may still be minimal, especially if node has reasonable connectivity (minimal WAN latency/bw for replication), the actual impact is not measured.  Consequently, you could configure it and it may present minimal risk, but any issues related to deployment stability or scaling will likely bring this configuration into question and could require de-registration for continued TAC support.  

Hope that clarifies.

Craig

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents