In this post I will show you how to promote ISE secondary PAN to be the primary. The process is pretty easy, the only thing is that there would not be a way to do this from the primary PAN. So, to promote the secondary PAN to be the primary we need to log into the secondary PAN, and promote it manually from there.
When we promote the secondary PAN to be the primary, a whole synch between the two nodes will happen. Also, the application services on both nodes are going to be restarted.
The whole operation might take up to 15 minutes based on what I have seen on different deployments so far. During the promotion process any logged user to the management console will be kicked off. That is due to the application services restarting.
However, the dot1x and MAB authenticated users or devices should not be affected by this operation. That is because those authenticated sessions have been already served by ISE nodes. But if any of those sessions happened to time out and needs to re-authenticate while the applications did not complete the restart, the authentication might fail.
A couple of things to remember with ISE failover is that in an ISE two nodes deployment there is no possibility to run an auto failover. ISE auto failover requires at a minimum three nodes. Two will be the two PANs, and one extra node. This extra node can be a PSN as an example. The extra node will act as a health checker to the primary PAN. When the primary PAN goes down, the health checker node will send a request to the secondary PAN to promote to the primary.
However, we can also use two health checker nodes. In that case, the closest to the primary PAN will monitor the primary PAN, and the closes to the secondary PAN will monitor the secondary PAN.
The other thing to remember is that with ISE failover in general there is no preemption. Which means if you promote manually the secondary PAN to become the primary, or if you have a deployment with three or more nodes and you have the auto failover enabled, when the old primary comes back online, ISE will not re-promote it to become the primary again. The old primary PAN will keep being the new secondary PAN in the deployment.
A good CLI command you can use to keep an eye on the synch progress is show logging system ade/ADE.log tail. This command shows a whole lot of things, but I consider it pretty useful and I use it a lot. Our topology is pretty simple, we have a two nodes deployment.
Topology
Deployment
Connect to the secondary PAN through HTTPS
This wraps this post about how to promote ISE secondary PAN to be the primary.
Thank you for reading!
Thanks Aref.
Always brilliant blogs without putting your readers to sleep.
Thank you! How do you exit from the tail function?
You welcome! Pressing the ctrl+c should interrupt the tail function.