Contributor II
Posts: 43
Registered: ‎07-01-2013

Standby publisher failover scenarios and recovery

Hello,

 

I am working with a client on solutions to scale their ClearPass architecture. Part of my recommendation was to implement two new 25K appliances to act as Publisher and Standby Publisher.

 

Having never used the Standby Publisher feature, I was wondering about how some failover scenarios play out. Documentation and forum searches haven't helped me understand a whole lot, so hopefully someone knowledgeable can help me understand.

 

  1. Assume a routing outage between our Publisher and Standby Publisher, but where all subscribers can still reach both Publisher and Standby (only Publisher and Standby can't reach each other). This would cause a false failover. What is the impact? How does one recover?
  2. What data is lost during failure scenarios? i.e. Publisher down and Standby not yet automatically promoted, or in a false failover? What can be done to minimize data loss once all reachability is restored?
  3. Are there any advantages to only relying on manual promotion to Publisher? Or perhaps any situation where manual promotion would be preferred? If manual promotion was used, what is the process used to promote the original Publisher once it becomes available again without losing any data?
  4. Any failure scenarios and mitigation/recovery strategies I haven't thought of, please also share.

 

Thanks,

Tim

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA, Aruba Partner Ambassador
MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Standby publisher failover scenarios and recovery

Based on my limited experience I would say data loss isn't that big an issue. You might choose to drop the logging when rejoining, but the rest stays around fine. The scenario would be when you get the original publisher back you make it stand alone and then join the cluster.

 

Recovery is (at least in my experience) often dropping one and rejoining it later as subscriber.

 

I see this as an option to make sure you get a ClearPass you can do configuration on if the primary publisher fails for some reason. But as you mention, doing that then manually is also an option.

Moderator
Posts: 458
Registered: ‎11-09-2012

Re: Standby publisher failover scenarios and recovery

Tim,

 

My replies......

 

  1. Assume a routing outage between our Publisher and Standby Publisher, but where all subscribers can still reach both Publisher and Standby (only Publisher and Standby can't reach each other). This would cause a false failover. What is the impact? How does one recover?
    [djj] - Yes, if you had PUB-standby configured then standby will take over... all SUBs will move to the new PUB and TRUST him. Recovery will significantly improve in 6.5, when we add a 'SINGLE CLICK RESTORE'....NICE..!!!

  2. What data is lost during failure scenarios? i.e. Publisher down and Standby not yet automatically promoted, or in a false failover? What can be done to minimize data loss once all reachability is restored?
    [djj] - What is lost is what was in flight between old-active-PUB and standby-PUB when data-path failed between these nodes.

  3. Are there any advantages to only relying on manual promotion to Publisher? Or perhaps any situation where manual promotion would be preferred? If manual promotion was used, what is the process used to promote the original Publisher once it becomes available again without losing any data?
    [djj] - Manual v Auto is purely a customer specific question. Restoring the old-PUB is currently not optimized, as I said in 6.5 we will have the single-click-restore.

  4. Any failure scenarios and mitigation/recovery strategies I haven't thought of, please also share.

Take a look at my Cluster TechNote.... lot of content in there around this subject.

 

HTH


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
