Security

Hello,

I am working with a client on solutions to scale their ClearPass architecture. Part of my recommendation was to implement two new 25K appliances to act as Publisher and Standby Publisher.

Having never used the Standby Publisher feature, I was wondering about how some failover scenarios play out. Documentation and forum searches haven't helped me understand a whole lot, so hopefully someone knowledgeable can help me understand.

1. Assume a routing outage between our Publisher and Standby Publisher, but where all subscribers can still reach both Publisher and Standby (only Publisher and Standby can't reach each other). This would cause a false failover. What is the impact? How does one recover?
2. What data is lost during failure scenarios? i.e. Publisher down and Standby not yet automatically promoted, or in a false failover? What can be done to minimize data loss once all reachability is restored?
3. Are there any advantages to only relying on manual promotion to Publisher? Or perhaps any situation where manual promotion would be preferred? If manual promotion was used, what is the process to used to promote the original Publisher once it becomes available again without losing any data?
4. Any failure scenarios and mitigation/recovery strategies I haven't thought of, please also share.

Thanks,

Tim

based on my limited experience i would say data loss isn't that big an issue. you might choose to drop the logging when rejoining, but the rest  stays around fine. the scenario would be when you get the original publisher back you make it stand alone and then join the cluster.

recovery is (at least in my experience) often dropping one and rejoining it later as subcriber.

i see this as an option to make sure you get an clearpass you can do configuration on if the primary publisher fails for some reason. but as you mention doing that then manually is also an option.

Tim,

My relies......

1. Assume a routing outage between our Publisher and Standby Publisher, but where all subscribers can still reach both Publisher and Standby (only Publisher and Standby can't reach each other). This would cause a false failover. What is the impact? How does one recover?
   [djj] - Yes, if you had PUB-standby configured then standby will take over... all SUB's will move to the new PUB and TRUST him. Recovery will significantly improve in 6.5, when we add a 'SINGLE CLICK RESTORE'....NICE..!!!
   
   
2. What data is lost during failure scenarios? i.e. Publisher down and Standby not yet automatically promoted, or in a false failover? What can be done to minimize data loss once all reachability is restored?
   [djj] - what is lost if what was in flight between old-active-PUB and standby-PUB when data-path failed between these nodes.
   
   
3. Are there any advantages to only relying on manual promotion to Publisher? Or perhaps any situation where manual promotion would be preferred? If manual promotion was used, what is the process to used to promote the original Publisher once it becomes available again without losing any data?
   [djj] - Manual v Auto is purely a customer speciifc question. Restoring the old-PUB is currenty not optimized, as I said in 6.5 we will have the single-click-restore.
   
   
4. Any failure scenarios and mitigation/recovery strategies I haven't thought of, please also share.

Take a look at my Cluster TechNote.... lot of content in ther around this subject.

HTH

Danny,

Has the single click Publisher restore feature been implemented yet?  If so do you have a link to how is works?

Thanks,

Jeff