AnsweredAssumed Answered

What is the impact if Primary Instance is down?

Question asked by Nishanth Shaga on May 2, 2019
Latest reply on May 2, 2019 by Erica Chalfin

Like • Show 0 Likes0
Comment • 3

Due to maintenance activity on VMWare, we need to shutdown our primary instance for 4 hrs. I know we can't perform administrative activities during this time as primary is down and we are fine to buy this time with a change ticket. Need help on understanding below during this activity.

We have 4 replicas in our deployment. Replicas servers will be active and complete authentications for users?
What will be the status of replication in replica server?
Will this have any impact on Authentication Agents, Radius clients or any application protected using RSA AM?
Post maintenance activity, if we start the primary instance, does replication will start automatically and function normally?

Erica Chalfin

May 2, 2019 9:29 AM

Correct Answer

Nishanth Shaga,

We have 4 replicas in our deployment. Replicas servers will be active and complete authentications for users?

While your primary is down, your replica servers will pick up the authentication requests from your end users, that is the whole point of having multiple authentication servers

What will be the status of replication in replica server?

The primary will show as Instance Offline. Replication may show as out of synch while the primary is down but that is to be expected since the replica(s) cannot communicate with the primary. Once the primary is back online, replication status should return to normal.

Will this have any impact on Authentication Agents, Radius clients or any application protected using RSA AM?

It should not. Any authentication requests from your agents, RADIUS clients and other apps protected by Authentication Manager will work without impact. Before the primary is taken offline, you may want to check the authentication activity logs and confirm that the agents, clients, etc. have authenticated not only to the primary but also to the replica server(s) to verify the requests will go to the other servers.

Post maintenance activity, if we start the primary instance, does replication will start automatically and function normally?

Once you restart the primary, it will communicate with your replicas. The replica servers will send their authentication logs and other information to the primary. The primary will then share that information amongst all replicas so they are all aware of authentications that happened, PIN changes, etc.

Regards,

Erica

See the reply in context

No one else had this question

Outcomes

Erica Chalfin

May 2, 2019 9:29 AM

Nishanth Shaga,

We have 4 replicas in our deployment. Replicas servers will be active and complete authentications for users?

While your primary is down, your replica servers will pick up the authentication requests from your end users, that is the whole point of having multiple authentication servers

What will be the status of replication in replica server?

Will this have any impact on Authentication Agents, Radius clients or any application protected using RSA AM?

Post maintenance activity, if we start the primary instance, does replication will start automatically and function normally?

Regards,

Erica

2 people found this helpful

Actions

Jay Guillette

@ Erica Chalfin on May 2, 2019 2:04 PM

To kind of call out the gotchas that are in the details of what Erica answered;

1. if your replicas were not in synch before the primary went offline, they might give different answers to new users they did not know about, but that is why you check replication status before the 4 hour Primary maintenance downtime

2. the 'other' info Erica alluded to in her last answer is basically PIN changes. If a user changed their PIN on a replica during that 4 hour window, other replicas would not know about this new PIN until the primary came back on line. In my experience this is usually a very small risk, but if you have 10s of thousands of users who authenticated several times during a 4 hour period, someone might fail with Bad PIN but good tokencode if their other authentication went to a different replica than the one they entered their new PIN on. Actually they might get prompted for new PIN a second time. Rare but something to be aware of in very large and dynamic deployments.

1 person found this helpful

Actions

Erica Chalfin

@ Jay Guillette on May 2, 2019 7:38 PM

Jay Guillette,

Thanks for the backup!

regards,

Erica

Actions

3 Replies

Erica Chalfin May 2, 2019 9:29 AM
Unmark Correct
Correct Answer
Nishanth Shaga,
- We have 4 replicas in our deployment. Replicas servers will be active and complete authentications for users?
While your primary is down, your replica servers will pick up the authentication requests from your end users, that is the whole point of having multiple authentication servers
- What will be the status of replication in replica server?
The primary will show as Instance Offline. Replication may show as out of synch while the primary is down but that is to be expected since the replica(s) cannot communicate with the primary. Once the primary is back online, replication status should return to normal.
- Will this have any impact on Authentication Agents, Radius clients or any application protected using RSA AM?
It should not. Any authentication requests from your agents, RADIUS clients and other apps protected by Authentication Manager will work without impact. Before the primary is taken offline, you may want to check the authentication activity logs and confirm that the agents, clients, etc. have authenticated not only to the primary but also to the replica server(s) to verify the requests will go to the other servers.
- Post maintenance activity, if we start the primary instance, does replication will start automatically and function normally?
Once you restart the primary, it will communicate with your replicas. The replica servers will send their authentication logs and other information to the primary. The primary will then share that information amongst all replicas so they are all aware of authentications that happened, PIN changes, etc.

Regards,
Erica
2 people found this helpful
Like • Show 3 Likes3
Actions
- Jay Guillette @ Erica Chalfin on May 2, 2019 2:04 PM
  Mark Correct
  Correct Answer
  To kind of call out the gotchas that are in the details of what Erica answered;
  1. if your replicas were not in synch before the primary went offline, they might give different answers to new users they did not know about, but that is why you check replication status before the 4 hour Primary maintenance downtime
  2. the 'other' info Erica alluded to in her last answer is basically PIN changes. If a user changed their PIN on a replica during that 4 hour window, other replicas would not know about this new PIN until the primary came back on line. In my experience this is usually a very small risk, but if you have 10s of thousands of users who authenticated several times during a 4 hour period, someone might fail with Bad PIN but good tokencode if their other authentication went to a different replica than the one they entered their new PIN on. Actually they might get prompted for new PIN a second time. Rare but something to be aware of in very large and dynamic deployments.
  1 person found this helpful
  Like • Show 1 Like1
  Actions
  - Erica Chalfin @ Jay Guillette on May 2, 2019 7:38 PM
    Mark Correct
    Correct Answer
    Jay Guillette,
    
    Thanks for the backup!
    
    regards,
    Erica
    Like • Show 0 Likes0
    Actions

What is the impact if Primary Instance is down?

Outcomes

Related Content

Recommended Content