https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3772341#M486610 I don't see this a problem. I have PSN deployments between two countries<BR />with 60 msec deployments and things are running smoothly.<BR /><BR />The problem with MAR itself and its stability. I have seen MAR behaving<BR />strange which finally made me move to EAP-FASTv2 which links user and<BR />machine authentication natively.<BR /><BR />I read many cisco articles and posts about same problems of MAR which I was<BR />facing such as losing sync between user and machine auth that cause<BR />intermittent loss of connection, users logoff but don't get connection<BR />after login, etc<BR /> Thu, 03 Jan 2019 16:33:16 GMT Mohammed al Baqari 2019-01-03T16:33:16Z https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3771578#M486601 <P>&nbsp;</P> <P>&nbsp;</P> <P>I have a large deployment with 10 PSNs spread between two datacenters.&nbsp; The two datacenters are in the same city with very high speed low latency links (sub 10 ms) running between them.&nbsp;&nbsp; Functionally they can be considered the same LAN.</P> <P>&nbsp;</P> <P>Current I have the 5 PSNs in each datacenter configured into their own node group with MAR cache sync turned on.&nbsp; All RADIUS authentication is sent to DC 1 with DC 2 as backup.&nbsp;&nbsp; This means DC1's MAR cache will be accurate, but in the event of a failover to DC2 it won't have an accurate MAR cache meaning any rules using MAR cache attribute would fail.</P> <P>&nbsp;</P> <P>I am debating putting all 10 PSNs into the same node group and want to know the thoughts about doing this:</P> <P>&nbsp;</P> <OL> <LI>I know technically node groups aren't supposed to span sites, but honestly DCs in the same city with high speed/low latency interconnects is that really a problem?</LI> <LI>Is 10 nodes in a node group with MAR cache synchronization a concern?</LI> </OL> <P>Thanks.</P> Thu, 03 Jan 2019 13:50:01 GMT https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3771578#M486601 paul 2019-01-03T13:50:01Z https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3772341#M486610 I don't see this a problem. I have PSN deployments between two countries<BR />with 60 msec deployments and things are running smoothly.<BR /><BR />The problem with MAR itself and its stability. I have seen MAR behaving<BR />strange which finally made me move to EAP-FASTv2 which links user and<BR />machine authentication natively.<BR /><BR />I read many cisco articles and posts about same problems of MAR which I was<BR />facing such as losing sync between user and machine auth that cause<BR />intermittent loss of connection, users logoff but don't get connection<BR />after login, etc<BR /> Thu, 03 Jan 2019 16:33:16 GMT https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3772341#M486610 Mohammed al Baqari 2019-01-03T16:33:16Z https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3772357#M486620 Do you have the PSNs all in one node group with MAR sync? How many PSNs total?<BR /><BR /><BR /> Thu, 03 Jan 2019 16:42:17 GMT https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3772357#M486620 paul 2019-01-03T16:42:17Z https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3772384#M486625 Hi, yes I have all PSNs in same group. In total they are 4<BR /> Thu, 03 Jan 2019 17:28:16 GMT https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3772384#M486625 Mohammed al Baqari 2019-01-03T17:28:16Z https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3773128#M486633 <P>On 1. With high speed and low latency, it's technically LAN speed so I would not expect any issue other than potentially physical disconnects.</P> <P>On 2. With 10 in the same node group appears too much. I would suggest 2 in each group, as it could contribute to more time to authenticate an endpoint when ISE tries querying the other PSNs in the group if the cache not found locally.</P> Fri, 04 Jan 2019 16:40:00 GMT https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3773128#M486633 hslai 2019-01-04T16:40:00Z https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3773138#M486640 Thx for the response. The issue is the MAR cache sync. It only works in the same node group. So in your mind 10 is no good. <BR /><BR /> Fri, 04 Jan 2019 16:51:16 GMT https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3773138#M486640 paul 2019-01-04T16:51:16Z https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3773192#M486644 Yes, that's true<BR /> Fri, 04 Jan 2019 18:16:16 GMT https://community.cisco.com/t5/network-access-control/mar-cache-synchronization-across-large-number-of-psns/m-p/3773192#M486644 Mohammed al Baqari 2019-01-04T18:16:16Z