Cisco Employee

ISE 2.2 AnyConnect VPN Posture module Updates Specifications

The ISE performance and specs guide indicates that a 3595 appliance running ISE 2.3 can process 50 posture authentications per second. That said, we want to transition from compliance module 3.6.x to compliance module 4.2.x  for all our remote VPN users. If we break apart the upgrade into 4 parts, this would mean around 2000 remote users are upgrading their compliance modules around the same time.

What system performance impact could we expect if we were to have 2,000+ users connecting and downloading the new compliance module in a relatively short timeframe with 2 PSN’s in the deployment as well as 4 PSN’s?

-Thomas

Accepted Solutions
Cisco Employee

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Thomas,

Unfortunately we don't have the metrics for that since posture assessment had been the focus. Also, the team had done similar testing for BYOD etc. on provisioning.

That said, you can create client provisioning policy based on different factors. Please see the screenshot, which will give you an idea. So if group organization is a problem, you can use NAS, device groups and other factors for client provisioning policy.

Thanks

Krishnan

Contributor

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Thomas-

1. It sounds like you are already handling the posturing of the VPN clients running 3.6x. The biggest load will be on the ASA cluster that will be distributing the updated 4.2x posture module out to your VPN users.

2. "with 2 PSN's in the deployment as well as 4 PSN's?" Did you mean "4 MNT nodes?"


Vince

Cisco Employee

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

No, I have some deployments with 2 PSNs and some deployments with 4 PSNs. Both deployments have 2 dedicated admin nodes and 2 dedicated MNT nodes. We are handling the load currently but the concern is when we push the compliance module out all at once.

We can't do a phased approach due to an existing ISE bug (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg01627)

Contributor

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Thomas-

If possible, to reduce that load, you can try to use the offline installers for the compliance agents and push them out in phases to help with the load.

https://supportforums.cisco.com/t5/aaa-identity-and-nac/ise-compliance-module/td-p/2648577

HTH-

Vince

Cisco Employee

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Vince,

Thank you for your suggestions. I am hoping the ISE TME group will put in a response as well as this would be a great field to add to the overall ISE specs document.

-Thomas

Cisco Employee

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Hi Thomas,

You can upgrade AnyConnect from the ASA as well, as Vince said. If that is the case, then you have to understand more about ASA performance for 2000k users. Also, I am not sure why you are saying all the 2000k remote users get upgraded at the same time. The upgrade happens only when you connect to the ASA and not during the VPN session.

Are you saying all the users will connect via VPN at the same time? Please clarify.

Thanks

Krishnan

Cisco Employee

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Krishnan,

We have thousands of remote users who authenticate across the VPN every morning. They won't all connect at once, but we can expect them to authenticate within a short period of time as users come online for the workday. Once the users are connected to the VPN, the posture module in AnyConnect discovers ISE, checks for updates and then performs the posture checks. My question is centered around pushing the compliance module from ISE to each client after the VPN session is established and the effect it will have on the ISE policy nodes themselves. If all the load is on the ASA, then great, but my concern is the load, if any, that will be seen on the policy nodes as we push out the new compliance module.

Do you believe there would be a noticeable increase in the load on the ISE policy nodes as we are pushing out the new compliance module?

-Thomas

Cisco Employee

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Thomas,

I have asked Engineering to provide further inputs.

In the meantime, if you look at the ISE performance and scale, it might be similar to the BYOD single/dual SSID provisioning numbers or slightly worse. I would suggest trying this with a limited set of users by creating a client provisioning policy to update the compliance module only in ISE.

-Krishnan

Cisco Employee

Re: ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Krishnan,

Thank you for reaching out to the engineering team. I look forward to their response. Our plan is to only upgrade the compliance module for a select number of users at a time, but due to the structure of our users and deployments that still includes up to 2000 users within the morning time frame. We are also looking at creating and testing new client provisioning policies based on AD group to further narrow down the users which receive the new update. That said, knowing the impact on the ISE policy nodes for the total amount of users will help us plan out our compliance module upgrades.

-Thomas
