ISE 2.2 AnyConnect VPN Posture module Updates Specifications

Thomas Wall
Cisco Employee

The ISE performance and specs guide indicates that a 3595 appliance running ISE 2.3 can process 50 posture authentications per second. That said, we want to transition from compliance module 3.6.x to compliance module 4.2.x for all our remote VPN users. If we break apart the upgrade into 4 parts, this would mean around 2000 remote users are upgrading their compliance modules around the same time.

What system performance impact could we expect if we were to have 2,000+ users connecting and downloading the new compliance module in a relatively short timeframe, with 2 PSNs in the deployment as well as 4 PSNs?

-Thomas

Accepted Solution

Thomas,

Unfortunately we don't have the metrics for that since posture assessment had been the focus. Also the team had done similar testing for BYOD etc. on provisioning.

That said, you can create client provisioning policy based on different factors. Please see the screenshot that will give you an idea. So if group organization is a problem you can use NAS, Device groups and other factors for client provisioning policy.

Thanks

Krishnan


vrostowsky
Level 5

Thomas-

1. It sounds like you are already handling the posturing of the VPN clients running 3.6.x. The biggest load will be on the ASA cluster that will be distributing the updated 4.2.x posture module out to your VPN users.

2. "with 2 PSN's in the deployment as well as 4 PSN's?" Did you mean "4 MNT nodes?"


Vince

No, I have some deployments with 2 PSNs and some deployments with 4 PSNs. Both deployments have 2 dedicated admin nodes and 2 dedicated MNT nodes. We are handling the load currently but the concern is when we push the compliance module out all at once.

We can't do a phased approach due to an existing ISE bug (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg01627)

Thomas-

If possible, to reduce that load you can try to use the offline installers for the compliance agents and push them out in phases to help with the load.

https://supportforums.cisco.com/t5/aaa-identity-and-nac/ise-compliance-module/td-p/2648577

HTH-

Vince

Vince,

Thank you for your suggestions. I am hoping the ISE TME group will put in a response as well as this would be a great field to add to the overall ISE specs document.

-Thomas

Hi Thomas,

You can upgrade AnyConnect from the ASA as well, as Vince said. If that is the case, then you have to understand ASA performance for 2000k users in more detail. Also, I am not sure why you are saying all the 2000k remote users get upgraded at the same time. The upgrade happens only when you connect to the ASA and not during the VPN session.

Are you saying all the users will connect via VPN at the same time? Please clarify.

Thanks

Krishnan

Krishnan,

We have thousands of remote users who authenticate across the VPN every morning. They won't all connect at once, but we can expect them to authenticate within a short period of time as users come online for the workday. Once the users are connected to the VPN, the posture module in AnyConnect discovers ISE, checks for updates and then performs the posture checks. My question is centered around pushing the compliance module from ISE to each client after the VPN session is established and the effects it will have on the ISE policy nodes themselves. If all the load is on the ASA, then great, but my concern is the load, if any, that will be seen on the policy node as we push out the new compliance module.

Do you believe there would be a noticeable increase in the load on the ISE policy nodes as we are pushing out the new compliance module?

-Thomas

Thomas,

I have asked Engineering to provide further inputs.

Meanwhile, if you look at the ISE performance and scale numbers, it might be similar to the BYOD single/dual SSID provisioning numbers or slightly worse. I would suggest trying this with a limited set of users by creating a client provisioning policy in ISE that updates the compliance module only.

-Krishnan

Krishnan,

Thank you for reaching out to the engineering team. I look forward to their response. Our plan is to only upgrade the compliance module for a select number of users at a time, but due to the structure of our users and deployments that still includes up to 2000 users within the morning time frame. We are also looking at creating and testing new client provisioning policies based on AD group to further narrow down the users which receive the new update. That said, knowing the impact on the ISE policy nodes for the total amount of users will help us plan out our compliance module upgrades.

-Thomas
