Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
820
Views
5
Helpful
3
Replies

ACS 5.1 Performance

Paul Williams
Level 1
Level 1

‎11-18-2010 05:18 AM - edited ‎03-10-2019 05:35 PM

First the background - we have four ACS5.1 appliances (all at patch revison 4), Box1 is the management box - so just used for accessing the web interface and setting stuff up, boxes 2 and 3 do the main bulk of the work and box 4 is basically a spare. Box 1 is also acting as the log collector. We have about 1200 NAS devices (cisco switches) and in the region of 12000 devices authenticating.

The question is - should take 40 seconds or more for each click in the web interface to result in a page turnover. i.e. from entering login details, to a usable interface takes 40 seconds, click on any item - and its another 40 seconds....and so on. You can imagine that setting up an Access Ploicy takes a long time.

Any ideas - I had thought about moving the log collector onto the spare box - would this make any difference?

Labels:
0 Helpful
3 Replies 3

Tiago Antunes
Cisco Employee
Cisco Employee

‎11-18-2010 06:13 AM

Hi,

Yes, if you have that many devices then it would improve a lot the performance of box 1 (assume it is the primary) if you move the log collection to another machine which would act uniquely as log collector.

Having 4 ACSs, usually they are configured like BOX1=primary, BOX 2 and BOX3=secondaries and the last one BOX4=log collector.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

dchamorro
Level 1
Level 1

‎11-18-2010 10:46 AM

Paul,

Just throwing it out there, but check the port speed/duplex settings. I had a similar problem and found that my techs had set the port to 100/full.

D.C.

0 Helpful

Paul Williams
Level 1
Level 1
In response to dchamorro

‎11-19-2010 04:01 AM

We did have this issue for a while - however I found it was because I had left  a physcial span tap device in line...removed that and the port on the 6509 that the ACS is conencted to now says 1000/full (on auto negotiation).

I have set up Cisco LMS - Health and Utilisation monitor to see if it is a port overload (as in volume of traffic) and will see where that goes.

In response to teh reply re: moving the logging - tried that and it did not seem to make any difference - if anything it seemed even slower....

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents