05-16-2019 08:55 AM
Hello all,
I just had a group of coworkers run a stress test on our ISE guest hotspot access to get a feel for performance and end user experiences. Of those who participated, 86% of them reported that it took anywhere between 3 and 4 website attempts before they received the URL redirect to the AUP page. I've noticed this behavior when I've tested for myself. Is there any reason why this would be happening? I'm running ISE 2.3 patch 6 with WLC code 8.5.140.0.
Terence
05-16-2019 09:48 AM
05-16-2019 11:03 AM
Jason,
I am running a distributed deployment with two PANs/MnTs along with two PSNs. All appliances are virtual, running on VMware using the OVA file to spin up the VM hardware resources. The number of users actively testing was approximately 10 (production guest users are estimated to be around 600 to 900 endpoints). Not sure about attempts per second. Here is a screenshot of the VM resource summary:
05-16-2019 12:08 PM
05-16-2019 12:15 PM
Hey Jason,
I think TAC may be the best route to go at this point. Again, it doesn't happen to everyone and it appears to be random. The version of ISE I'm on is 2.3 patch 6 and it's not in production, but we're ready to start moving it into production. I'm afraid to move to a higher release because I had a TAC case opened from June of 2018 that only got resolved when patch 6 for 2.3 was released back in March of this year. The issue went all the way up to the BU, so it pushed our deployment back for almost a year. Due to this, I'm very hesitant to upgrade lest I run into an issue that further delays our deployment.
05-16-2019 12:48 PM
05-16-2019 12:57 PM
Jason,
I think you're right on this one. It's better to do it now when we're not in production versus waiting until we are in production and then find that we need to upgrade and disrupt the entire network.
Thanks!
05-16-2019 01:37 PM
05-16-2019 03:00 PM
DNS plays a big part. Have you checked that DNS resolution works every time? If users are simply retrying the web page a few times and not actually disconnecting/reconnecting to the Wi-Fi, I'd look at this first. You could have a flaky DNS server somewhere.
If DNS is ok, review the ISE Live Logs to see if users authenticate and authorize properly each time they connect. The logs are invaluable most of the time.
Do they hit the right ISE rule for CWA URL to be pushed to the WLC?
Does the WLC have intermittent issues with RADIUS servers? (Can you see anything in the WLC logs?)
Do the clients have a good Wi-Fi signal?
Is the CWA ACL at the WLC configured correctly? (DNS servers all allowed, correct portal IP and ports allowed for both PSNs?)
As Jason said, there's lots we need to know, but I'd start with the above. You might be able to work it out from there.
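An added example, not part of the posts above: one way to run the "does DNS resolution work every time" check against a capture export, by pairing each query with its response per DNS server. The line format, IP addresses, thresholds and function names are assumptions constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample, one line per DNS packet seen on the guest WLAN.
# Fields: seconds, client IP, DNS server IP, transaction id, Q/R, name, rcode
SAMPLE = """\
0.000 10.0.0.21 192.0.2.53 0x1a01 Q example.com -
0.018 10.0.0.21 192.0.2.53 0x1a01 R example.com NOERROR
1.200 10.0.0.22 198.51.100.53 0x2b07 Q example.org -
3.200 10.0.0.22 198.51.100.53 0x2b08 Q example.org -
5.200 10.0.0.22 192.0.2.53 0x2b09 Q example.org -
5.221 10.0.0.22 192.0.2.53 0x2b09 R example.org NOERROR
7.000 10.0.0.23 198.51.100.53 0x3c11 Q example.net -
7.900 10.0.0.23 198.51.100.53 0x3c11 R example.net SERVFAIL
"""

def dns_health(text, slow=0.5):
    """Per-server counts of queries, unanswered, failed and slow responses."""
    pending = {}  # (client, server, txid) -> time the query was sent
    stats = defaultdict(lambda: {"queries": 0, "unanswered": 0, "failed": 0, "slow": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, txid, kind, _name, rcode = line.split()
        key = (client, server, txid)
        if kind == "Q":
            pending[key] = float(ts)
            stats[server]["queries"] += 1
        elif key in pending:  # response that matches a recorded query
            rtt = float(ts) - pending.pop(key)
            if rcode in ("SERVFAIL", "REFUSED"):
                stats[server]["failed"] += 1
            elif rtt > slow:
                stats[server]["slow"] += 1
    # Whatever is still pending never got an answer inside the capture window.
    for (_client, server, _txid) in pending:
        stats[server]["unanswered"] += 1
    return dict(stats)

def suspect_servers(stats, threshold=0.2):
    """Servers whose bad outcomes exceed `threshold` as a share of queries."""
    return sorted(
        server for server, s in stats.items()
        if (s["unanswered"] + s["failed"] + s["slow"]) / s["queries"] > threshold
    )

if __name__ == "__main__":
    result = dns_health(SAMPLE)
    for server, s in sorted(result.items()):
        print(server, s)
    print("suspect:", suspect_servers(result))
```

A server that shows up as suspect here while the other answers cleanly matches the "flaky DNS server" case: the client's first page loads stall on name resolution before any HTTP request exists for the WLC to redirect.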
05-17-2019 05:31 AM
Craig,
As for the policy with ISE, clients authenticate to the correct policy each time. This particular issue is hit or miss as it doesn't happen every time. There are times in which I get redirected immediately and other times it takes a few tries before being redirected. I haven't considered DNS so I'll look into running a capture from start to finish and seeing what my response time is for DNS.
05-17-2019 07:13 AM
I ran another test on our guest hotspot and got the URL redirect immediately. Response time for network and application looks good.
05-17-2019 09:04 AM
05-17-2019 09:14 AM