
Factors that limit maximum concurrent sessions in ISE distributed deployment

Mohaninj
Cisco Employee

What are the factors/dependencies that limit the maximum concurrent sessions and number of PSNs in hybrid and dedicated distributed deployments?

Why is there a huge difference between hybrid and dedicated ISE deployments in max supported concurrent sessions (20K and 500K sessions) and number of PSNs (5 and 50 PSNs)? Just adding two dedicated MNTs in dedicated distributed mode drastically improves the number of sessions and PSNs. How exactly does this work?

3 Replies

Arne Bier
VIP

Good question. The MnT node has always been a bit of a special beast. I suppose it comes down to the fact that the dedicated MnT node will only need to log a lot of SYSLOG data, as opposed to having to manage the Session Database as well (PAN role).

The PSNs are still restricted to 20K concurrent sessions, whether you have a 5 node setup, or a 50 node setup. But when you do the maths, 50 * 20K = 1 million - this is more than the stated supported max of 500,000 concurrent sessions.

I don't think any of this is exact maths/science and the BU are simply quoting numbers that we should align ourselves to. Would you feel good having more than 20,000 concurrent sessions per PSN? Maybe better to spread the load out a bit. I see that in ISE 2.6 the scalability numbers have increased again. SNS-36xx has more horsepower.

I still feel that a machine with 8 cores and 64GB of RAM can do a lot more than what's quoted on the ISE data sheet. The use of a traditional SQL database and the Java engine seems to be the biggest bottleneck.

I would agree with you there. I've witnessed 50k active on a single 3595, not an issue to be seen with the PSN taking it. Most of the load issues I have had are with the PAN or MNT.

In a hybrid deployment, both of these personas are contending for the same node resources, the MNT being heavy on disk (CPU too at times), while the PAN is heavier on CPU. I think it creates the perfect storm of load and they aren't capable of spreading it out like PSNs.

The part I have never really understood with scaling ISE is why a 2 node standalone deployment has the same scale as a 7 node hybrid. The 2 node deployment is doing more work on the same boxes as the PAN/MNT personas, while the hybrid is moving that authentication load off to PSNs. In theory one would expect to have more active endpoints capability if the auth, profiling, posture, etc. was moved to the PSNs.

This doesn't even touch on my qualms with measuring scale in active endpoints, no two deployments have the same load with the same 10k endpoints.

Thanks Arne and Damien for your responses.