Impact of high latency between PAN and PSN in ISE distributed deployment

Mohaninj · ‎02-19-2019

In a distributed ISE deployment, what kind of issues are expected when the latency between Primary PAN and any PSN in the deployment goes beyond recommended level of 300ms?

Will that impact the authentication service of the PSN with high latency only or it will impact whole deployment and authentication services of other PSNs?

Mohammed al Baqari · ‎02-19-2019

It will impact the authentication service. I tired this over satellite
links to see the impact and it just don't work. Users will keep
connecting/disconnecting and nothing works. Many errors on PAN.

Basically although PSN performs servicing, there are other functions
performed by PAN including session sync, endpoint sync, etc.

Mohaninj · ‎02-19-2019

Hi Mohammed
Do you mean that it can impact the authentication service of whole deployment/other PSNs or only the affected PSN.

Regards
Mohan

ognyan.totev · ‎02-20-2019

Hi, i think it must impact only on the affected PSN

Mohaninj · ‎02-24-2019

Got an update from SME.
If WAN connection becomes unreliable and replication queue on Primary PAN and the affected PSN exceeds certain cut off limit, then it will disconnect the PSN from the deployment.
In such situation, it will not impact the authentication services or database replication of PAN/other PSN’s in the deployment.
I guess, authentication services of PSN with high latency will rely on availability of AD/external identity sources.

Damien Miller · ‎02-24-2019

For the cut off, the magic number is 1,000,000 pending messages. Once the queue for replication exceeds this, the PSN is disconnected and it then requires a manual resync. I have run in to this issue before.