
Impact of high latency between PAN and PSN in ISE distributed deployment

Mohaninj
Cisco Employee

In a distributed ISE deployment, what kind of issues are expected when the latency between the Primary PAN and any PSN in the deployment goes beyond the recommended level of 300 ms?

Will that impact the authentication service of only the PSN with high latency, or will it impact the whole deployment and the authentication services of other PSNs?

5 Replies

It will impact the authentication service. I tried this over satellite
links to see the impact and it just doesn't work. Users will keep
connecting/disconnecting and nothing works. Many errors on PAN.

Basically although PSN performs servicing, there are other functions
performed by PAN including session sync, endpoint sync, etc.

Hi Mohammed
Do you mean that it can impact the authentication service of the whole deployment/other PSNs, or only the affected PSN?

Regards
Mohan

Hi, I think it must impact only the affected PSN.

Got an update from SME.
If the WAN connection becomes unreliable and the replication queue on the Primary PAN and the affected PSN exceeds a certain cutoff limit, then it will disconnect the PSN from the deployment.
In such a situation, it will not impact the authentication services or database replication of the PAN/other PSNs in the deployment.
I guess the authentication services of the PSN with high latency will rely on the availability of AD/external identity sources.

For the cutoff, the magic number is 1,000,000 pending messages. Once the queue for replication exceeds this, the PSN is disconnected and it then requires a manual resync. I have run into this issue before.