
is any there information available of how to optimize the search base

Amen
Level 1

Is there any information available on how to optimize the search base for LDAP in ISE?

I have a latency problem with TACACS+ 

13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request ( [Step latency=5061ms] Step latency=5061ms)
13046 TACACS+ ASCII change password request
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request ( [Step latency=4752ms] Step latency=4752ms)
13046 TACACS+ ASCII change password request

This problem has existed since we started using ISE in our environment. I'm not sure if it's a design or performance problem or an issue with TACACS+.


I'll try to answer the questions. I don't know whether we have latency management because I don't know the VPN Concentrator.

I can ping from the ISE to the jumphost and to the gateway. Here is the output:

As for the hardware of the ISE VMs, isevm01stu has 24 vCPU and 96 GB RAM and isevm01ess has 16 vCPU and 96 GB RAM.

Ping to the domain controller:

isevm01stu/admin# ping vtsdc10.versatel.local
PING vtsdc10.versatel.local (10.232.68.19) 56(84) bytes of data.
64 bytes from 10.232.68.19: icmp_seq=1 ttl=126 time=1.05 ms
64 bytes from 10.232.68.19: icmp_seq=2 ttl=126 time=1.02 ms
64 bytes from 10.232.68.19: icmp_seq=3 ttl=126 time=0.971 ms
64 bytes from 10.232.68.19: icmp_seq=4 ttl=126 time=0.900 ms

 

We have a big user base in our company. In our LDAP we have the following subject search base: DC=versatel,DC=local

 

and the group search base is OU=Teams,OU=CiscoISE,OU=TK,OU=Gruppen,DC=versatel,DC=local

 

You mean we should use the group search base in the subject search base, starting with OU=CiscoISE? What is the difference between the search base and the group base? Can we use MAC Address or this "strip start" object to minimize the latency?


I have a second question: if I search in the TACACS live log, I see in Network Device Name not the device name resolved from the NE IP address via DNS, but the network device names used to group the IP networks for the different profiles (NGN, VPN, Internet). Is there a possibility to see the DNS names for the network device IP addresses? Can we configure this?

Is it an issue that TAC can solve, or is it a design issue?

Accepted Solution

Tariq Mahmoud
Level 1

For issue #1, the latency:
This latency is seen in the TACACS CONTINUE packet; this packet is received by ISE from the NAD. Usually, if there is no load on ISE and its performance is not having issues (you need to check CPU and memory), then this is a network issue.

What I suggest is to have packet captures taken from ISE and the NAD (switch, router) at the same time; it will indicate the delay point.

For issue #2, DNS device name:

The logs indicate the name of the device that you selected when you added this device to the ISE database. If you want to have the DNS name, then you will have to modify the name of the device in the ISE database.

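To make the step latency in the question's log actionable before taking captures, here is an added example (not from this thread, Cisco, or ISE itself) that parses ISE step lines of the shape quoted above and reports which steps carry the wait. The NAD_WAIT_STEPS set and the 1000 ms threshold are assumptions; the sample lines are constructed from the question's log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ISE step log quoted in the question:
# "<5-digit step code> <description> ( [Step latency=NNNNms] Step latency=NNNNms)".
SAMPLE_STEPS = """\
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request ( [Step latency=5061ms] Step latency=5061ms)
13046 TACACS+ ASCII change password request
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request ( [Step latency=4752ms] Step latency=4752ms)
13046 TACACS+ ASCII change password request
"""

STEP_RE = re.compile(
    r"^(?P<code>\d{5})\s+(?P<desc>.*?)\s*"
    r"(?:\(.*?Step latency=(?P<ms>\d+)ms.*\))?\s*$"
)

# Per the accepted answer, latency reported on the CONTINUE step is time ISE
# spent waiting for the NAD's next packet, not ISE processing time (assumed set).
NAD_WAIT_STEPS = {"13014"}


def parse_steps(text):
    """Return a list of (code, description, latency_ms or None) per step line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not ISE step entries
        ms = int(m.group("ms")) if m.group("ms") else None
        steps.append((m.group("code"), m.group("desc"), ms))
    return steps


def latency_by_step(steps):
    """Aggregate count, total and max reported latency per step code."""
    agg = defaultdict(lambda: {"count": 0, "total_ms": 0, "max_ms": 0, "desc": ""})
    for code, desc, ms in steps:
        entry = agg[code]
        entry["count"] += 1
        entry["desc"] = desc
        if ms is not None:
            entry["total_ms"] += ms
            entry["max_ms"] = max(entry["max_ms"], ms)
    return dict(agg)


def slow_steps(steps, threshold_ms=1000):
    """Steps at or above the threshold, flagged True when the wait was on the NAD side."""
    return [(code, desc, ms, code in NAD_WAIT_STEPS)
            for code, desc, ms in steps
            if ms is not None and ms >= threshold_ms]
```

If every flagged step is a NAD-side wait and ISE CPU and memory are healthy, that points the simultaneous ISE and NAD packet captures the answer recommends at the network path rather than at the ISE node.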