cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2637
Views
1
Helpful
2
Replies

ISE Alarms: Profiler Queue Size Limit Reached

rmavila
Cisco Employee
Cisco Employee

Hi Team,

We have a customer with large ISE deployment with around 300K end points. The cluster has 47 PSN's and is running ISE 1.4.

Customer has started observing alarms on ISE with profiler queue size limit being reached for around 6-7 PSNs. Currently radius and dhcp probes are enabled on ISE. DHCP helper address is configured only for voice and printer SVIs and not for any of the data vlans. Distribution of PSNs on switches were done to distribute the AAA load equally (manual configuration and no LB).

Customer recently faced a issue where a MAC address was spoofed. As part of mitigation, we want to enable dhcp probe on data vlans also and increase the visibility. However, since we already see the profiler queue size limit alarm, we are wary of enabling dhcp profiling on data vlans which could increase the profiler load by large factor.

Is there a work around to this alarm? Is there a way to calculate the profiler load on PSNs so that we can point the dhcp probes to go to PSNs with lesser profile load? Since the sizing of the cluster was done considering the size of the network, are we supposed to hit such a limit on profiler queue.

Any help is appreciated.

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10
Level 10

Rahul,

Per my very detailed and lengthy discussions on this topic directly with you and account team, you need to first verify that you have optimized the profiler configuration to reduce load.  You should also be on current 1.4 patch, although recommendation is to upgrade to more current ISE 2 release since 1.4 is EOL and reaching end of SW maintenance this year.   If VM appliances, I would also make sure that all of the nodes are configured to spec with resource reservations.  You must also be running on older appliances or specs which are based on 33x5 or 34x5, so that too can limit performance, especially based on the memory allocations assigned to services.

Another benefit of current ISE versions is they will provide more counter details on the specific probe load for each PSN.  In your case, all alarms seem to come from a specific node.   If issues still persist after addressing above, then recommend open a TAC case as Hsing suggested.

Regards,
Craig

View solution in original post

2 Replies 2

hslai
Cisco Employee
Cisco Employee

Recently there was an issue with ISE feed services so it's best to engage Cisco TAC to troubleshoot, if not already.

Craig Hyps
Level 10
Level 10

Rahul,

Per my very detailed and lengthy discussions on this topic directly with you and account team, you need to first verify that you have optimized the profiler configuration to reduce load.  You should also be on current 1.4 patch, although recommendation is to upgrade to more current ISE 2 release since 1.4 is EOL and reaching end of SW maintenance this year.   If VM appliances, I would also make sure that all of the nodes are configured to spec with resource reservations.  You must also be running on older appliances or specs which are based on 33x5 or 34x5, so that too can limit performance, especially based on the memory allocations assigned to services.

Another benefit of current ISE versions is they will provide more counter details on the specific probe load for each PSN.  In your case, all alarms seem to come from a specific node.   If issues still persist after addressing above, then recommend open a TAC case as Hsing suggested.

Regards,
Craig

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: