Hi to all,
our old friend ACS has a clear distinction between management process and authentication runtime:
ACS/admin# show application status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' running
Process 'ntpd' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
This means that if the management interface has to be restarted, AAA requests are still handled during the mgt process restart.
Now, taking a look at ISE, things seem pretty different:
ISE-TO-CVL-SVIL/admin# show application status ise
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          623
Database Server                        running          41 PROCESSES
Application Server                     running          24687
Profiler Database                      running          3298
AD Connector                           running          5969
M&T Session Database                   running          3211
M&T Log Collector                      running          5635
M&T Log Processor                      running          5581
Certificate Authority Service          running          5537
SXP Engine Service                     disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
Identity Mapping Service               running          5862
but this output
ISE/admin# show ports | begin 24687
Process : jsvc.exec (24687)
tcp: 127.0.0.1:8888, :::61493, :::9080, ::ffff:10.16.168.251:8443, ::ffff:172.20.38.100:8443, :::443, ::ffff:172.20.38.100:8444, :::9085, :::9024, :::9090, ::ffff:127.0.0.1:2020, :::9060, :::9990, :::8905, :::8009, :::5514, :::9002, :::1099, :::18380, :::8910, :::61616, :::80
udp: 0.0.0.0:11831, 10.16.168.251:13628, 172.20.38.100:12237, 10.16.168.251:3799, 172.20.38.100:3799, 10.16.168.251:1645, 172.20.38.100:1645, 10.16.168.251:1646, 172.20.38.100:1646, 10.16.168.251:1812, 172.20.38.100:1812, 10.16.168.251:1813, 172.20.38.100:1813, 10.16.168.251:1700, 172.20.38.100:1700, 0.0.0.0:56748, :::30514, ::ffff:172.20.38.100:67, ::ffff:172.20.38.100:8905, fe80::250:56ff:fe92:a14:8905, ::ffff:10.16.168.251:8905, fe80::250:56ff:fe92:f1a:8905, fe80::250:56ff:fe92:ebd:8905, fe80::250:56ff:fe92:8b3:8905, fe80::250:56ff:fe92:a141:547
shows that in ISE the jsvc.exec process manages both portals/mgt interfaces (10.16.168.251:8443, :::443) and RADIUS sockets (10.16.168.251:1812, 172.20.38.100:1812, 10.16.168.251:1813, 172.20.38.100:1813).
So my question is: what happens when an admin certificate has to be installed or renewed on ISE? On ACS we get a mgt interface restart with no AAA traffic disruption. Does anyone have information about AAA traffic when the ISE application server is restarting?
Regards
MM
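
The socket-ownership check described in the post, as an added example that is not part of the original post: a Python parser for `show ports` text that rejoins terminal-wrapped lines and reports any process holding both a management/portal TCP port and a RADIUS UDP port. The function names, the port-role sets and the abridged sample are assumptions made for this illustration.

```python
import re

# Roles: 443/8443 and 1812/1813 are the ports the post singles out;
# 1645/1646 are the legacy RADIUS ports that also appear in its output.
MGMT_PORTS = {443, 8443}
RADIUS_PORTS = {1812, 1813, 1645, 1646}

# Sample abridged from the post's output, keeping two mid-token terminal wraps.
SAMPLE = """\
Process : jsvc.exec (24687)
     tcp: 127.0.0.1:8888, ::ffff:10.16.168.251:8443, :::443, :::90
90, :::80
     udp: 10.16.168.251:1645, 10.16.168.
251:1646, 10.16.168.251:1812, 172.20.38.100:1813
"""

HEADER = re.compile(r"^Process\s*:\s*(\S+)\s*\((\d+)\)")
PROTO = re.compile(r"^(tcp|udp):\s*(.*)$")

def parse_show_ports(text):
    """Return {(name, pid): {"tcp": {ports}, "udp": {ports}}}."""
    procs, current, proto, buf = {}, None, None, ""

    def flush():
        # Commit the buffered socket list of the current process/protocol.
        if current is None or not proto:
            return
        for sock in buf.split(","):
            # The port follows the last colon for both IPv4 and IPv6 sockets.
            port = sock.strip().rpartition(":")[2]
            if port.isdigit():
                procs[current][proto].add(int(port))

    for raw in text.splitlines():
        line = raw.strip()
        h, p = HEADER.match(line), PROTO.match(line)
        if h:
            flush()
            current, proto, buf = (h.group(1), int(h.group(2))), None, ""
            procs[current] = {"tcp": set(), "udp": set()}
        elif p:
            flush()
            proto, buf = p.group(1), p.group(2)
        else:
            buf += line  # wrapped continuation: rejoin without a separator
    flush()
    return procs

def shared_fate(procs):
    """Processes owning both a management/portal TCP port and a RADIUS UDP port."""
    return {k: (sorted(s["tcp"] & MGMT_PORTS), sorted(s["udp"] & RADIUS_PORTS))
            for k, s in procs.items()
            if s["tcp"] & MGMT_PORTS and s["udp"] & RADIUS_PORTS}
```

A hit from `shared_fate` only says the listed sockets belong to one OS process; it does not by itself say how the product behaves during a restart.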