03-01-2022 11:08 AM
What is considered a healthy ISE authentication latency? And what is considered to be too high? I have not found anything published on this but am curious about others' thoughts. Thanks in advance.
03-06-2022 04:37 PM
It depends. (of course!)
Latency takes many forms but mainly we are talking about it to/from Identity Stores or RADIUS proxies. Typically >300ms is bad and depending on the request load, requests can start to get backed up.
ISE should be co-located near your [AD/LDAP/ODBC/etc] identity stores to eliminate as much latency as possible and to still work in the case of WAN outage. But sometimes you cannot help it: Azure AD, eduroam, etc.
It is typically a symptom of a problem with your identity stores (sizing, loading, VM resourcing, down) or the link to them.
Why is it bad? ISE has to hold the session while waiting... and waiting... and waiting for a response. Depending on the number of incoming requests and how bad the latency is, this can exhaust your ISE PSN's request buffer, causing other requests to go unanswered if you do not have a load balancer.
I have seen it discussed by Clark Gambrel (below) in his Deploying ISE in a Dynamic Environment (Best Practices) - BRKSEC-2059 which is listed under https://cs.co/ise-training and still available in the Cisco Live On-Demand Library.
03-01-2022 06:43 PM
There are several discussions surrounding this question; here are some that I personally liked:
https://community.cisco.com/t5/network-access-control/ise-authentication-latency-metric/m-p/4188747
https://community.cisco.com/t5/network-access-control/increased-authentication-latency/m-p/3533691
As explained in those discussions too, latency can be due to multiple factors: RADIUS connectivity/timeouts, client-side issues, latency between ISE and external identity stores, etc.
03-02-2022 06:00 AM
Hi @Ciscorocks ,
beyond what @UdupiKrishna said ... please take a look at ISE > Operations > Reports > Reports > Diagnostics > Key Performance Metrics, a high-level overview of key metrics for each PSN.
Note: pay special attention to the Avg Latency per Request column (average latency per RADIUS Request for the selected PSN Server), a good way to check the "before and after" of a latency issue.
Hope this helps !!!
03-02-2022 08:57 AM
Hi Marcelo,
Thanks for the info. In the deployment I am seeing 0.01 for the Avg Latency per Request for the PSN in question. I would assume this is very low latency? I am not seeing any info as to what is considered high and low values for this column.
Thanks!
03-02-2022 01:28 PM
Hi @Ciscorocks ,
yes, you are correct.
Note 1: remember that it's an average for the last hour; in other words, you can have "spikes".
Note 2: it's important to check this info for the Last 30 Days, just to have an idea of the average over a long period (use the Export to - Repository CSV for a better view).
Hope this helps !!!
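Added example (not part of the original thread and not Cisco tooling): one way to review the exported Key Performance Metrics CSV so that hourly spikes are not hidden by the long-run average, using the ">300ms" figure from the accepted answer as the threshold. The `Logged At` and `Server` column names, the millisecond unit and the sample rows are assumptions; only `Avg Latency per Request` is named in the thread.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Assumed export column names; only "Avg Latency per Request" appears in the
# thread. Adjust these to match the header of the real CSV export.
COL_TIME = "Logged At"
COL_PSN = "Server"
COL_LATENCY = "Avg Latency per Request"
THRESHOLD_MS = 300.0  # ">300ms is bad" from the accepted answer; unit assumed to be ms

def summarize(csv_text, threshold=THRESHOLD_MS):
    """Per PSN: number of hourly rows, long-run mean, worst hour, hours above threshold."""
    rows_by_psn = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(COL_LATENCY) or "").strip()
        try:
            latency = float(raw)
        except ValueError:
            continue  # skip blank or non-numeric cells instead of counting them as 0
        rows_by_psn[row[COL_PSN].strip()].append((row[COL_TIME].strip(), latency))
    report = {}
    for psn, samples in rows_by_psn.items():
        values = [v for _, v in samples]
        report[psn] = {
            "hours": len(values),
            "mean": round(mean(values), 2),
            "max": max(values),
            "spikes": [(t, v) for t, v in samples if v > threshold],
        }
    return report

# Constructed sample data, not a real ISE export.
SAMPLE = """Logged At,Server,Avg Latency per Request
2022-03-01 09:00,psn01,12.0
2022-03-01 10:00,psn01,15.0
2022-03-01 11:00,psn01,910.0
2022-03-01 12:00,psn01,11.0
2022-03-01 09:00,psn02,14.0
2022-03-01 10:00,psn02,
2022-03-01 11:00,psn02,16.0
"""

if __name__ == "__main__":
    for psn, stats in summarize(SAMPLE).items():
        print(psn, stats)
```

In the constructed data, psn01 averages 237.0 over the period, below the threshold, even though one hour sat at 910.0; the `spikes` list surfaces that hour.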
03-06-2022 09:34 PM
Hi Thomas,
Thanks for the information provided. When I test a user's AD credentials in the external identity sources section of the ISE GUI, I am seeing these values. Obviously the authentication time and attributes fetching time aren't that high, but the groups fetching time is a little higher. Does this value seem higher than what it should be?
Authentication time : 5 ms.
Groups fetching time : 188 ms.
Attributes fetching time: 3 ms.
Thanks!