Solved: Re: ISE concurrent connections query

sondevi · ‎02-21-2019

Hi Team,

I have query regarding ISE HW 3595/ OS 2.3 concurrent connections limit into distributed deployment, there are 8 nodes- 2 PAN+MnT (1 node – Primary PAN & Standby MnT, 1 node – Standby PAN and primary MnT) and rest are dedicated PSN nodes.

I went through the below document regarding ISE scalability and performance:

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

CU scenario becomes the above mentioned first case or second one. (if MnT is standby on primary PAN, it will be consider PAN and MnT on single node or dedicated node as shown in above screenshot?). Means connection limit will be 20k or 500,000 on single PSN node?
Connections are counted per user session/per device access?

Damien Miller · ‎02-21-2019

When the PAN and MNT are hosted on the same physical of virtual appliance like the scenario you presented, then your upper bounds for scale on the 3595's is 20,000 active endpoints. This would be as reported by the ISE dashboard "active endpoints" counter.

In order to increase your scale, there are two options. Breaking the PAN and MNT roles out on to their own servers, thus allowing you to scale up to 500,000 endpoints (40k active per PSN), on 3595 hardware. The other option that has recently been opened up is with the 3600 series appliances and 2.6, scale for a hybrid deployment on the 3600's can go beyond 20k active. It is not yet documented in the performance and scale document you linked.

Active endpoints are endpoints connected to the network that ISE is authenticating. An endpoint is a single mac address that has been processed, and that ISE is ideally receiving radius accounting/stop/start updates for. If ISE doesn't see a radius stop, the endpoint stays in the active session count until it times out in 5 days. So active sessions are counted per mac address, this can lead to the same machine having two active sessions if it was connected with two nics.

View solution in original post

Damien Miller · ‎02-21-2019

When the PAN and MNT are hosted on the same physical of virtual appliance like the scenario you presented, then your upper bounds for scale on the 3595's is 20,000 active endpoints. This would be as reported by the ISE dashboard "active endpoints" counter.

In order to increase your scale, there are two options. Breaking the PAN and MNT roles out on to their own servers, thus allowing you to scale up to 500,000 endpoints (40k active per PSN), on 3595 hardware. The other option that has recently been opened up is with the 3600 series appliances and 2.6, scale for a hybrid deployment on the 3600's can go beyond 20k active. It is not yet documented in the performance and scale document you linked.

Active endpoints are endpoints connected to the network that ISE is authenticating. An endpoint is a single mac address that has been processed, and that ISE is ideally receiving radius accounting/stop/start updates for. If ISE doesn't see a radius stop, the endpoint stays in the active session count until it times out in 5 days. So active sessions are counted per mac address, this can lead to the same machine having two active sessions if it was connected with two nics.

sondevi · ‎02-21-2019

Hi Damien, thanks for quick reply.

my 1st query is clear now and same i was hoping to have.

for second query, CU has TACACS packets(Device admin) only, so connection count will be per user/per device based?

There is one option-""Enable Single Connect Mode" Documented- Check to use a single TCP connection for all TACACS+ communication with the network device.

Choose one of the following:

Legacy Cisco Devices
Or, TACACS+ Draft Compliance Single Connect Support. If you disable Single Connect Mode, ISE uses a new TCP connection for every TACACS+ request."To use the above option, can help in scaling into 20k PSN limit per CU's scenario.

Jason Kunst · ‎02-21-2019

Up to 50k endpoints active are supported with 3695 in a stand-alone or hybrid pan/mnt on same box environment