ISE (Concurrent Connections)

bepage3
Cisco Employee

  Has anyone created a chart that breaks this down by version?

 

  1. How many concurrent connections are supported by ISE deployment? (by ISE version)
    1. How many PSNs can a deployment have?
  2. How many concurrent connections are supported by each PSN? (by ISE version)

Accepted Solutions

Arne Bier
VIP

Have a look at the ISE Community resources page here

https://community.cisco.com/t5/security-documents/ise-community-resources/ta-p/3621621

There is a link to scaling - all the figures are there

What might not be immediately obvious is that in, e.g. ISE 2.4, the SNS-3595 (biggest box) can handle 20,000 concurrent sessions if the PAN and MnT are combined.  But if you split PAN and MnT into two separate nodes, then suddenly the same PSN node can handle 40,000 concurrent sessions. I have never understood that - but that is how I understand it to work.

Remember that these figures are not magical numbers or hard limits - they are rounded-up numbers from empirical lab testing. And you have to remember that the profile of a PSN's load can never be predicted. You have no idea how many logins per second will hit a PSN. When EAP auths happen, they hammer away with loads of RADIUS requests until the user is finally logged in. But once 20,000 sessions are active, then ISE has to maintain them - and this is probably the memory limit and the logging limit that you're up against. I don't expect that ISE will be doing much at all, if there are not many RADIUS Accounting requests that will impact the status of those sessions. A session is not something that should cause a server much stress at all - ISE just has to maintain database integrity and log everything nicely.
