ISE issue while users are high

rys · ‎08-27-2015

HI Friends,

We recently installed ISE in our company for guest access and using hotspot feature for authentication.

we have 3 ISE nodes in VM, admin, moni and policy. all having 32 GB RAM and minimum of 300GB HD.

The issue is we getting user complaints, when there are high number of users are connecting and no much complaints when the users are less.

When checking the cpu, memory, all seeing fine from the ISE.

On the VM, we notices, the policy node usage is low, but consumed memory is high. I have attached the graph here.

Can anyone advice, why this much memory is consumed and anyway to lower the consumed memory ?

Any limitation in the number of sessions ISE can handle ?

Thanks

rYs

M. Wisely · ‎08-28-2015

Am I understanding this correctly that you only have one Policy node or are all 3 policy nodes?

How many guest users are you talking about at peak times?

rys · ‎08-30-2015

HI Martin,

its one policy node, during the issue happens the users about 900 -1000 in range..

When there is only ~500 users, no complaints.

Thanks

M. Wisely · ‎08-31-2015

I would suggest enabling making the other nodes into policy nodes (as well as the other admin and monitoring) to spread the load at least until the bug i patch 3 is resolved. This also has the benifit of increasing redundancy.

ajc · ‎08-31-2015

Hi Martin,

What is the bug you are talking about?. I have multiple ISE appliances, distributed environment with primary/sec PAN, MNT Nodes + 10 PSN's. I am currently testing 1.4 patch 3 for AUTHC reasons using PEAP + AUP so I would like to know about any concurrent sessions limitation on that 1.4 version. 3395 is supposed to manage using CWA around 10K concurrent sessions and 3495 around 20K.

thanks

ajc · ‎08-30-2015

What is the version you are using?.

I just recently started using hotspot on ISE 1.4 patch 3 and looks like it has a bug because it keeps sending me back to the success page. Could you explain exactly what is the behavior?. I am using VM in my lab environment and the performance is extremely poor in terms of replication from PAN to PSN unless the PAN and PSN are the same VM.

number of sessions at least when you are using 3395 appliance is 10K for CWA, doublecheck the VM resources again.

rys · ‎08-30-2015

Hi Abraham,

We are using ver 1.4 and did the patch 3 also.

The issue always occurs when the user count is nearly 1000, users complaint they cannot connect to wireless. when we checking, users are getting IP address, but not getting the AUP page from the PSN. All the ISE nodes are running on VM.

We increase the RAM to 32GB and 8 Core cpu for better response, but didnt help.

Any limitation in the number users PSN can handle those running in VM ?

Thanks

ajc · ‎08-31-2015

Hi riyas,

One more question, what is the AUTHC mechanism you are using?.

Based on my own experience if you are using for example LWA, there is a severe limitation on the number of concurrent users who can connect to the wireless and an ISE java process does not work properly affecting the actual capacity of the network.

rys · ‎08-31-2015

Hi Abraham,

We using MAB+AUP for endpoint authentication. We broadcasting the Guest SSID across the campus, and the MAC address retain in the ISE DB for 120 hrs.

Thanks

ajc · ‎09-01-2015

Hi Riyas,

Are you are using CWA (which includes MAB Policy) with AUP acceptance required using the GuestDefaultPortal on the AUTHZ Profile OR HotSpot Feature?.

In any case, I am proceeding to make a question to the TAC Engineer about this because we are moving into a similar scenario like yours.

thanks

rys · ‎09-01-2015

Hi Abraham,

Yes, we using CWA, with MAB policy with AUP accepatance for authentication and an authorization profile for access-accept.

I also have a concern on the number of limitaions in WLC, we are using Foreign-Anchor WLC setup and ISE for guest access.

Thanks