ISE Performances Proactive Monitoring

jolefebv
Cisco Employee

Hello dear community!

I would need your help in order to find ways to monitor ISE performance. My customer had an outage recently where ISE RADIUS latency got really high (over 12k). This situation was caused by ISE being overwhelmed with misbehaving clients.

Currently, the only way that we have to monitor ISE is to have a look at the Health summary report.

 

Here are some examples from my lab ->

[Screenshots: Screenshot 2019-10-25 at 14.08.04.png, Screenshot 2019-10-25 at 14.07.45.png]

 

I would need your help in order to answer the following questions:

  • At what latency should we start worrying? (If this question is answered, I believe that some alarms could be configured.)
  • Is the RADIUS latency present in the report the highest peak or a daily average? (not sure either)
  • Ideally, it would be great to see which clients would be guilty. Any ideas other than RADIUS authentication reports and hoping for the best? Filtering through it is a bit tedious for my customers ...

Kind regards,

Jonathan

 

1 Accepted Solution

Arne Bier
VIP

I have resorted to subscribing to ISE Alarms of various severities and then having emails sent out when the alarms trigger. It's primitive and not the most efficient way, but it gets the attention.

Latency is a tricky one - maybe others can comment - I have seen good performance even at around 200ms latency. Perhaps place the PSN closer to those NASs if possible? If using VMs, are the VMs configured to reserve the resources exclusively (just checking the obvious stuff TAC would ask)?

For one of our customers we log into ISE daily and check the dashboard and some other bits. It's manual and tedious. I would also welcome a better way to get this data via a consolidated and Cisco ..... CUSTOMIZABLE Report!!! ACS had brilliant customizable reports. We dumped ACS like a hot potato and all that goodness never got replaced. I would like to see that feature come back.

 

2 Replies

Hi Arne!

It's indeed a virtualised environment, VM resources are attributed properly. The main issue is that they had quite some misbehaving clients. A mix of misconfiguration made them sink their own ISE node under an overwhelming flow of authentication requests.

Unfortunately, they didn't really have any mechanism in place to alert them that something was going on until it was too late ... This is why I am currently looking into finding what could potentially help them out. ISE isn't very rich for that and I agree that alerts would already be a good thing (either mail or syslog). However, it is difficult to configure alerts without knowing what can actually be worrying and what should be ignored.
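
One way to surface the noisiest endpoints from an exported authentication log, as an added example that is not part of the original thread and not Cisco tooling. It parses a constructed CSV (the column names `timestamp`, `calling_station_id` and `result` are assumptions, not an ISE report format) and flags clients whose busiest one-minute window is far above the median client, so no absolute threshold has to be known in advance.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def sample_export():
    """Constructed CSV; column names are assumptions, not an ISE report format."""
    start = datetime(2019, 10, 25, 14, 0, 0)
    lines = ["timestamp,calling_station_id,result"]
    # Four normal endpoints: one authentication every 20 minutes.
    for n in range(4):
        for k in range(3):
            ts = start + timedelta(minutes=20 * k, seconds=n)
            lines.append(f"{ts.isoformat()},00:00:5E:00:53:0{n},pass")
    # One misconfigured endpoint: a failed attempt every 2 seconds for 5 minutes.
    for k in range(150):
        ts = start + timedelta(seconds=2 * k)
        lines.append(f"{ts.isoformat()},00:00:5E:00:53:AA,fail")
    return "\n".join(lines)

def peak_rates(csv_text, window=timedelta(minutes=1)):
    """Highest number of requests each client sent within any one window."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamp = datetime.fromisoformat(row["timestamp"])
        seen[row["calling_station_id"]].append(stamp)
    peaks = {}
    for client, stamps in seen.items():
        stamps.sort()
        left = best = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] >= window:  # drop events older than the window
                left += 1
            best = max(best, right - left + 1)
        peaks[client] = best
    return peaks

def noisy_clients(csv_text, factor=10, floor=10):
    """Clients whose peak rate is at least `factor` times the median client's."""
    peaks = peak_rates(csv_text)
    limit = max(floor, factor * median(peaks.values()))
    ranked = sorted(peaks.items(), key=lambda kv: -kv[1])
    return {client: peak for client, peak in ranked if peak >= limit}

if __name__ == "__main__":
    for client, peak in noisy_clients(sample_export()).items():
        print(f"{client}: {peak} requests in the busiest minute")
```

The `floor` parameter keeps a quiet network, where the median peak is 1, from flagging an endpoint that merely retried a handful of times.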