Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2208
Views
0
Helpful
7
Replies

ISE Reauthentication - taking long time

Abdulaziz Loonat
Level 1
Level 1

‎01-26-2023 04:52 AM

Using ISE 2.7 Patch 8

since we upgraded to the above patch I have noticed reauthentication from the Meraki Wireless AP taking longer to reauthenticate

Looking on ISE, I have noticed the following at the time the issue occurs

Received RADIUS Access-Request (step latency=22240 ms Step latency=22240 ms)

Trying to work out if the issue is with the access point or ISE

I am new to ISE as well, so can somone confirm what could be the reason for this long delay.

I am wondering is it packet loss from access point to the RADIUS server

 

 

1 person had this problem
0 Helpful
7 Replies 7

ahollifield
VIP
VIP

‎01-26-2023 06:14 AM

What is the network path between the MR and ISE?  What is the ID store?  

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

0 Helpful

Abdulaziz Loonat
Level 1
Level 1

‎01-26-2023 07:07 AM

The hops between the MRE and ISE is 8

This is effecting multiple offices, the only common factor is the ISE device is a data centre. Offices are connected via SD WAN to the data centre

As I am new to ISE, I assume the ID store is Active Directory

0 Helpful

ahollifield
VIP
VIP
In response to Abdulaziz Loonat

‎01-26-2023 07:36 AM

How do the resources on ISE look?  What is your deployment type?  Are you within the scale limits? https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

0 Helpful

Arne Bier
VIP
VIP

‎01-26-2023 12:52 PM

If ISE PSNs are hosted on VMs, and if you have access to the VM Management, then perhaps look at a trend in CPU performance or disk IO activity. If the patch did some weird stuff then you're likely to spot it in historical trending.  ISE also records its own performance but I prefer to see it from the hypervisor's perspective.

You could also see whether you have Session Resume enabled on your EAP-XXX protocols in ISE. That should eliminate some of the TLS overhead. And stateless session resume is also a nice performance tweak.  

0 Helpful

Abdulaziz Loonat
Level 1
Level 1

‎01-26-2023 01:36 PM - edited ‎01-26-2023 01:37 PM

We run ISE on a appliance box, Model is 3615, which meets the setup we have in terms of endpoints.

I ask this, we didnt have this issue before we applied patch 8

0 Helpful

Marcelo Morais
VIP
VIP
In response to Abdulaziz Loonat

‎01-27-2023 10:07 PM

Hi @Abdulaziz Loonat ,

 since you " ... didn't have this issue before we applied Patch 8 ... ", could please share the result of the following command:

ise/admin# show version history

Regards

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎02-04-2023 06:03 PM

@Abdulaziz Loonat : Take a look at README_Hotpatch_CSCwc74531_and_CSCwd45843.txt and consider apply it.

0 Helpful
Customers Also Viewed These Support Documents