05-24-2016 02:31 PM
Hi,
I have a customer with a deployment of 8 ISE nodes using 1.4p7; this deployment is integrated with Active Directory. They are experiencing high CPU (100%) in one of the Windows 2003 controllers, and when this happens the authentication stops working. They have a total of ## Domain Controllers. We need to do a kind of blacklist so the ISE never communicates with this DC.
Regards,
05-24-2016 02:39 PM
Is ISE causing the high CPU on the AD server or are you saying high CPU on AD is causing the ISE to stop authenticating? If ISE is the cause, I suggest opening a TAC case to find the root cause.
05-24-2016 02:45 PM
That is the customer's question, if the ISE is causing the high CPU. When the DC has high CPU the authentication stops working and we see a message saying that the Join Domain is unavailable. Probably it is because the DC cannot reply to ISE authentication requests.
05-24-2016 02:50 PM
Diego, I suggest having your customer contact TAC for further assistance on this.
05-24-2016 02:52 PM
Actually we have a case open. Thanks
05-24-2016 08:11 PM
I've seen this once before when a misconfigured Authentication design caused thousands of authentications to be sent to AD before they were processed by ISE locally. It caused a spike in CPU usage on the Domain Controller(s) until the Authentication design was remediated to send only to ISE.
Not saying this is your issue, but it can cause the same symptom. Verify in your ISE detailed authentication logs (or reports) that you aren't seeing authentications going to AD that shouldn't be.
Just two cents.