Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1052
Views
0
Helpful
6
Replies

MAR Cache Synchronization across large number of PSNs

Go to solution
paul
Level 10
Level 10

‎01-02-2019 10:26 AM - edited ‎01-03-2019 05:50 AM

 

 

I have a large deployment with 10 PSNs spread between two datacenters.  The two datacenters are in the same city with very high speed low latency links (sub 10 ms) running between them.   Functionally they can be considered the same LAN.

 

Current I have the 5 PSNs in each datacenter configured into their own node group with MAR cache sync turned on.  All RADIUS authentication is sent to DC 1 with DC 2 as backup.   This means DC1's MAR cache will be accurate, but in the event of a failover to DC2 it won't have an accurate MAR cache meaning any rules using MAR cache attribute would fail.

 

I am debating putting all 10 PSNs into the same node group and want to know the thoughts about doing this:

 

  1. I know technically node groups aren't supposed to span sites, but honestly DCs in the same city with high speed/low latency interconnects is that really a problem?
  2. Is 10 nodes in a node group with MAR cache synchronization a concern?

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎01-04-2019 08:40 AM

On 1. With high speed and low latency, it's technically LAN speed so I would not expect any issue other than potentially physical disconnects.

On 2. With 10 in the same node group appears too much. I would suggest 2 in each group, as it could contribute to more time to authenticate an endpoint when ISE tries querying the other PSNs in the group if the cache not found locally.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-03-2019 08:33 AM

I don't see this a problem. I have PSN deployments between two countries
with 60 msec deployments and things are running smoothly.

The problem with MAR itself and its stability. I have seen MAR behaving
strange which finally made me move to EAP-FASTv2 which links user and
machine authentication natively.

I read many cisco articles and posts about same problems of MAR which I was
facing such as losing sync between user and machine auth that cause
intermittent loss of connection, users logoff but don't get connection
after login, etc
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Mohammed al Baqari

‎01-03-2019 08:42 AM

Do you have the PSNs all in one node group with MAR sync? How many PSNs total?


0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to paul

‎01-03-2019 09:28 AM

Hi, yes I have all PSNs in same group. In total they are 4
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎01-04-2019 08:40 AM

On 1. With high speed and low latency, it's technically LAN speed so I would not expect any issue other than potentially physical disconnects.

On 2. With 10 in the same node group appears too much. I would suggest 2 in each group, as it could contribute to more time to authenticate an endpoint when ISE tries querying the other PSNs in the group if the cache not found locally.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to hslai

‎01-04-2019 08:51 AM

Thx for the response. The issue is the MAR cache sync. It only works in the same node group. So in your mind 10 is no good.

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to paul

‎01-04-2019 10:16 AM

Yes, that's true
0 Helpful
Customers Also Viewed These Support Documents
Top