Maximum value for the round trip latency between ISE and WLC

javi.laracil
Level 1

Hello, just a short question.

We have 2 WLCs in China and the ISE Server is in Germany. There is between 200ms and 300ms latency between the Server and the WLCs.

We use CWA guest portal redirection. We are having trouble with the users in China: the guest portal takes too long to load and the redirection also takes a while.

How can we improve it? We are using ISE 1.2; if we upgrade to ISE 2.1, would it be better? Which are the timers I need to fine-tune to improve the experience for China users?

The users in Germany have no complaint.

Thanks!

5 Replies

Gagandeep Singh
Cisco Employee

You can tweak the EAP timers below on the WLC.

https://supportforums.cisco.com/document/46101/eap-timers-wireless-lan-controllers

Regards

Gagan

ps : rate if it helps!!!!!

Thanks, I already saw that post.

nspasov
Cisco Employee

The max supported round-trip delay is 300ms. However, I usually recommend no more than 200; otherwise you start seeing performance issues such as the ones that you describe.

The best way to remediate is to place an ISE PSN in China and join it to the existing ISE deployment. You can configure the local WLC to use the local PSN as primary RADIUS server and the one in Germany as backup. 

I hope this helps!

Thank you for rating helpful posts!

I don't think they want to spend any more money. They told me to develop a local solution only using the controllers. Thanks for the proposal.

I hear you that spending more $$ is not ideal but there are a few things to keep in mind here:

1. You can use a virtual server and thus save a lot of money compared to purchasing a physical appliance. I understand that you will need to have a virtual environment locally, but it is just a thought.

2. You don't have to purchase licenses as those are only purchased once for the whole ISE deployment. You can have 40 servers but you are still only required to purchase licenses once. 

If those are not an option and you have a controller locally, then you can do LWA (Local Web Authentication), where the web page would sit on the controller. The problem that you need to resolve is who/what is going to be your AAA server (since it cannot be ISE). I have seen some customers use their local domain controllers by turning on NPS.

I hope this helps!

Thank you for rating helpful posts!