RECOMMENDED LATENCY BETWEEN NAD AND ISE NODES

kajibola
Level 1

For ISE nodes inter-communication there is a recommended latency of 300ms for ISE 2.1 and above.

What about latency for communication between network access devices (Switch and WLCs) and ISE nodes? Any recommendation?



Damien Miller
VIP Alumni

Five seconds for the entire process is something you will want to stay under. I say the "entire process" because the RTT between the NAD and ISE is just one aspect you must account for. You must also keep in mind that once a RADIUS request has been sent to ISE you often have an external lookup to LDAP/AD.

I have seen issues in the field where WLCs were configured with a 1000 ms RADIUS timeout, resulting in a reauth from the WLC to ISE before the original reply could be sent back. This resulted in failed authentications and repeated authentication attempts at times of congestion or high load.

It really comes down to how the NADs are configured. An example would be the default RADIUS timeout of 5 seconds on a 3850: if the reply from ISE takes longer than that, then the switch will resend.

This document from a few years ago on preventing RADIUS issues with WLCs also indicates using a timeout value of at least 5 seconds. I would say it is still relevant for this.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
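As an added illustration of the timeout budget described in the reply above (example code written for this page, not from the thread, Cisco or ISE), the script below pairs each RADIUS Access-Request with its reply in a constructed, simplified NAD-style timing log, measures the round trip from the first transmission, and flags exchanges the NAD would already have retransmitted because the reply arrived after its configured timeout. The log format, the 1000 ms timeout and the user names are all invented for the example; real WLC or IOS debug output looks different.

```python
"""Check RADIUS request/reply timing against a NAD's RADIUS timeout.

Added example (not from the thread): pairs Access-Requests with replies in a
constructed log, computes the round trip seen by the NAD, counts
retransmissions, and flags exchanges that exceeded the NAD timeout.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: a NAD with a 1000 ms RADIUS timeout.  Request id=11
# is answered only after the NAD has already retransmitted it; id=13 never
# gets a reply at all.  Timestamps are ISO-8601 with millisecond precision.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000 RADIUS TX Access-Request id=10 user=alice
2024-05-01T10:00:00.180 RADIUS RX Access-Accept  id=10
2024-05-01T10:00:01.000 RADIUS TX Access-Request id=11 user=bob
2024-05-01T10:00:02.000 RADIUS TX Access-Request id=11 user=bob
2024-05-01T10:00:02.350 RADIUS RX Access-Accept  id=11
2024-05-01T10:00:03.000 RADIUS TX Access-Request id=12 user=carol
2024-05-01T10:00:03.420 RADIUS RX Access-Reject  id=12
2024-05-01T10:00:04.000 RADIUS TX Access-Request id=13 user=dave
"""

# Invented line layout for this example; adjust the pattern for a real log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) RADIUS (?P<dir>TX|RX) (?P<code>Access-\w+)\s+id=(?P<id>\d+)"
    r"(?:\s+user=(?P<user>\S+))?"
)


@dataclass
class Exchange:
    req_id: int
    user: str
    first_tx: datetime
    retransmits: int = 0          # TX lines seen after the first one
    reply: Optional[str] = None   # Access-Accept / Access-Reject, if any
    latency_ms: Optional[int] = None  # first TX -> reply, None if unanswered

    def over_timeout(self, timeout_ms: int) -> bool:
        # An unanswered request is over budget by definition.
        return self.latency_ms is None or self.latency_ms > timeout_ms


def analyze(log: str, timeout_ms: int) -> List[Exchange]:
    """Pair requests with replies, keyed on the RADIUS identifier."""
    exchanges: Dict[int, Exchange] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not RADIUS timing records
        ts = datetime.fromisoformat(m["ts"])
        req_id = int(m["id"])
        if m["dir"] == "TX":
            if req_id in exchanges:
                exchanges[req_id].retransmits += 1   # NAD resent the request
            else:
                exchanges[req_id] = Exchange(req_id, m["user"] or "?", ts)
        else:
            ex = exchanges.get(req_id)
            if ex is None or ex.reply is not None:
                continue  # reply without a request, or a duplicate reply
            ex.reply = m["code"]
            # timedelta // timedelta gives an integer number of milliseconds
            ex.latency_ms = (ts - ex.first_tx) // timedelta(milliseconds=1)
    return list(exchanges.values())


def summarize(exchanges: List[Exchange], timeout_ms: int) -> dict:
    """Roll-up a practitioner would look at: retransmits, offenders, worst case."""
    answered = [e for e in exchanges if e.latency_ms is not None]
    return {
        "requests": len(exchanges),
        "retransmits": sum(e.retransmits for e in exchanges),
        "over_timeout": sorted(e.req_id for e in exchanges if e.over_timeout(timeout_ms)),
        "max_latency_ms": max((e.latency_ms for e in answered), default=0),
    }


if __name__ == "__main__":
    NAD_TIMEOUT_MS = 1000  # the too-short WLC setting from the reply above
    results = analyze(SAMPLE_LOG, NAD_TIMEOUT_MS)
    for e in results:
        flag = "OVER TIMEOUT" if e.over_timeout(NAD_TIMEOUT_MS) else "ok"
        print(f"id={e.req_id} user={e.user} reply={e.reply} "
              f"latency_ms={e.latency_ms} retransmits={e.retransmits} {flag}")
    print(summarize(results, NAD_TIMEOUT_MS))
```

Running it against the constructed log reports id=11 as over the 1000 ms timeout with one retransmission (the reply took 1350 ms measured from the first transmission, so the NAD had already resent the request) and id=13 as unanswered; raising the timeout toward the 5 s the reply recommends, or reducing the external lookup time on the ISE side, is what clears those flags.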

It's a good thing you're clearing up that the maximum latency is between nodes and not to the NADs themselves.

Is the 300ms RTT limitation between the nodes a technical limitation? If the RTT is much higher, such as a second, could you describe why the remote PSN would not function correctly?

hslai
Cisco Employee

300 ms RTT between ISE nodes is what was vetted by our product teams. We would not suggest exceeding it, as replication might not work properly and it is not supported.

Are there replications between PSNs in remote sites and PAN/MnT nodes which require the same latency guarantees?

Replication occurs between the primary PAN and all secondary nodes. A secondary node is every other node (Secondary PAN, MNT, PSNs, pxGrid), as they each receive a backup of the config.

Here is guidance I provide on latency from BRKSEC-3699...

     Latency guidance is not a "fall off the cliff" number, but a guard rail based on what QA has tested. Not all customers have issues with > 300 ms, while others may have issues with < 100 ms latency due to overall ISE design and deployment. Profiler config is the primary determinant in replication requirements between PSNs and PAN, which translates to latency. When providing guidance, a maximum of 300 ms round-trip latency is the correct response from SEs for their customers to design against.

/Craig