Solved: Re: Should we use Accounting Interim updates or not?

ajc · ‎03-16-2023

I have seen a huge amount of accouting interim update messages hitting our ISE deployment, I know the reason of that so I am planning to extend the interval up to 8 hours following a recomendation from Cisco BU since that our deployment is experiencing a high load. In addition to that ACTIVE SESSION on Primary PAN Dashboard is not accurate at all no matter if you use or not those acct interim update messages, the API Call ACTIVELIST is the one that gives you the right number as it was also indicated by TAC and tested by myself. So my question for the group would be, does it actually make sense to have enabled acct interim updates? (btw we use meraki and you cannot disable it unless you are running 29.5.1 version, only thing you can do is extend the acct interim interval).

Rodrigo Diaz · ‎03-17-2023

hello @ajc as it's mentioned here the Radius accounting can be set to send updates once a day or every 2 days ( depends on the NAD you use ) the key here is to review what kind of endpoints are using it and the behavior that they are going to have within the network , as it's accounting, the purpose of this interim accounting packets is to provide if there has been any change related to DHCP_TLVs, HTTP_TLVs, IP, or ROAM , that are relevant to the establishment of a possible CoA and profiling if applied.

Let me know if that helped you .

View solution in original post

davidgfriedman · ‎03-17-2023

We had the same problem. Someone before me had setup all switches with interim updates times of 20 minutes. It was slamming all of our ISE cubes. We have 8 cubes of varying sizes. For one ISE cube's related switches (NADs), we changed the interim updates from 20 minutes to 1440 minutes ( 1 day ). I prefer that over the recommended 2 day setting (2880). As soon as I did that, the system alerts (and related e-mails coming to me) about Profiler Queue Size Limit Reached or Profiler SNMP Request Failure stopped.. I have a few more environments to assess (both live and in our automated build system) on this topic, to help improve overall ISE cube (cluster) performance.

Regards,
David

ajc · ‎03-17-2023

Thanks david, I wanted to get feedback from more users.

Just to let you know, Meraki AP's does not allow you to configure more than 546 minutes as Acct Interim interval therefore I am exploring a plan to have each SSID with a different interval and those acct upd messages to be sent close to end of working hours or when traffic is expected to be minimum with 1 hour separation between each SSID.

Rodrigo Diaz · ‎03-17-2023

hello @ajc as it's mentioned here the Radius accounting can be set to send updates once a day or every 2 days ( depends on the NAD you use ) the key here is to review what kind of endpoints are using it and the behavior that they are going to have within the network , as it's accounting, the purpose of this interim accounting packets is to provide if there has been any change related to DHCP_TLVs, HTTP_TLVs, IP, or ROAM , that are relevant to the establishment of a possible CoA and profiling if applied.

Let me know if that helped you .

ajc · ‎03-17-2023

Thanks, another detail to keep in mind is that I use F5 load balancer so our PERSISTENCE session configured value has to be higher than the acct interim update interval.