Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1174
Views
10
Helpful
3
Replies

Enable Single Connect Mode option in TACACS ISE

Go to solution
paheeradan.nagulan
Level 1
Level 1

‎08-09-2022 06:02 AM

Gentlemen,

I was reading about Cisco ISE and happened to come across the term "Enable Single Connect Mode". I understand by selecting this option, Cisco ISE will minimize the number of TCP connections opened for duplicate transactions and retain the connection for AAA transactions. What is the drawback of enabling this option instead of "Legacy" mode for a network node in ISE?

Preview file
12 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎08-09-2022 06:08 AM

@paheeradan.nagulan as per the Cisco Device Administration guide. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Note: IPv4 and IPv6 supports Single connect Mode connection. Optionally you can enable Single Connect Mode with TACACS+ Draft Compliance Single Connect support option if you have chatty Network devices. The TCP connection for Single mode connections is not disconnected for every single Transactions and would ensure reliability but it is very resource intensive. Use it with caution only on certain Network devices.

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-09-2022 06:13 AM

As you noticed the Defaul is Legacy, that is Cisco recomment,.

as you rightly said single connection mode is more of chatty devices in the network and also ISE should agreed based on the frst handshake

For chatty devices that sends traffic bursts, ISE has a TACACS+ feature called “single connect mode” that retains the TCP connection instead of tearing it immediately, however you need to make sure to keep track of the number of sessions not to overwhelm ISE with too many open connections.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎08-09-2022 06:08 AM

@paheeradan.nagulan as per the Cisco Device Administration guide. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Note: IPv4 and IPv6 supports Single connect Mode connection. Optionally you can enable Single Connect Mode with TACACS+ Draft Compliance Single Connect support option if you have chatty Network devices. The TCP connection for Single mode connections is not disconnected for every single Transactions and would ensure reliability but it is very resource intensive. Use it with caution only on certain Network devices.

Go to solution
paheeradan.nagulan
Level 1
Level 1
In response to Rob Ingram

‎08-09-2022 06:38 AM

Thanks for the explanation. Appreciate it.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-09-2022 06:13 AM

As you noticed the Defaul is Legacy, that is Cisco recomment,.

as you rightly said single connection mode is more of chatty devices in the network and also ISE should agreed based on the frst handshake

For chatty devices that sends traffic bursts, ISE has a TACACS+ feature called “single connect mode” that retains the TCP connection instead of tearing it immediately, however you need to make sure to keep track of the number of sessions not to overwhelm ISE with too many open connections.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card