TACACS+ works over TCP on port 49, or any custom port configured in ISE. TCP is connection-oriented and asynchronous.
So if you are using an LB, I suggest the inline LB option. If not, you need to find a way to deal with the TCP property explained above.
Stickiness can be based on source IP address (the network device's IP address).
Question: Can I use Anycast?
Anycast is used with UDP since it is connectionless. You can probably use it with HTTP, since that is connectionless even though the underlying protocol is TCP, but it may not be suitable for TACACS+. It may be suitable for RADIUS.
For example, if the Anycast instance is broken mid-way for some reason, the network devices need to open a TCP connection to the PSN first before sending traffic. That means there could be a lot of open TCP connections if the routes change, so rate limiting needs to be done so as not to overwhelm the PSNs.
That said, TACACS+ is transactional, which means it opens a TCP connection every time it does an authentication, authorization or accounting, unlike RADIUS where these happen in the same transaction. These transactions are separate.
So this may work, depending on how big the configuration request/change from a client machine is when accessing the CLI on the network device or browsing a UI.
In the case of bursty traffic, where there are a bunch of requests coming from one or many sources, you typically enable persistence (single-connect mode) in the TACACS+ configuration (in the ISE network device config) so that you can use the same TCP connection.
However, with Anycast, persistence may not be preferred due to the nature of Anycast if routes change.
Here is a resource related to TACACS+ LB in general:
BRKSEC-3699 – Cisco Live presentation – slide 192
Here is a note on Anycast LB. Note how to LB if an ISE PSN is down. I think this is meant for RADIUS.
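The post above treats TACACS+ as a set of separate transactions (authentication, authorization, accounting), each with its own TCP connection unless single-connect mode lets them share one. The following is an added example, not code from the original post and not Cisco or ISE code, that frames and parses TACACS+ packets as defined in RFC 8907: the 12-byte header, the single-connect flag that the client offers and the server accepts, and the MD5-based body obfuscation keyed by the shared secret. The session id 0x1234ABCD, the shared secret, and the user, port and remote address values are constructed for illustration.

```python
"""TACACS+ (RFC 8907) packet framing: header, single-connect flag, body obfuscation.

Added example, not from the original post and not Cisco/ISE code. The session id,
shared secret and user/port/rem_addr values used with it are constructed.
"""
import hashlib
import struct

# 12-byte header: version, type, seq_no, flags, session_id, length (network byte order)
TAC_PLUS_HDR = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_VER_DEFAULT = 0xC0          # major version 0xc, minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in the clear (test use only)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # peer supports several sessions on one TCP connection


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad: MD5 chain seeded by session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()   # MD5_1 = MD5(seed); MD5_n = MD5(seed || MD5_n-1)
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying the same call again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, single_connect=False,
                 version=TAC_PLUS_VER_DEFAULT):
    """Frame one TACACS+ packet. key=None sends the body unobfuscated and sets the flag."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    else:
        payload = obfuscate(body, session_id, key, version, seq_no)
    header = TAC_PLUS_HDR.pack(version, ptype, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(data, key):
    """Split a packet into header fields and the de-obfuscated body (key may be None)."""
    version, ptype, seq_no, flags, session_id, length = TAC_PLUS_HDR.unpack_from(data)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ major version 0xc packet")
    if len(data) != TAC_PLUS_HDR.size + length:
        raise ValueError("length field does not match packet size")
    payload = data[TAC_PLUS_HDR.size:]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    elif key is None:
        raise ValueError("obfuscated body but no shared secret supplied")
    else:
        body = obfuscate(payload, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body: action=LOGIN(1), authen_type=ASCII(1), service=LOGIN(1),
    followed by the four one-byte lengths and the user, port, rem_addr, data strings."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d)]) + u + p + r + d


def single_connect_negotiated(client_first_flags, server_first_reply_flags):
    """Single-connection mode applies only if the client set the flag in its first packet
    on the TCP connection and the server set it in its first reply (RFC 8907 section 4.3)."""
    return bool(client_first_flags & TAC_PLUS_SINGLE_CONNECT_FLAG
                and server_first_reply_flags & TAC_PLUS_SINGLE_CONNECT_FLAG)


def tcp_connections_needed(packets, single_connect):
    """Each distinct session_id is one authen/author/acct transaction. Without single-connect
    each transaction opens its own TCP connection; with it, all of them share one."""
    sessions = {pkt["session_id"] for pkt in packets}
    return 1 if single_connect and sessions else len(sessions)
```

Run `parse_packet` over frames captured on the load-balanced path (for instance from a pcap filtered on TCP port 49) to confirm that both the network device's first packet and the PSN's first reply carry the single-connect flag; if either side clears it, every transaction becomes a new TCP connection and the LB stickiness described above is what keeps a session on one PSN. The body obfuscation is an MD5 keystream, not encryption, which is why RFC 8907 recommends carrying TACACS+ only over a trusted management network or inside a protected tunnel.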