Cisco ISE - High Authentication Latency (Cause ODBC ?)

Hello,

 

Has anybody had the experience that ODBC lookups might lead to "High Authentication Delay" on ISE PSN Nodes?

And does anybody have a possible solution for that potential issue?

 

We have an ODBC connection to look up MAC addresses for NAC.

Yesterday we added a second ODBC server and configured an Identity Source Sequence. 

After 1 hour PSN Nodes started to show "High Authentication Latency".

Even TACACS did not work anymore. 

 

After removing the second ODBC server and a connection reset on the load balancer, ISE is working normally again.

Not sure if the TAC case will lead to any result...

 

Best regards,

Steffen

 

 

1 Accepted Solution

Thanks to all your answers. 

We investigated further with our partner and can confirm that non-reachable ODBC caused the latency issues. We are using ISE 3.0 Patch 5.

There seems to be no solution on ISE itself, but maybe putting the DB behind a load balancer might be a feasible solution.

 

Best regards,

steffen 

4 Replies

Try to capture the communication between ISE and ODBC to see if the
responses are coming on time or not. This will guide you on where to focus,
i.e. ISE or ODBC. If ISE sends the lookup request but doesn't get a timely
response, it will show this error. But first we need to confirm that
requests are sent on time.

Hi steffen.bodensohn@heraeus.com,

Beyond what @Mohammed al Baqari said, please go to Operations > RADIUS > Live Logs, click the Details icon (on any line that uses the ODBC server) and take a look at the Steps window for any Step Latency.

 

 

Hope this helps !!!

Arne Bier
VIP

Hi steffen.bodensohn@heraeus.com 

 

It's been a while since I used ODBC in ISE - one comment back then from TAC was that when defining the ODBC Identity Sources, you should use IPv4 addresses, and not hostnames. Apparently ISE supports hostnames but it adds latency (and bugs?) so rather put an IP address in that field.

There was also some discussion that the failover didn't work as expected. So if you have some way to front-end the ISE->ODBC connection by using a load balancer, then that might be better than relying on ISE to perform the ODBC failover detection. A load balancer comes with its own fun and games (persistence).
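
Added example, not code from any poster in this thread: a Python probe that times name resolution and TCP connect separately for each ODBC backend, covering the two suspects raised above (hostnames instead of IP addresses, and a non-reachable database server). The addresses, port 1433 and the function names are assumptions for illustration; run it from a host on the same network path as the PSNs.

```python
import ipaddress
import socket
import time

# Constructed sample targets (documentation addresses, not from the thread).
# Port 1433 is an assumption (MS SQL); use your database's listener port.
ODBC_SERVERS = [("192.0.2.10", 1433), ("192.0.2.11", 1433)]

def probe(host, port, timeout=2.0):
    """Time name resolution and TCP connect separately for one backend."""
    result = {"host": host, "port": port, "resolve_ms": 0.0,
              "connect_ms": None, "status": None}
    try:
        ipaddress.ip_address(host)          # literal IP: no DNS lookup needed
        addr = host
    except ValueError:
        t0 = time.monotonic()
        try:
            addr = socket.getaddrinfo(host, port, socket.AF_INET,
                                      socket.SOCK_STREAM)[0][4][0]
        except socket.gaierror:
            result["status"] = "dns-failure"
            return result
        finally:
            result["resolve_ms"] = (time.monotonic() - t0) * 1000
    t0 = time.monotonic()
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            result["status"] = "ok"
    except socket.timeout:
        result["status"] = "unreachable"    # no answer: full timeout was spent
    except ConnectionRefusedError:
        result["status"] = "refused"        # host up, database listener down
    except OSError:
        result["status"] = "unreachable"    # no route, network down, etc.
    result["connect_ms"] = (time.monotonic() - t0) * 1000
    return result

def unhealthy(results):
    """Backends a load balancer health check would take out of rotation."""
    return [r for r in results if r["status"] != "ok"]

if __name__ == "__main__":
    for r in [probe(h, p) for h, p in ODBC_SERVERS]:
        print(r)
```

An "unreachable" result with `connect_ms` close to the timeout is the case where each lookup waits out the full timer, whereas "refused" fails fast.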
