International Latency

stbrewer
Cisco Employee

Good Morning Experts!

We are currently looking at deploying ISE to our international locations. All AAA requests will come to the London datacenter where a single PSN resides. In the event of a London datacenter outage, we are concerned that the latency will be too high coming back to the U.S.A. Is there a recommendation on latency for AAA functions between clients and the policy nodes?

Along with that, we may be able to mitigate the risk by deploying a second overseas ISE configuration in our Amsterdam location. However, the latency may still be an issue if there is an issue at both locations. No links are using all the bandwidth at this time, but QoS is certainly on the radar.

Overall, we just need to know what the recommended latency is for clients to policy servers. Please see attached for a drawing which may help explain what we're trying to do.

Thank you.

1 Accepted Solution

Jason Kunst
Cisco Employee

This is part of the HLD process.

For more information see https://communities.cisco.com/docs/DOC-68347

4 Replies

Found that one already; however, it doesn't answer the client-to-server latency requirements.

Client to server is more forgiving with Dot1x RADIUS and client, which is less susceptible to the delays.

To add to Jason's comments, see ISE Latency and Bandwidth Calculators.

The primary latency factor is that of the secondary ISE servers (including PSNs) from the Primary PAN. This is measured in ms. Next, you must consider latency from NADs to PSN, but this is more lenient and timeouts are set in seconds. Client to PSN traffic is limited to web portal/redirect services and now latency is similar to that of other web-based services. Other services where the PSN speaks directly to the endpoint are posture (also web-based communication) and profiling (NMAP/SNMP Query). These also can tolerate latency measured > sec, but you can tune the SNMP timeout for the probe as needed.

Craig