Provider Connectivity Assurance Installation

Prev Next

Provider Connectivity Assurance Installation

This article will help you install Provider Connectivity Assurance.

Deployment Prerequisites

To install Provider Connectivity Assurance, your system must meet the following requirements:

  • Linux operating system
    • We test on RHEL9, Ubuntu 22.04/24.04, and Debian 12
  • x86-64 architecture
  • systemd

Computing Resources

CPU Cores Memory Disk Minimun # Nodes # of Sessions Read IOPS Write IOPS Retention
Lab 32 64GB 750GB 1 Up to 100 10000 IOPS 1000 IOPS N/A
Small 72 128GB 2.5TB 1 Up to 10000 10000 IOPS 1000 IOPS 1 minute data for 3 months

More sizes will be supported in future releases

Ports used by Local Processes

  • 2379/TCP
  • 7443/TCP
  • 9099/TCP
  • 10248/TCP
  • 10257/TCP
  • 10259/TCP

Ports needed for internal exposure

The Admin Console uses port 30000/TCP by default.

Ports Required for Bidirectional Communication Between Nodes

The following ports are used for bidirectional communication between nodes.

For multi-node installations, create firewall openings between nodes for these ports.

For single-node installations, ensure that there are no other processes using these ports. Although there is no communication between nodes in single-node installations, these ports are still required.

  • 2380/TCP
  • 4789/UDP
  • 6443/TCP
  • 9091/TCP
  • 9443/TCP
  • 10249/TCP
  • 10250/TCP
  • 10256/TCP

DNS Configuration

If you are planning on using domain names for your deployment, you must have the following entries configured.

You will need to configure the following domains:

Application Domain name Example
Identity and Access Management auth.{domain} auth.mydomain.com
Tenant {tenant-name}.{domain} pca.mydomain.com
Deployment {deployment-name}.{domain} performance.mydomain.com

When using DNS, only port 443/TCP needs to be externally exposed.

No-DNS Configuration

If you are no using DNS, then applications are accessed via different ports. No-DNS mode only works with IPv4.

Application Port
Identity and Access Management {ip}:3443
Tenant {ip}:443
Deployment {ip}:2443

(Optional) Dual-Stack Linux Infrastructure for IPv6 Support

To utilize IPv6 functionality with Provider Connectivity Assurance, your underlying Linux infrastructure must be configured for dual-stack networking. Single stack IPv6 is not supported.

Also note that if using IPv6, you must also have DNS configured for your host machine. You will be asked to provide the domain name of the server when deploying Provider Connectivity Assurance from the Admin Console. Also note that the Admin Console will have to be accessed via the machine's IPv4 address.

Increase limits for monitoring file system events

Run the following commands on your machines to ensure optimal performance and stability of Provider Connectivity Assurance.

echo "fs.inotify.max_user_watches=100000000" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_user_instances=8192" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_queued_events=16384" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

sudo bash -c 'echo "DefaultLimitNOFILE=unlimited" >> /etc/systemd/system.conf && \
echo -e "* soft nofile unlimited\n* hard nofile unlimited\nroot soft nofile unlimited\nroot hard nofile unlimited" >> /etc/security/limits.conf && echo "All limits set. Please reboot for changes to take full effect."'

## important: Reboot!!
sudo reboot

Getting Started

To start, you must download Provider Connectivity Assurance from the Download Portal. An account must be created for you by Cisco or by a user with an existing account to access the website. You must provide a valid email to access your Download Portal. You may be emailed a temporary access code to continue.

image.png

In the Download Portal, follow the installation guide steps to obtain the tar archive for the provider-connectivity-assurance installation asset.

The first step is to prepare an instance by giving it a name and selecting if the instance will be able to make outbound requests back to our servers directly or if they will require an HTTPS proxy. Choose the appropriate network availability for your installation environment. This selection will alter the installation command shared in the next step to include the instruction on how to setup the HTTPS proxy as appropriate.
image.png

If you are running Provider Connectivity Assurance using IPv6, you must choose a version of the software that is for dual stack. For example, version 25.7.7-1-dual-stack. If you are not IPv6 your version will look like 25.7.7-1.

image.png

Once obtained, extract the installation assets to your machine and install the software using the following command:

sudo ./provider-connectivity-assurance install --license license.yaml

The installation will prompt you to set a password for accessing the Admin Console. Expect this step to take up to 15 minutes.

Example Output

? Set the Admin Console password (minimum 6 characters): ************
? Confirm the Admin Console password: ************
✔  Host files materialized!
✔  Host preflights succeeded!
◒  Waiting for provider-connectivity-assurance node to be ready

Access the Provider Connectivity Assurance Admin Console

Once the provider-connectivity-assurance installation completes, you can access the Admin Console which will be used to further configure your deployment, for future upgrades of the software, and for obtaining support bundles to obtain help with troubleshooting if the need arises. The Admin Console is hosted as a web server on port 30000 of your machine; connect to it via your web browser of choice. It only needs to be accessed internally for users who are managing the deployment and maintenance of the cluster.

image.png

When first setting up the Admin Console, you can optionally create a TLS certificate to secure the communications of the Admin Console. By default, a self-signed certificate is used and connections are always via HTTPS.

On installation, you were asked to configure a password for the Admin Console. This password can be reset using the provider-connectivity-assurance command line utility installed on your machine. Provide this password to access the Admin Console.

image.png

Adding nodes to the Cluster

Provider Connectivity Assurance can be deployed over a cluster of nodes. In order to add more nodes to the cluster, the provider-connectivity-assurance installation assets must be copied to the new nodes. The admin console presents the steps necessary to add the node to the cluster. This is optional and can be done before the first deployment of the Provider Connectivity Assurance software or on a subsequent patching of the deployment.

image.png

Configuring Provider Connectivity Assurance

Follow the steps documented to configure your Provider Connectivity Assurance deployment.
Each configuration option is documented with details on its purpose. Most options have default values, it is recommended to stick with defaults when possible. The IP addresses for the internal and Options can be updated in subsequent deployments.

image.png

Once the deployment begins, a spinner will indicate the deployment is in progress. Expect this process to take approximately 15 minutes.

Pre-flight Checks

Upon deploying your software, your system will undergo a series of pre-flight checks to determine compatibility. These checks should not be ignored as they check for the minimum requirements needed to run Provider Connectivity Assurance in your environment.
If you deploy using an IPv6 address for the host machine but you do not use a version of the deployer that is post-fixed with the label dual-stack in the version, then the pre-flight checks will fail indicating that you must use a dual-stack version of the deployer.

First time login

Once the deployment from the Admin Console is complete, you can login for the first time using the default admin user for the deployment. The username of the default admin user will use the deployment name and domain name entered in the Admin Console configuration.

PCA Version Default Admin Username Password
Prior to 25.7.7-30 {deployment-name}-admin@auth.{domain-name}

For example,
performance-admin@auth.onprem.cisco.internal
ChangeMeA$ap123
After 25.7.7-30 {deployment-name}-admin@auth.{domain-name}

For example,
performance-admin@auth.onprem.cisco.internal
The password is listed in the admin console

You can login using the default admin user to the web UI hosted at:

If your installation was installed with DNS

Web UI
https://{tenant-name}.{domain-name}

If your installation was installed with no DNS

Web UI
https://{external—ip}

Upon first login, you will be asked to change the password of the default admin user.

Accessing the Identity and Access Management UI

Identity and access management in Provider Connectivity Assurance is implemented via Zitadel. The Zitadel UI can be used to create service users for API integration as well as for configuring SSO for the deployment. It is hosted at:
### If your installation was installed with DNS

Zitadel UI
https://auth.{domain-name}

If your installation was installed with no DNS

Zitadel UI
https://{external—ip}:3443