Provider Connectivity Assurance Installation

Prev Next

This article will help you install Provider Connectivity Assurance.

Deployment Prerequisites

To install Provider Connectivity Assurance, your system must meet the following requirements:

  • Linux operating system
    • We test on RHEL9, Ubuntu 22.04/24.04, and Debian 12
  • x86-64 architecture
  • systemd

Computing Resources

CPU Cores Memory Disk Minimun # Nodes # of Sessions Read IOPS Write IOPS Retention
Lab 32 64GB 750GB 1 Up to 100 10000 IOPS 1000 IOPS N/A
Small 72 128GB 2.5TB 1 Up to 10000 10000 IOPS 1000 IOPS 1 minute data for 3 months

Ports Used by Local Processes

  • 2379/TCP
  • 7443/TCP
  • 9099/TCP
  • 10248/TCP
  • 10257/TCP
  • 10259/TCP

Ports Required for Internal Exposure

By default, the Admin Console uses port 30000/TCP.

Ports Required for Bidirectional Communication Between Nodes

The following ports enable bidirectional communication between nodes.

Note: For multi-node installations, create firewall openings between nodes for these ports. For single-node installations, ensure that no other processes using these ports. Although there is no communication between nodes in single-node installations, these ports are still required.

  • 2380/TCP
  • 4789/UDP
  • 6443/TCP
  • 9091/TCP
  • 9443/TCP
  • 10249/TCP
  • 10250/TCP
  • 10256/TCP

External URL Access

The following URLs need to be accessible for installing Provider Connectivity Assurance:

  • proxy-registry.pca.cisco.com
  • update.pca.cisco.com

DNS Configuration

If you are planning on using domain names for your deployment, you must have the following entries configured:

Application Domain Name Example
Identity and Access Management auth.{domain} auth.mydomain.com
Tenant {tenant-name}.{domain} pca.mydomain.com
Deployment {deployment-name}.{domain} performance.mydomain.com

When using DNS, only port 443/TCP needs to be externally exposed.

No-DNS Configuration

If you are not using DNS, then applications are accessed via different ports. No-DNS mode only works with IPv4.

If DNS is not used, applications must be accessed through different ports. Note that No-DNS mode only supports IPv4.

Application Port
Identity and Access Management {ip}:3443
Tenant {ip}:443
Deployment {ip}:2443

(Optional) Dual-Stack Linux Infrastructure for IPv6 Support

To utilize IPv6 functionality with Provider Connectivity Assurance, your underlying Linux infrastructure must be configured for dual-stack networking. Single stack IPv6 is not supported.

Also note that if using IPv6, you must have DNS configured for your host machine. You will be asked to provide the server's domain name when deploying Provider Connectivity Assurance from the Admin Console. The Admin Console will have to be accessed via the machine's IPv4 address.

Increase Limits for Monitoring File System Events

Run the following commands on your machines to ensure optimal performance and stability for Provider Connectivity Assurance.

echo "fs.inotify.max_user_watches=100000000" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_user_instances=8192" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_queued_events=16384" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

sudo bash -c 'echo "DefaultLimitNOFILE=unlimited" >> /etc/systemd/system.conf && \
echo -e "* soft nofile unlimited\n* hard nofile unlimited\nroot soft nofile unlimited\nroot hard nofile unlimited" >> /etc/security/limits.conf && echo "All limits set. Please reboot for changes to take full effect."'

## important: Reboot!!
sudo reboot

Getting Started

To begin, you must download Provider Connectivity Assurance from the Download Portal. To access the website, an account must be created for you by Cisco or by a user with an existing account.

You must provide a valid email to access your Download Portal. You may be emailed a temporary access code to continue.

image.png

In the Download Portal, follow the Installation Guide to obtain the tar archive for the provider-connectivity-assurance installation asset.

The first step is to prepare an instance by giving it a name and selecting if the instance will be able to make outbound requests back to our servers directly or if they will require an HTTPS proxy.

Choose the appropriate network availability for your installation environment. This selection will modify the installation command provided in the next step to include the appropriate instructions for configuring the HTTPS proxy.
image.png

If you are running Provider Connectivity Assurance using IPv6, you must choose a version of the software that is for dual stack. For example, version 25.7.7-1-dual-stack. If you are not using IPv6, your version will look like 25.7.7-1.

image.png

Once obtained, extract the installation assets to your machine and install the software using the following command:

sudo ./provider-connectivity-assurance install --license license.yaml

The installation will prompt you to set a password for accessing the Admin Console.

Note: This step can take up to 15 minutes.

Example Output

? Set the Admin Console password (minimum 6 characters): ************
? Confirm the Admin Console password: ************
✔  Host files materialized!
✔  Host preflights succeeded!
◒  Waiting for provider-connectivity-assurance node to be ready

Access the Provider Connectivity Assurance Admin Console

Once the provider-connectivity-assurance installation is complete, you can access the Admin Console. This will be used to further configure your deployment, for future upgrades of the software, and for obtaining support bundles to get help with troubleshooting, if needed.

The Admin Console is hosted as a web server on port 30000 of your machine; connect to it via your web browser of choice. It only needs to be accessed internally for users who are managing the cluster's deployment and maintenance.

image.png

When first setting up the Admin Console, you can optionally create a TLS certificate to secure the communications of the Admin Console. By default, a self-signed certificate is used and connections are always via HTTPS.

Upon installation, you were asked to configure a password for the Admin Console. Provide this password to access the Admin Console.

Note: This password can be reset using the provider-connectivity-assurance command line utility installed on your machine.

image.png

Adding Nodes to the Cluster

Provider Connectivity Assurance can be deployed over a cluster of nodes. In order to add more nodes to the cluster, the provider-connectivity-assurance installation assets must be copied to the new nodes. The Admin Console presents the necessary steps to add the node to the cluster.

Note: This is optional and can be completed before the first deployment of the Provider Connectivity Assurance software or on a subsequent patching of the deployment.

image.png

Configuring Provider Connectivity Assurance

Follow the steps below to configure your Provider Connectivity Assurance deployment. Each configuration option is documented with details on its purpose. Most options have default values, and it is recommended to stick with defaults when possible.

image.png

Once the deployment begins, a spinner will indicate that it is in progress.

Note: This process takes approximately 15 minutes.

Pre-Flight Checks

Upon deploying your software, your system will undergo a series of pre-flight checks to determine compatibility. These checks should not be ignored because they check for the minimum requirements needed to run Provider Connectivity Assurance in your environment.

If you deploy using an IPv6 address for the host machine but you do not use a version of the deployer that is post-fixed with the label dual-stack in the version, the pre-flight checks will fail, indicating that you must use a dual-stack version of the deployer.

First Time Login

Once the deployment from the Admin Console is complete, you can log in for the first time using the default admin user for the deployment.

Note: The default admin user's username will come from the deployment name and domain name entered in the Admin Console configuration.

PCA Version Default Admin Username Password
25.07 CA {deployment-name}-admin@auth.{domain-name}

For example:
performance-admin@auth.onprem.cisco.internal
The password is listed in the Admin Console.

As the default admin user, you can log in to the web UI hosted at:

If your installation was installed with DNS

Web UI
https://{tenant-name}.{domain-name}

If your installation was installed with no DNS

Web UI
https://{external—ip}

Note: On first login, you will be asked to change the default admin user's password.

Accessing the Identity and Access Management UI

Identity and access management in Provider Connectivity Assurance is implemented via Zitadel. The Zitadel UI can be used to create service users for API integration as well as for configuring SSO for the deployment.

It is hosted at:

If your installation was installed with DNS

Zitadel UI
https://auth.{domain-name}

If your installation was installed with no DNS

Zitadel UI
https://{external—ip}:3443