Provider Connectivity Assurance Installation
This article will help you install Provider Connectivity Assurance.
Deployment Prerequisites
To install Provider Connectivity Assurance, your system must meet the following requirements:
- Linux operating system
- We test on RHEL9, Ubuntu 22.04/24.04, and Debian 12
- x86-64 architecture
- systemd
Computing Resources
| CPU Cores | Memory | Disk | Minimun # Nodes | # of Sessions | Read IOPS | Write IOPS | Retention | |
|---|---|---|---|---|---|---|---|---|
| Lab | 32 | 64GB | 750GB | 1 | Up to 100 | 10000 IOPS | 1000 IOPS | N/A |
| Small | 72 | 128GB | 2.5TB | 1 | Up to 10000 | 10000 IOPS | 1000 IOPS | 1 minute data for 3 months |
More sizes will be supported in future releases
Ports used by Local Processes
- 2379/TCP
- 7443/TCP
- 9099/TCP
- 10248/TCP
- 10257/TCP
- 10259/TCP
Ports needed for internal exposure
The Admin Console uses port 30000/TCP by default.
Ports Required for Bidirectional Communication Between Nodes
The following ports are used for bidirectional communication between nodes.
For multi-node installations, create firewall openings between nodes for these ports.
For single-node installations, ensure that there are no other processes using these ports. Although there is no communication between nodes in single-node installations, these ports are still required.
- 2380/TCP
- 4789/UDP
- 6443/TCP
- 9091/TCP
- 9443/TCP
- 10249/TCP
- 10250/TCP
- 10256/TCP
DNS Configuration
If you are planning on using domain names for your deployment, you must have the following entries configured.
You will need to configure the following domains:
| Application | Domain name | Example |
|---|---|---|
| Identity and Access Management | auth.{domain} | auth.mydomain.com |
| Tenant | {tenant-name}.{domain} | pca.mydomain.com |
| Deployment | {deployment-name}.{domain} | performance.mydomain.com |
When using DNS, only port 443/TCP needs to be externally exposed.
No-DNS Configuration
If you are no using DNS, then applications are accessed via different ports. No-DNS mode only works with IPv4.
| Application | Port |
|---|---|
| Identity and Access Management | {ip}:3443 |
| Tenant | {ip}:443 |
| Deployment | {ip}:2443 |
(Optional) Dual-Stack Linux Infrastructure for IPv6 Support
To utilize IPv6 functionality with Provider Connectivity Assurance, your underlying Linux infrastructure must be configured for dual-stack networking. Single stack IPv6 is not supported.
Also note that if using IPv6, you must also have DNS configured for your host machine. You will be asked to provide the domain name of the server when deploying Provider Connectivity Assurance from the Admin Console. Also note that the Admin Console will have to be accessed via the machine's IPv4 address.
Increase limits for monitoring file system events
Run the following commands on your machines to ensure optimal performance and stability of Provider Connectivity Assurance.
echo "fs.inotify.max_user_watches=100000000" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_user_instances=8192" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_queued_events=16384" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo bash -c 'echo "DefaultLimitNOFILE=unlimited" >> /etc/systemd/system.conf && \
echo -e "* soft nofile unlimited\n* hard nofile unlimited\nroot soft nofile unlimited\nroot hard nofile unlimited" >> /etc/security/limits.conf && echo "All limits set. Please reboot for changes to take full effect."'
## important: Reboot!!
sudo reboot
Getting Started
To start, you must download Provider Connectivity Assurance from the Download Portal. An account must be created for you by Cisco or by a user with an existing account to access the website. You must provide a valid email to access your Download Portal. You may be emailed a temporary access code to continue.
In the Download Portal, follow the installation guide steps to obtain the tar archive for the provider-connectivity-assurance installation asset.
The first step is to prepare an instance by giving it a name and selecting if the instance will be able to make outbound requests back to our servers directly or if they will require an HTTPS proxy. Choose the appropriate network availability for your installation environment. This selection will alter the installation command shared in the next step to include the instruction on how to setup the HTTPS proxy as appropriate.
If you are running Provider Connectivity Assurance using IPv6, you must choose a version of the software that is for dual stack. For example, version 25.7.7-1-dual-stack. If you are not IPv6 your version will look like 25.7.7-1.
Once obtained, extract the installation assets to your machine and install the software using the following command:
sudo ./provider-connectivity-assurance install --license license.yaml
The installation will prompt you to set a password for accessing the Admin Console. Expect this step to take up to 15 minutes.
Example Output
? Set the Admin Console password (minimum 6 characters): ************
? Confirm the Admin Console password: ************
✔ Host files materialized!
✔ Host preflights succeeded!
◒ Waiting for provider-connectivity-assurance node to be ready
Access the Provider Connectivity Assurance Admin Console
Once the provider-connectivity-assurance installation completes, you can access the Admin Console which will be used to further configure your deployment, for future upgrades of the software, and for obtaining support bundles to obtain help with troubleshooting if the need arises. The Admin Console is hosted as a web server on port 30000 of your machine; connect to it via your web browser of choice. It only needs to be accessed internally for users who are managing the deployment and maintenance of the cluster.
When first setting up the Admin Console, you can optionally create a TLS certificate to secure the communications of the Admin Console. By default, a self-signed certificate is used and connections are always via HTTPS.
On installation, you were asked to configure a password for the Admin Console. This password can be reset using the provider-connectivity-assurance command line utility installed on your machine. Provide this password to access the Admin Console.
Adding nodes to the Cluster
Provider Connectivity Assurance can be deployed over a cluster of nodes. In order to add more nodes to the cluster, the provider-connectivity-assurance installation assets must be copied to the new nodes. The admin console presents the steps necessary to add the node to the cluster. This is optional and can be done before the first deployment of the Provider Connectivity Assurance software or on a subsequent patching of the deployment.
Configuring Provider Connectivity Assurance
Follow the steps documented to configure your Provider Connectivity Assurance deployment.
Each configuration option is documented with details on its purpose. Most options have default values, it is recommended to stick with defaults when possible. The IP addresses for the internal and Options can be updated in subsequent deployments.
Once the deployment begins, a spinner will indicate the deployment is in progress. Expect this process to take approximately 15 minutes.
Pre-flight Checks
Upon deploying your software, your system will undergo a series of pre-flight checks to determine compatibility. These checks should not be ignored as they check for the minimum requirements needed to run Provider Connectivity Assurance in your environment.
If you deploy using an IPv6 address for the host machine but you do not use a version of the deployer that is post-fixed with the label dual-stack in the version, then the pre-flight checks will fail indicating that you must use a dual-stack version of the deployer.
First time login
Once the deployment from the Admin Console is complete, you can login for the first time using the default admin user for the deployment. The username of the default admin user will use the deployment name and domain name entered in the Admin Console configuration.
| PCA Version | Default Admin Username | Password |
|---|---|---|
| Prior to 25.7.7-30 | {deployment-name}-admin@auth.{domain-name} For example, performance-admin@auth.onprem.cisco.internal |
ChangeMeA$ap123 |
| After 25.7.7-30 | {deployment-name}-admin@auth.{domain-name} For example, performance-admin@auth.onprem.cisco.internal |
The password is listed in the admin console |
You can login using the default admin user to the web UI hosted at:
If your installation was installed with DNS
| Web UI |
|---|
| https://{tenant-name}.{domain-name} |
If your installation was installed with no DNS
| Web UI |
|---|
| https://{external—ip} |
Upon first login, you will be asked to change the password of the default admin user.
Accessing the Identity and Access Management UI
Identity and access management in Provider Connectivity Assurance is implemented via Zitadel. The Zitadel UI can be used to create service users for API integration as well as for configuring SSO for the deployment. It is hosted at:
### If your installation was installed with DNS
| Zitadel UI |
|---|
| https://auth.{domain-name} |
If your installation was installed with no DNS
| Zitadel UI |
|---|
| https://{external—ip}:3443 |