https://community.cisco.com/t5/network-access-control/loadbalanced-ise-sharing-persistence-for-radius-auth-acct-vips/m-p/3989393#M455422 <P>"Persistency Groups" on the Netscaler look to be the equivalent of F5's "match across services" (used in cisco's ISE and F5 documentation) for persistence sharing between VIPs.</P><P>&nbsp;</P><P>I tested this on the Netscaler by:</P><UL><LI>Created a Persistency Group under <STRONG>Traffic Management &gt; Load Balancing &gt; Persistency Group</STRONG></LI><LI>Added persistence settings to the group:<BR />Rule - CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(4)</LI><LI>Added the ISE RADIUS authentication and accounting VIPs to the Persistency Group.</LI></UL><P>&nbsp;</P><P>This seems to have solved the issue and now RADIUS authentication and accounting traffic are sent to the same psn for a given Calling-Station-Id.</P><P>&nbsp;</P><P>Cheers<BR />Andy</P><P>&nbsp;</P><P>ps to check the persistency group is working as expected on the Netscaler I used the command "<STRONG>show lb persistentSessions &lt;NAME_OF_PERSISTENCY_GROUP&gt;</STRONG>" - this displays the Calling-Station-Ids and the mapped psn used for both RADIUS authentication and accounting</P> Tue, 26 Nov 2019 10:20:47 GMT andrewswanson 2019-11-26T10:20:47Z https://community.cisco.com/t5/network-access-control/loadbalanced-ise-sharing-persistence-for-radius-auth-acct-vips/m-p/3988855#M455421 <P>Hi</P><P>&nbsp;</P><P>I have ISE PSNs loadbalanced with a Citrix MPX - there are 2 VIPs (same IP) for RADIUS authentication and accounting. These VIPs have the same peristence rules (calling-id with a backup of nas-ip).</P><P>&nbsp;</P><P>I've noticed the following syslog messages in ISE RADIUS accounting for some clients:</P><P>&nbsp;</P><P><STRONG>Audit session was not found</STRONG><BR /><STRONG>Accounting start was received for non-existing session</STRONG></P><P>&nbsp;</P><P>I thought this may have something to do with some clients authenticating against one psn and the accounting traffic being sent to another. I confirmed this by modifying a NAD switch to use a particular PSN IP rather than the loadbalanced VIP for RADIUS. With this config in place, there were no more syslogs like the ones above.</P><P>&nbsp;</P><P>I'm looking at the netscaler documentation below to share persistent sessions between the 2 RADIUS auth/acct VIPs so that a client's auth/acct traffic always hits the same psn for both services.</P><P>&nbsp;</P><P><A href="https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-persistence/sharing-persistent-sessions.html" target="_blank">https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-persistence/sharing-persistent-sessions.html</A></P><P>&nbsp;</P><P>Has anyone else come across this issue and, if so, am I on the right track?</P><P>&nbsp;</P><P>Thanks<BR />Andy</P> Mon, 25 Nov 2019 12:30:12 GMT https://community.cisco.com/t5/network-access-control/loadbalanced-ise-sharing-persistence-for-radius-auth-acct-vips/m-p/3988855#M455421 andrewswanson 2019-11-25T12:30:12Z https://community.cisco.com/t5/network-access-control/loadbalanced-ise-sharing-persistence-for-radius-auth-acct-vips/m-p/3989393#M455422 <P>"Persistency Groups" on the Netscaler look to be the equivalent of F5's "match across services" (used in cisco's ISE and F5 documentation) for persistence sharing between VIPs.</P><P>&nbsp;</P><P>I tested this on the Netscaler by:</P><UL><LI>Created a Persistency Group under <STRONG>Traffic Management &gt; Load Balancing &gt; Persistency Group</STRONG></LI><LI>Added persistence settings to the group:<BR />Rule - CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(4)</LI><LI>Added the ISE RADIUS authentication and accounting VIPs to the Persistency Group.</LI></UL><P>&nbsp;</P><P>This seems to have solved the issue and now RADIUS authentication and accounting traffic are sent to the same psn for a given Calling-Station-Id.</P><P>&nbsp;</P><P>Cheers<BR />Andy</P><P>&nbsp;</P><P>ps to check the persistency group is working as expected on the Netscaler I used the command "<STRONG>show lb persistentSessions &lt;NAME_OF_PERSISTENCY_GROUP&gt;</STRONG>" - this displays the Calling-Station-Ids and the mapped psn used for both RADIUS authentication and accounting</P> Tue, 26 Nov 2019 10:20:47 GMT https://community.cisco.com/t5/network-access-control/loadbalanced-ise-sharing-persistence-for-radius-auth-acct-vips/m-p/3989393#M455422 andrewswanson 2019-11-26T10:20:47Z