Beginner

5440 Endpoint abandoned EAP session and started new through Load Balancer

We are using a NetScaler to load balance RADIUS requests to our PSN nodes for 802.1X. When I go from a Cisco switch directly to the PSN nodes it works fine. When we try to pass it through the LB we get the "5440 Endpoint abandoned EAP session and started new" error. We are doing EAP-TLS with certificates.

Accepted Solutions
Advocate

Re: 5440 Endpoint abandoned EAP session and started new through Load Balancer

The issue suggests that you do not have persistence configured properly on the Netscaler LB.  See Cisco Live session BRKSEC-3699 (reference version) posted to ciscolive.com (requires one-time free registration) for additional details on persistence as well as Citrix examples.  Direct link:

https://www.ciscolive.com/global/on-demand-library/?search=brksec-3699&search.event=ciscoliveus2018#/session/1511296160606001Af1J

 

This is an example based on Calling Station ID:

add lb vserver radius-auth RADIUS 172.16.0.16 1812 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -cltTimeout 120
add lb vserver radius-acct RADIUS 172.16.0.16 1813 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -cltTimeout 120
set lb group RADIUS-Calling-Station-ID -persistenceType RULE -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)"

 

Craig
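
Added example, not part of the original post or of Cisco or Citrix material: a Python model of why the persistence rule above keys on RADIUS attribute 31 (Calling-Station-ID). EAP-TLS takes several Access-Request round trips and the EAP session state is held by one PSN, so every packet from an endpoint must reach the same node. The PSN names, MAC addresses and packets are constructed samples.

```python
import struct

CALLING_STATION_ID = 31  # attribute type matched by CLIENT.UDP.RADIUS.ATTR_TYPE(31)

def access_request(ident, mac):
    """Constructed sample: minimal Access-Request carrying only attribute 31."""
    val = mac.encode()
    attr = bytes([CALLING_STATION_ID, len(val) + 2]) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attr)) + bytes(16) + attr

def radius_attr(pkt, wanted):
    """Return the first value of attribute `wanted`, or None if absent or malformed."""
    if len(pkt) < 20:
        return None
    total = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= total <= len(pkt):
        return None
    pos = 20
    while pos + 2 <= total:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > total:
            return None  # truncated or zero-length attribute
        if atype == wanted:
            return pkt[pos + 2:pos + alen]
        pos += alen
    return None

def distribute(packets, psns, persist):
    """Map each endpoint to the set of PSNs that received its packets."""
    table, seen, nxt = {}, {}, 0
    for pkt in packets:
        key = radius_attr(pkt, CALLING_STATION_ID)
        if key is None:
            continue  # no Calling-Station-ID: nothing to persist on
        if persist and key in table:
            psn = table[key]  # existing persistence entry wins
        else:
            psn = psns[nxt % len(psns)]  # new endpoint, or persistence off
            nxt += 1
            table[key] = psn
        seen.setdefault(key.decode(), set()).add(psn)
    return seen

PSNS = ["psn1", "psn2"]  # hypothetical PSN names
MACS = ["00-11-22-33-44-55", "66-77-88-99-AA-BB", "CC-DD-EE-FF-00-11"]
# Three endpoints, four Access-Requests each from one EAP-TLS exchange, interleaved.
TRAFFIC = [access_request(i, mac) for i in range(4) for mac in MACS]

if __name__ == "__main__":
    print("no persistence:", distribute(TRAFFIC, PSNS, persist=False))
    print("persist on 31: ", distribute(TRAFFIC, PSNS, persist=True))
```

Without persistence each endpoint's exchange is spread over both PSNs; with the rule on attribute 31 each endpoint stays on one.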

Beginner

Re: 5440 Endpoint abandoned EAP session and started new through Load Balancer

What should we have the connection type and settings set to?

Advocate

Re: 5440 Endpoint abandoned EAP session and started new through Load Balancer

I would start with Least Connections and see if that shows even distribution of ISE sessions.  https://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-customizing-algorithms/leastconnection-method.html