Enthusiast

CTS PAC provisioning and loadbalancer persistence

Hi

I'm looking to deploy TrustSec to a number of 3650 stacks running 16.6.6.

The production ISE PSNs are behind a Netscaler MPX. I tested my config with a dev ISE box that wasn't loadbalanced and all looked to be ok.

When I tried to provision cts pac with the loadbalanced ISE, I was getting the following errors in the ISE logs.


11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist


Some threads on the forum suggested this could be a loadbalancer persistence issue - I changed a switch to use a PSN IP address rather than the loadbalanced VIP and sure enough cts provisioning worked and the switch could download the cts environment data.

The loadbalanced production ISE VIP has the following rule for persistence with no backup method specified:

CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(8)

What backup persistence method should be used to facilitate cts pac provisioning through the loadbalancer?

Thanks
Andy

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: CTS PAC provisioning and loadbalancer persistence

I have posted about this in the past. I have done pac provisioning with Citrix and F5's leveraging similar many times so I do know it works.

What I suggested for Citrix:
-rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(4)"
https://community.cisco.com/t5/identity-services-engine-ise/radius-persistence-with-load-balanced-ise/m-p/3694180/highlight/true#M16975
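
Added example, not written by either poster and not vendor code: a small Python model of how the two persistence rules in this thread key a multi-packet RADIUS conversation, where attribute 31 is Calling-Station-Id, 8 is Framed-IP-Address and 4 is NAS-IP-Address. It assumes (the thread does not state this) that the switch's PAC provisioning requests carry NAS-IP-Address but no attribute 31 or 8, and that an empty key means the VIP load-balances each packet independently; the packets, PSN names and `route` helper are constructed for illustration.

```python
import struct
from itertools import count

USER_NAME, NAS_IP, FRAMED_IP, CALLING_STATION_ID = 1, 4, 8, 31

def build_request(ident, attrs):
    """Build a minimal RADIUS Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(packet):
    """Return {type: value} for a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return attrs

def persistence_key(packet, rule):
    """Concatenate the rule's attribute values; absent attributes add nothing (assumed)."""
    attrs = parse_attrs(packet)
    return b"".join(attrs.get(t, b"") for t in rule)

def route(packets, rule, psns):
    """Model a VIP: sticky per non-empty key, round-robin when the key is empty."""
    table, rr, chosen = {}, count(), []
    for p in packets:
        key = persistence_key(p, rule)
        psn = table.get(key) if key else None
        if psn is None:
            psn = psns[next(rr) % len(psns)]
            if key:
                table[key] = psn  # remember the PSN for later packets with this key
        chosen.append(psn)
    return chosen

# Constructed sample: three packets of one EAP conversation from a switch (NAS 10.0.0.5).
SWITCH_FLOW = [build_request(i, [(USER_NAME, b"switch-01"), (NAS_IP, bytes([10, 0, 0, 5]))])
               for i in range(3)]
PSNS = ["psn-a", "psn-b"]

if __name__ == "__main__":
    print("31+8:", route(SWITCH_FLOW, (CALLING_STATION_ID, FRAMED_IP), PSNS))
    print("31+4:", route(SWITCH_FLOW, (CALLING_STATION_ID, NAS_IP), PSNS))
```

Under these assumptions the 31+8 rule spreads one conversation across PSNs, which matches the 12953 "session on this PSN that does not exist" error, while 31+4 keeps it on a single PSN.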

Enthusiast

Re: CTS PAC provisioning and loadbalancer persistence

Thanks a lot Damien - sometimes I'm too quick to post on the forum rather than search it!

I had changed the backup persistence to source IP and pac provisioning worked ok through the loadbalancer. I'll look at implementing your single rule for this.

Thanks again

Andy