Persistence of failed endpoints/abandoned EAP session between PSNs of the same Node group

umahar
Cisco Employee

We are doing some testing with F5 and PSNs.

The endpoint is abandoning EAP sessions on one PSN.

We clear the endpoint sessions on ISE Live sessions and also the persistence record on the PSN.

The F5 now sends the RADIUS requests to the second PSN in the same node group.

It seems that there is some stale entry on the PSNs in the same node group, and the new PSN is rejecting this new RADIUS request, thinking that it already has a session.


umahar
Cisco Employee

We are seeing this error on the second PSN

hslai
Cisco Employee

Please ensure the sessions are also cleared on the NAD. Then, enable the debug as recommended in the resolution. It would also help to perform packet captures.

When a new RADIUS auth request comes into ISE, it has no Class attribute. Once ISE processes it, it gives a Class attribute in the response, and the NAD will then use it subsequently as a means to tell ISE to continue with the same conversation. If ISE receives a RADIUS request with a Class attribute but does not have the session, it responds with this error.

ISE node groups are used for the sessions in pending state (e.g. CWA or Posture) and ISE profiling. They have no influence on this matter.

This is perfect, thanks for your post. @hslai