Participant

Cisco ISE - Session failover

Dear All,

Even after creating Node group between PSN's, session failover is not happening. Any help is really appreciated.

Rising star

Node groups do not enable session failover for any sessions other than the ones that are in the process of being authenticated when the node-down is detected. Don't expect any kind of replication of sessions between PSNs. A session that is already authenticated and authorized will stay that way until someone pulls the cable or the re-auth timer expires, in which case the switch will detect that the PSN is down and change to the next PSN in your RADIUS group.

Cisco Employee

When a Policy Service ISE node that has a few active sessions goes down, the endpoints are stuck in an intermediate state. One of its peers from the node group learns about the active sessions on the failed node and issues a CoA to disconnect those sessions. As a result, the sessions restart and are handled by another Policy Service ISE node that is available. The session failover does not automatically move the sessions over from a Policy Service ISE node that has gone down to one that is available, but issues a CoA to achieve that.


hi @Venkatesh Attuluri ,

I am planning to have my deployment upgraded and I need to minimize the interruption. Technically, the other PSNs will take it over by using CoA, but is it transparent from the user's perspective?

Also, is it true that if I manually change the RADIUS authentication order from my primary PSN to my other PSN in my NAD, the users will be disconnected?

Thanks


When you reload a PSN, no CoA is sent to the switch. The node goes down silently from the NAD and endpoint perspective. The completed authentication sessions remain as they did while the node was up. New sessions will be sent to the remaining PSNs based on the RADIUS server configuration on the switch (or load balancer).

The second piece: if you change the RADIUS server order on your switch, it will not reset the authentication sessions. Any authenticated sessions remain untouched; new sessions and accounting updates will use the new primary server when the switch goes to send them. Alternatively, if you leave your RADIUS server config untouched and take down the primary node for that switch, the NAD will have to detect that the PSN is down, either via the automated tester or via RADIUS timeouts.
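As an added illustration (not part of the replies above, and not Cisco's own sample), the IOS-XE side of what the two replies describe: two PSNs in one RADIUS server group with the automated tester and dead-criteria that let the switch mark a failed PSN dead and send new sessions to the next server, plus the dynamic-authorization clients so the CoA from the surviving node-group peer is accepted. Server names, addresses and keys are placeholders.

```cisco
! Each PSN as a named RADIUS server; the automated tester sends a periodic
! probe with a dummy username so the NAD notices a dead PSN without waiting
! for a real client to time out.
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 automate-tester username radius-test probe-on
 key PLACEHOLDER-SHARED-SECRET
!
radius server ISE-PSN-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 automate-tester username radius-test probe-on
 key PLACEHOLDER-SHARED-SECRET
!
! Server order in the group is the order the switch tries them for NEW
! sessions. Reordering the group does not touch already-authenticated
! sessions on the port.
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
 deadtime 10
!
! A server is marked dead after 3 unanswered requests within 10 seconds;
! it then stays skipped for the group deadtime (minutes) above.
radius-server dead-criteria time 10 tries 3
!
! Without these clients the CoA-Disconnect sent by the peer PSN for the
! failed node's sessions is silently dropped by the switch.
aaa server radius dynamic-author
 client 10.0.0.11 server-key PLACEHOLDER-SHARED-SECRET
 client 10.0.0.12 server-key PLACEHOLDER-SHARED-SECRET
 auth-type any
```

`show aaa servers` shows each server's state (UP/DEAD) and the probe counters, which is the quickest way to confirm the tester is actually exercising the path before a planned PSN reload.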

Hi @Damien Miller ,

Thanks for the feedback.

Sorry, but regarding the second concern, has it been tested that if I change the RADIUS server order of my NAD the authenticated user sessions will not be dropped? I just want to confirm because I have mixed answers roaming around here in the community and even from TAC.

Thanks a lot.