Prasan Venky

Cisco ISE - Session failover

Dear All,

Even after creating a node group between PSNs, session failover is not happening. Any help is really appreciated.

Rising star

Node groups do not enable session failover for sessions other than the ones that are in the process of being authenticated when the node down is detected. Don't expect any kind of replication of sessions between PSNs. A session that is already authenticated & authorized will stay that way until someone pulls the cable, or the re-auth timer expires, in which case the switch will detect that the PSN is down and change to the next PSN in your RADIUS group.

Venkatesh Attuluri
Cisco Employee

When a Policy Service ISE node that has a few active sessions goes down, the endpoints are stuck in an intermediate of its peers from the node group learns about the active sessions on the failed node and issues a CoA to disconnect those sessions. As a result, restarts and the sessions are handled by another Policy Service ISE node that is available. The session failover does not automatically move the sessions over from a Policy Service ISE node that has gone down to one that is available, but issues a CoA to achieve that.

Hi @Venkatesh Attuluri,

I am planning to have my deployment upgraded and I need to minimize the interruption. Technically, the other PSNs will take it over by using CoA, but is it transparent from the user's perspective?

Also, is it true that if I manually change the RADIUS authentication order from my primary PSN to my other PSN in my NAD, the users will be disconnected?

When you reload a PSN, no CoA is sent to the switch. The node goes down silently from the NAD and endpoint perspective. The completed authentication sessions remain as they did while the node was up. New sessions will be sent to the remaining PSNs based on the RADIUS server configuration on the switch (or load balancer).

On the second piece: if you change the RADIUS server order on your switch, it will not reset the authentication sessions. Any authenticated sessions remain untouched; new sessions and accounting updates will leverage the new primary server when the switch goes to send them. Alternatively, if you leave your RADIUS server config untouched and take down the primary node for that switch, the NAD will have to detect that the PSN is down, either via automated tester or RADIUS timeouts.
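The switch-side settings this reply refers to (server order, automated tester, and timeout-based dead detection) look roughly like the following on an IOS-XE access switch. This is an added example, not configuration posted by anyone in the thread; the server and group names, the 192.0.2.x addresses, the probe username, and all timer values are constructed placeholders.

```cisco
! Constructed example: names, addresses and timers are assumptions.
aaa new-model
!
! Each PSN is defined once; the automated tester sends periodic probe
! authentications so the switch notices a dead PSN without waiting for
! a real endpoint to time out.
radius server ISE-PSN1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 automate-tester username radius-probe probe-on
 key <shared-secret>
!
radius server ISE-PSN2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 automate-tester username radius-probe probe-on
 key <shared-secret>
!
! Order inside the group is the order the switch tries the servers in.
! Swapping these two lines changes where new requests and accounting
! updates are sent.
aaa group server radius ISE-PSNS
 server name ISE-PSN1
 server name ISE-PSN2
!
! Timeout-based detection: mark a server dead after 3 unanswered tries
! within 10 seconds, and skip it for 15 minutes before retrying.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
```

`show aaa servers` reports each server's current state (UP or DEAD) before and after a PSN is taken down.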

Hi @Damien Miller,

Thanks for the feedback.

Sorry, but regarding the second concern, has it been tested that if I change the RADIUS server order of my NAD, the authenticated user sessions will not be dropped? I just want to confirm because I have mixed answers roaming around here in the community and even TAC.

Thanks a lot.
