Node groups do not enable session failover for sessions other than the ones that are in the process of being authenticated when the node down is detected. Don't expect any kind of replication of sessions between PSNs. A session that is already authenticated and authorized will stay that way until someone pulls the cable or the re-auth timer expires, in which case the switch will detect that the PSN is down and change to the next PSN in your RADIUS group.
When a Policy Service ISE node that has a few active sessions goes down, the endpoints are stuck in an intermediate state. One of its peers from the node group learns about the active sessions on the failed node and issues a CoA to disconnect those sessions. As a result, restarts and the sessions are handled by another Policy Service ISE node that is available. The session failover does not automatically move the sessions over from a Policy Service ISE node that has gone down to one that is available, but issues a CoA to achieve that.
Hi @Venkatesh Attuluri,
I am planning to have my deployment upgraded and I need to minimize the interruption. Technically, the other PSNs will take it over by using CoA, but is it transparent from the user's perspective?
Also, is it true that if I manually change the RADIUS authentication order from my primary PSN to my other PSN in my NAD, the users will be disconnected?
Hi @Damien Miller,
Thanks for the feedback.
Sorry, but regarding the second concern, is it tested that if I change the RADIUS server order of my NAD, the authenticated user sessions will not be dropped? I just want to confirm because I have mixed answers roaming around here in the community and even TAC.
Thanks a lot.