CoA Session Context not found with Citrix Netscaler and ISE

Wacfteiner
Level 1

We have a 7 node deployment which consists of a PA/SA, PM/SM, 3 PSNs. 

ISE 2.7 patch 3

All nodes are size medium in a Nutanix environment

 

We first tried to load-balance our PSNs manually by defining only two PSNs on each switch and mixing them up evenly by device load. This did not prove efficient, so we moved to a Citrix NetScaler for load balancing.

We are consistently seeing CoA Session Context not found errors. I have worked extensively with TAC and collected logs and packet captures at the PSNs. TAC is confident this is an issue with the NetScaler, but this isn't Cisco's preferred NetScaler.

 

Does anyone have some guidance to provide to make sure we are doing this properly?

Accepted Solution

craig.beck
Level 1

The PSN will send a CoA packet from source-port 1700 which needs to be source-NAT'ed through the NetScaler to the VIP address. I suspect the CoA packet is coming from the real PSN address.

 

As an example, if you have 1 RADIUS server defined on the switch because you have 1 VIP, like this:

 

radius server PSN-VIP
 address ipv4 10.10.10.1 auth-port 1812 acct-port 1813
 key presharedkey
!
aaa group server radius RADIUS-VIP
 server name PSN-VIP
!
aaa server radius dynamic-author
 client 10.10.10.1 server-key 0 presharedkey

...you list the VIP address as a dynamic-author client, and CoA should work if you SNAT traffic from the PSNs on port 1700.

 

Can you show us your switch config, please, if it is different to the above?

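To make the accepted answer's point concrete, here is an added example (not code from the thread, from Cisco or from Citrix) that models the switch side of a RADIUS CoA exchange in Python. It shows the three outcomes a practitioner sees in this setup: a CoA-Request arriving from a source address that is not a configured dynamic-author client is silently dropped (the case where the PSN's real address leaks past the NetScaler instead of being SNAT'ed to the VIP), a request from the VIP with a bad shared key or tampered attributes is dropped after the authenticator check, and a request from the VIP for a session the switch does not know is answered with CoA-NAK carrying Error-Cause 503, the "Session Context Not Found" value. Packet layout, attribute numbers and the Error-Cause value follow RFC 5176; the Message-Authenticator is computed with the Request Authenticator and the attribute itself zeroed, as that RFC specifies. Sessions are keyed only on Acct-Session-Id here as a simplification (a real NAD matches on several identifiers), and the addresses, key and session IDs are constructed sample data, with the VIP and key taken from the switch config above.

```python
"""Model of the switch (NAD) side of a RADIUS CoA exchange, RFC 5176 style.

Added illustration for this thread, not code from Cisco, Citrix or the posters.
Assumptions: sessions are keyed only on Acct-Session-Id (a real NAD matches on
several identifiers); Message-Authenticator is computed with the Request
Authenticator and the attribute itself zeroed, as RFC 5176 specifies; all
addresses, keys and session IDs are constructed sample data.
"""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503   # Error-Cause behind "Session Context Not Found"


def encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def decode_attrs(body):
    """Decode TLVs into an ordered list of (type, value); raises on malformed input."""
    pairs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        pairs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return pairs


def build_coa_request(secret, ident, pairs):
    """What the PSN sends from UDP 1700: CoA-Request with Message-Authenticator
    and Request Authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    zeroed = encode_attrs(list(pairs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    hdr = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(zeroed))
    ma = hmac.new(secret, hdr + b"\x00" * 16 + zeroed, hashlib.md5).digest()
    body = encode_attrs(list(pairs) + [(ATTR_MESSAGE_AUTHENTICATOR, ma)])
    req_auth = hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()
    return hdr + req_auth + body


def verify_request(packet, secret):
    """Check both authenticators against the key configured for the source address."""
    hdr, req_auth, body = packet[:4], packet[4:20], packet[20:]
    pairs = decode_attrs(body)
    got_ma = dict(pairs).get(ATTR_MESSAGE_AUTHENTICATOR)
    if got_ma is None or len(got_ma) != 16:
        return False
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in pairs])
    want_ma = hmac.new(secret, hdr + b"\x00" * 16 + zeroed, hashlib.md5).digest()
    want_ra = hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(want_ma, got_ma) and hmac.compare_digest(want_ra, req_auth)


def build_response(code, ident, req_auth, secret, pairs):
    """CoA-ACK/NAK: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = encode_attrs(pairs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body


def handle_coa(packet, src_ip, dynamic_author_clients, active_sessions):
    """Switch side. Returns (verdict, detail, reply bytes or None)."""
    secret = dynamic_author_clients.get(src_ip)
    if secret is None:
        # No 'aaa server radius dynamic-author' client for this source: dropped, no reply.
        return ("dropped", "no dynamic-author client for %s" % src_ip, None)
    try:
        code, ident, length = struct.unpack("!BBH", packet[:4])
        ok = code == COA_REQUEST and length == len(packet) and verify_request(packet, secret)
    except (struct.error, ValueError):
        ok = False
    if not ok:
        return ("dropped", "bad packet or authenticator mismatch", None)
    req_auth = packet[4:20]
    sid = dict(decode_attrs(packet[20:])).get(ATTR_ACCT_SESSION_ID)
    if sid not in active_sessions:
        nak = build_response(COA_NAK, ident, req_auth, secret,
                             [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))])
        return ("coa-nak", ERR_SESSION_CONTEXT_NOT_FOUND, nak)
    return ("coa-ack", None, build_response(COA_ACK, ident, req_auth, secret, []))


# Constructed scenario: the switch config in the thread lists only the VIP as a client.
VIP, PSN_REAL = "10.10.10.1", "10.10.20.11"   # PSN_REAL is a made-up real-server address
SECRET = b"presharedkey"
CLIENTS = {VIP: SECRET}          # 'client 10.10.10.1 server-key 0 presharedkey'
SESSIONS = {b"0000001F"}         # Acct-Session-Id of one live endpoint session


def scenario(src_ip, session_id, key=SECRET):
    req = build_coa_request(key, 7, [(ATTR_ACCT_SESSION_ID, session_id)])
    return handle_coa(req, src_ip, CLIENTS, SESSIONS)


if __name__ == "__main__":
    for src, sid in ((PSN_REAL, b"0000001F"), (VIP, b"0000001F"), (VIP, b"DEADBEEF")):
        verdict, detail, _ = scenario(src, sid)
        print(src, sid.decode(), "->", verdict, detail)
```

The first case is the one the accepted answer describes: without SNAT the switch never sees the VIP as the source, so the CoA is dropped before any session lookup and the PSN sees no CoA-ACK or CoA-NAK at all. Only once the source is a configured client does the session lookup (and a possible 503 NAK) come into play, which is why checking the source address in the PSN-side packet capture is the first thing to do.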