11-12-2019 07:54 AM
Hi
I'm looking to deploy TrustSec to a number of 3650 stacks running 16.6.6.
The production ISE PSNs are behind a Netscaler MPX. I tested my config with a dev ISE box that wasn't loadbalanced and all looked to be ok.
When I tried to provision cts pac with the loadbalanced ISE, I was getting the following errors in the ISE logs.
11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Some threads on the forum suggested this could be a loadbalancer persistence issue - I changed a switch to use a PSN IP address rather than the loadbalanced VIP and sure enough cts provisioning worked and the switch could download the cts environment data.
The loadbalanced production ISE VIP has the following rule for persistence with no backup method specified:
CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(8)
What backup persistence method should be used to facilitate cts pac provisioning through the loadbalancer?
Thanks
Andy
11-12-2019 08:06 AM
11-12-2019 08:16 AM
Thanks a lot Damien - sometimes I'm too quick to post on the forum rather than search it!
I had changed the backup persistence to source IP and pac provisioning worked ok through the loadbalancer. I'll look at implementing your single rule for this.
Thanks again
Andy
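
An added illustration of the persistence behaviour discussed in this thread (not code from any poster, Cisco or Citrix): it models a VIP that keys persistence on RADIUS attributes 31 and 8, and shows a multi-packet exchange that carries neither attribute being split across PSNs, which matches the 12953 symptom, unless source IP is the backup key. That the PAC provisioning requests lack both attributes, the round-robin choice when no key exists, and all names, addresses and packet contents are assumptions constructed for the example.

```python
import struct
from itertools import cycle

CALLING_STATION_ID, FRAMED_IP = 31, 8  # the two attributes named in the VIP rule

def radius_packet(ident, attrs):
    """Build a minimal Access-Request (code 1) from {type: value bytes}."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_attrs(pkt):
    """Walk the type/length/value attributes after the 20-byte RADIUS header."""
    length = struct.unpack("!H", pkt[2:4])[0]
    attrs, i = {}, 20
    while i + 2 <= length:
        t, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > length:
            raise ValueError("malformed attribute")
        attrs[t] = pkt[i + 2:i + ln]
        i += ln
    return attrs

def persistence_key(pkt, src_ip, backup_source_ip):
    """Key on attr 31 + attr 8; fall back to source IP only if a backup is set."""
    a = parse_attrs(pkt)
    key = a.get(CALLING_STATION_ID, b"") + a.get(FRAMED_IP, b"")
    if key:
        return ("attr", key)
    return ("srcip", src_ip) if backup_source_ip else None

def balance(packets, psns, backup_source_ip):
    """Return the PSN picked for each (src_ip, packet) in arrival order."""
    table, rr, chosen = {}, cycle(psns), []
    for src_ip, pkt in packets:
        key = persistence_key(pkt, src_ip, backup_source_ip)
        if key is None:
            chosen.append(next(rr))  # assumption: no key means no stickiness
            continue
        if key not in table:
            table[key] = next(rr)
        chosen.append(table[key])
    return chosen

# Constructed sample traffic: User-Name (1) + EAP-Message (79), no attr 31 or 8.
PAC_EXCHANGE = [("10.0.0.5", radius_packet(n, {1: b"switch01", 79: bytes([2, n, 0, 4])})) for n in range(3)]
# Constructed endpoint authentication that does carry Calling-Station-Id (31).
DOT1X_EXCHANGE = [("10.0.0.5", radius_packet(n, {1: b"alice", 31: b"AA-BB-CC-DD-EE-FF"})) for n in range(3)]

if __name__ == "__main__":
    print("no backup     :", balance(PAC_EXCHANGE, ["psn1", "psn2"], False))
    print("source-IP back:", balance(PAC_EXCHANGE, ["psn1", "psn2"], True))
```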