I am planning a load balancer migration, and all the existing load balanced sessions will be lost after the cutover. This also means that after the cutover, the load balancing of RADIUS sessions will very likely not hit the same PSNs as before.
Anyone know what happens when a PSN receives RADIUS traffic for an existing session where the session 'owner' is a different PSN? i.e. Session is owned by PSN1 but now the RADIUS Accounting Interim-Update flows to PSN2. Will ISE have an issue with this?
I suspect that CoA will not be affected by this, because the PSN that currently owns an active session will still own that same session after the load balancer cutover - so the CoA will be sourced from the PSN and is not subject to load balancing.
Finally, switches that perform a session re-auth - could they be impacted after the load balancer failover? If my understanding is correct, the re-auth will hit the load balancer, and since there are no sessions in the LB, it will have a 50% chance of hitting PSN1 or PSN2. If it hits the PSN that is NOT currently the session owner, will it be a problem? Or will the new PSN become the new owner?
I hope someone has been through this before and can spare me the potential lab re-create.
If anyone has other words of wisdom (e.g. regarding IOS/IOS-XE RADIUS deadtimer settings for such cutovers) please let me know.
Thanks for the real world experience feedback. I didn’t want to overthink it either, but I have to provide a risk and impact assessment prior to the cutover. I would like to also know the exact mechanics of how ISE handles session conflicts.