cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
244
Views
5
Helpful
2
Replies

ISE Load Balancing Cutover Impact to existing RADIUS sessions

Arne Bier
VIP Advisor VIP Advisor
VIP Advisor

Hello,

I am planning a load balancer migration, and all the existing load balanced sessions will be lost after the cutover. This also means that after the cutover, the load balancing of RADIUS sessions will very likely not hit the same PSN's as before.

Anyone know what happens when a PSN receives RADIUS traffic for an existing session where the session 'owner' is a different PSN?  i.e. Session is owned by PSN1 but now the RADIUS Accounting Interim-Update flows to PSN2.  Will ISE have an issue with this? 

I suspect that CoA will not be affected by this, because the PSN that currently owns an active session will still own that same session after the load balancer cutover - so the CoA will be sourced from the PSN and is not subject to load balancing. 

Finally, switches that perform a session re-auth - could they be impacted after the load balancer failover? If my understanding is correct, the re-auth will hit the load balancer, and since there are no sessions in the LB, it will have a 50 % chance of hitting PSN1 or PSN2. If it hits the PSN that is NOT currently the session owner, will it be a problem?  Or will the new PSN become the new owner?

 

I hope someone has been through this before and can spare me the potential lab re-create

If anyone has other words of wisdom (e.g. regarding IOS/IOS-XE RADIUS deadtimer settings for such cutovers) please let me know

regards

Arne

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

I've never experienced an impact from this, I've just seen a new authentication occur.

I've had a harder time with accounting, it's still unclear to me how ise handles the accounting packets arriving to different nodes.

But I haven't seen an end user impact. 

View solution in original post

2 Replies 2

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

I've never experienced an impact from this, I've just seen a new authentication occur.

I've had a harder time with accounting, it's still unclear to me how ise handles the accounting packets arriving to different nodes.

But I haven't seen an end user impact. 

Thanks for the real world experience feedback. I didn’t want to overthink it either, but I have to provide a risk and impact assessment prior to the cutover. 
I would like to also know the exact mechanics how how ISE handles session conflicts. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers