ISE Load Balancing Cutover Impact to existing RADIUS sessions

Arne Bier
VIP

Hello,

I am planning a load balancer migration, and all the existing load balanced sessions will be lost after the cutover. This also means that after the cutover, the load balancing of RADIUS sessions will very likely not hit the same PSNs as before.

Anyone know what happens when a PSN receives RADIUS traffic for an existing session where the session 'owner' is a different PSN?  i.e. Session is owned by PSN1 but now the RADIUS Accounting Interim-Update flows to PSN2.  Will ISE have an issue with this? 

I suspect that CoA will not be affected by this, because the PSN that currently owns an active session will still own that same session after the load balancer cutover - so the CoA will be sourced from the PSN and is not subject to load balancing. 

Finally, switches that perform a session re-auth - could they be impacted after the load balancer failover? If my understanding is correct, the re-auth will hit the load balancer, and since there are no sessions in the LB, it will have a 50 % chance of hitting PSN1 or PSN2. If it hits the PSN that is NOT currently the session owner, will it be a problem?  Or will the new PSN become the new owner?

 

I hope someone has been through this before and can spare me the potential lab re-create.

If anyone has other words of wisdom (e.g. regarding IOS/IOS-XE RADIUS deadtimer settings for such cutovers) please let me know.

regards

Arne

Accepted Solutions

Damien Miller
VIP Alumni

I've never experienced an impact from this; I've just seen a new authentication occur.

I've had a harder time with accounting; it's still unclear to me how ISE handles the accounting packets arriving at different nodes.

But I haven't seen an end user impact. 

2 Replies

Thanks for the real-world experience feedback. I didn’t want to overthink it either, but I have to provide a risk and impact assessment prior to the cutover.
I would like to also know the exact mechanics of how ISE handles session conflicts.