Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
385
Views
0
Helpful
2
Replies

ISE LoadBalancer Failover and the loss of persistence sessions

andrewswanson
Level 7
Level 7

‎10-20-2016 03:44 AM - edited ‎03-11-2019 12:10 AM

Hello

I'm working on a Netscaler and ISE deployment. Netscalers are pair of MPX 8200s running NS10.5: Build 61.11.nc. Netscalers are in HA mode (one is active and the other is standby)

The RADIUS authentication/accounting VIPs (protocol type RADIUS) use a rule for persistence (based on Calling-Station-Id and Framed-IP-Address):

"CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(8)"

With the possibility of a Netscaler failover event I was looking to make this stateful for the RADIUS VIPs (persistence session synced between the HA pair).

According to Netscaler documentation below this isn't possible when using protocol type RADIUS

https://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-protect-configuration/connection-failover.html

In the event of a Netscaler failover event it looks like persistence sessions will be lost for the RADIUS VIPs. What will be the impact be on clients and ISE in this scenario?

Thanks
Andy

Labels:
0 Helpful
2 Replies 2

andrewswanson
Level 7
Level 7

‎10-20-2016 06:29 AM

I've checked on the Citrix forums for options loadbalancing RADIUS in an HA environment with stateful connection failover:


Option 1 - Use VIP with protocol type RADIUS

  • peristence based on calling-station-id and framed-ip-address
  • traffic to PSNs loadbalanced based on individual client mac address and IP Address
  • persistence is not stateful during connection failover

Option 2 - Use VIP with protocol type UDP

  • peristence based on Source IP Address
  • traffic to PSNs loadbalanced based on NAD IP Address
  • persistence is stateful during connection failover


The ISE deployment will be for wired in the first instance (wireless added later). The NADs vary from a single 48 port switch (with few clients) to stacked 8x 48 port switch (with 100s of clients) so option 1 sounds better for evenly distributing RADIUS requests between the PSNs.

The only issue with option 1 is the loss of persistence sessions in the event of a failover.

Any advice/insight welcome.

Thanks
Andy

0 Helpful

andrewswanson
Level 7
Level 7
In response to andrewswanson

‎10-20-2016 01:00 PM

Got answer for this on Citrix forum - I was confusing persistence with stateful connection failover. Persistence sessions are maintained in a HA Netscaler setup.

Cheers

Andy

https://discussions.citrix.com/topic/382031-stateful-connection-failover-for-radius-protocol-vips/

0 Helpful
Customers Also Viewed These Support Documents