11-25-2019 04:30 AM
Hi
I have ISE PSNs loadbalanced with a Citrix MPX - there are 2 VIPs (same IP) for RADIUS authentication and accounting. These VIPs have the same persistence rules (calling-id with a backup of nas-ip).
I've noticed the following syslog messages in ISE RADIUS accounting for some clients:
Audit session was not found
Accounting start was received for non-existing session
I thought this may have something to do with some clients authenticating against one psn and the accounting traffic being sent to another. I confirmed this by modifying a NAD switch to use a particular PSN IP rather than the loadbalanced VIP for RADIUS. With this config in place, there were no more syslogs like the ones above.
I'm looking at the netscaler documentation below to share persistent sessions between the 2 RADIUS auth/acct VIPs so that a client's auth/acct traffic always hits the same psn for both services.
Has anyone else come across this issue and, if so, am I on the right track?
Thanks
Andy
11-26-2019 02:20 AM
"Persistency Groups" on the Netscaler look to be the equivalent of F5's "match across services" (used in cisco's ISE and F5 documentation) for persistence sharing between VIPs.
I tested this on the Netscaler by:
This seems to have solved the issue and now RADIUS authentication and accounting traffic are sent to the same psn for a given Calling-Station-Id.
Cheers
Andy
PS: to check the persistency group is working as expected on the Netscaler I used the command "show lb persistentSessions <NAME_OF_PERSISTENCY_GROUP>" - this displays the Calling-Station-Ids and the mapped psn used for both RADIUS authentication and accounting.
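An added example, not part of the posts above: a log-side check for the split described in the thread, flagging every Accounting-Start that reached a different PSN than the most recent Access-Request for the same Calling-Station-Id. The CSV layout, field names and PSN names are constructed for illustration and are not an ISE or Netscaler export format.

```python
import csv
import io
import re

# Constructed sample records: time, PSN that received the packet, RADIUS
# packet type, Calling-Station-Id exactly as the NAD sent it.
SAMPLE = """\
ts,psn,packet,calling_station_id
100,psn1,Access-Request,AA-BB-CC-00-00-01
101,psn2,Accounting-Start,aabb.cc00.0001
110,psn2,Access-Request,AA:BB:CC:00:00:02
111,psn2,Accounting-Start,AA-BB-CC-00-00-02
120,psn1,Accounting-Start,AA-BB-CC-00-00-03
130,psn1,Access-Request,AA-BB-CC-00-00-04
140,psn2,Access-Request,AA-BB-CC-00-00-04
141,psn2,Accounting-Start,AA-BB-CC-00-00-04
"""

def norm_mac(value):
    """Reduce any common MAC notation to 12 lowercase hex digits so that
    the same client matches across differently formatted records."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return digits if len(digits) == 12 else value.strip().lower()

def find_split_sessions(text):
    """Return (mac, acct_psn, auth_psn, ts) for each Accounting-Start that
    reached a PSN other than the one that saw the latest prior auth.
    auth_psn is None when no auth was seen at all, which can also mean the
    auth simply predates the log window."""
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: int(r["ts"]))
    last_auth = {}                      # mac -> PSN of most recent Access-Request
    findings = []
    for r in rows:
        mac, ts = norm_mac(r["calling_station_id"]), int(r["ts"])
        if r["packet"] == "Access-Request":
            last_auth[mac] = r["psn"]   # a re-auth moves the session's home PSN
        elif r["packet"] == "Accounting-Start":
            auth_psn = last_auth.get(mac)
            if auth_psn != r["psn"]:
                findings.append((mac, r["psn"], auth_psn, ts))
    return findings

if __name__ == "__main__":
    for mac, acct_psn, auth_psn, ts in find_split_sessions(SAMPLE):
        print(f"{ts}: {mac} accounting on {acct_psn}, auth on {auth_psn or 'none seen'}")
```

With persistence shared between the two VIPs, the same check run over records collected after the change should return an empty list for clients that authenticated inside the log window.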