I wanted to share a recent experience that I encountered. I had an outage with a primary PSN that clients are set up to use for posture assessment prior to gaining full VPN access to their respective network. The outage consisted of already-postured compliant clients with an established and working VPN session immediately dropping off the VPN due to the original PSN going down. Luckily, users were able to reconnect via AnyConnect and begin the process over again (CAC auth against the ASA, authz via ISE and AD, and of course posture assessment) against a secondary PSN.
ISE cluster version 2.4p9. PSNs are configured in node groups; per TAC, if any of the PSNs in the node group becomes unreachable, the other nodes in the group send a CoA to reset sessions that were already authenticated and in the compliant state via the failed PSN. Hence clients were dropping after the original PSN failure. Known fixed releases include:
2.7.0.356-Patch2
2.6.0.156-Patch7
2.4.0.357-Patch12
For more detail see: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj47301
HTH anyone with a similar config/setup!