Jump to content
Welcome to our new Citrix community!

ADC 12.1: Losing persistence settings for Radius - unexpected.

Henrik Frisk

Recommended Posts

Hi Citrix.
I have upgraded a VPX HA-setup to version 12.1 Build 60.19 for a customer. Afterwards, we are experiencing a problem with losing persistence settings.
The two VPX's load-balance Radius-traffic to Cisco ISE.


I'm not sure what exactly triggers the fault but what I experience is that my config regarding persistence should look like this:

bind lb group pg_ISE-eap-sticky ISE-LB-auth
bind lb group pg_ISE-eap-sticky ISE-LB-acct
set lb group pg_ISE-eap-sticky -persistenceType RULE -timeout 120 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)"


But something triggers to config to end up like this:
bind lb group pg_ISE-eap-sticky ISE-LB-auth
bind lb group pg_ISE-eap-sticky ISE-LB-acct
set lb group pg_ISE-eap-sticky


So the rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" disappears at some point.


The customer has been through an upgrade of their VMware environment, So my first thought was that it happened when rebooting the secondary instance, and maybe the conf was somehow validated. But it has also lost the persistence without being rebooted. 


Is it because the persistence is configured as a kind of legacy method? (We upgrade from 11.0 Build 70.12 via a 12.0 version).


Someone who has experience with this?




Link to comment
Share on other sites

So you're saying when you apply the config it seems to ignore the persistence settings and they are just missing from the config? 


I just created a dummy group with the same settings. If I go back in via the GUI the settings are there. I can also see it in the ns.conf file.




That NS is running 13.0 76.26.


Link to comment
Share on other sites

Thanks for your answer. :-)

When I config the persistence there's no problem. It works and it appears both in CLI and the GUI. (And I of course save the config). 


In this scenario the customer has been upgrading their VMware-environment so we have moved primary/ secondary back and forth a few times. Rebooted secondary VPX and done failovers. 
But at some point, the persistence is gone and the users get auth. failures since the persistence are gone to the ISE-servers.


In the config this line:
add lb group pg_ISE-eap-sticky -persistenceType RULE -timeout 120 -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)"


... turns into this instead:
add lb group pg_ISE-eap-sticky


So I insert the persistence setting again - save the config. But something can trigger it to lose it again.

It has now happened several times on 12.1 Build 60.19.

Link to comment
Share on other sites

I have seen an example where a policy expression is used:


add policy expression FramedIP_CallingStationID "CLIENT.UDP.RADIUS.ATTR_TYPE(8)+CLIENT.UDP.RADIUS.ATTR_TYPE(31)"


add lb vserver isepsn_radius-acct RADIUS 1813 -rule FramedIP_CallingStationID -cltTimeout 120
add lb vserver isepsn_radius-auth RADIUS 1812 -rule FramedIP_CallingStationID -cltTimeout 120

set lb group isepsn-pg -persistenceType RULE -rule FramedIP_CallingStationID


Could it be a better way to basically do the same? Perhaps more compatible with version 12.1 ?

Link to comment
Share on other sites

A couple of the early 12.1 builds had multiple gui bugs; don't know if this one is affected or not (wasn't noted in release notes that I saw).

If you set it through the CLI it should be retained, but if it is a GUI bug, then editing in the GUI may overwrite the setting and cause the issue to recur.  In that case, support would be needed.


Also can you get to the same attribute using the Radius.<expr> instead of Client.udp.radius as the radius object is newer and if its just a legacy vs. new syntax, the new *might* be preserved.





Link to comment
Share on other sites

  • 10 months later...

This is definitely an issue. I  also lost this persistence rule for a group at some point during an upgrade.  I have confirmed the latest 12.1 code i no longer have the persistence rule in the group,   I looked at some old saved config files and it's there.  Some upgrade between and the latest 12.1 has removed the rule.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...