KB44507 - Why does Cluster Setup (A/P or A/A) Not Cache Pulse Client Tunnel IP Address for 24 hours?


Information

Last Modified Date: 6/19/2020 2:18 AM
Synopsis

Why does Cluster Setup (A/P or A/A) Not Cache Pulse Client Tunnel IP Address for 24 hours?

This article explains why a cluster setup (A/P or A/A) does not cache the Pulse Client tunnel IP address for 24 hours, and how tunnel IP caching works in a clustering environment.

Problem or Goal
This is applicable only if the following conditions are met:
  • Pulse Connect Secure (PCS) configured in cluster setup (A/P or A/A)
  • DHCP server or manual IP pool
Cause
All user session details (i.e., IP address, username, user bookmarks, etc.) are cached on the local node's authentication server of the Pulse Connect Secure (PCS).
To view the cached user details, go to Authentication > Auth. Server > select the auth server > Users.

A user who logs in to a PCS cluster is a local user of the node that handled the login. Through the session synchronization settings, user sessions can be synced from the local node to the non-local nodes.
To view the session synchronization settings, go to System > Clustering > Cluster Properties > Synchronization Settings.

Once the user logs out of an active session, the non-local node deletes the user session after approximately 15 minutes. The following log entry is displayed on the non-local node:

User Accounts modified. Removed username xxxx from authentication server.

To view the log entry, go to Logs/Monitoring > Admin Access Log.

Since the PCS is configured in a cluster, data is synced between the nodes. That synchronization causes the logged-out user's session to be deleted on the local node as well. When a new user logs in, that user is assigned the same IP address the logged-out user had. This behavior is expected and works as designed in a cluster (A/P or A/A) environment only. In a standalone setup, the IP address is cached for 24 hours.

Example: Consider the scenario where User1 connects to node1 and disconnects, and 15 minutes later User2 connects to node1.

  1. User1 connects to node1.
  2. User1 is assigned an IP address from the configured IP pool/DHCP server.
  3. Session synchronization is enabled by default when the cluster is created, so node1 syncs the session (i.e., IP address, username, etc.) to node2.
  4. User1 logs out of the session.
  5. An internal clean-up script clears the non-local user cache on node2 within approximately 15 minutes.
  6. Once the clean-up script has run, the following log entry appears in the admin access log of node2:

"User Accounts modified. Removed username xxxx from authentication server."

  7. Through cluster data synchronization, the deletion of User1's details is synced to node1.
  8. When the new user User2 logs in to node1 or node2, User2 is assigned the same IP address, since the cached details were deleted.
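The walkthrough above can be traced in a small simulation. The following is an added example, not Pulse Connect Secure code: it models only what this article states (a 24-hour cache on a standalone node, a clean-up script on the non-local cluster node after roughly 15 minutes, and sync of the deletion back to the local node) and shows why User2 receives User1's tunnel IP in the cluster case but not in the standalone case. The pool addresses, usernames, timings and the first-free-address allocation rule are constructed assumptions for the example.

```python
"""Simplified model of Pulse Client tunnel IP caching, after KB44507.

Added illustration, not PCS code. It models only what the KB states:
  * standalone node: a logged-out user's tunnel IP stays cached for 24 hours;
  * cluster with session synchronization: the non-local node's clean-up
    script removes the user after ~15 minutes, the removal syncs back to the
    local node, and the IP is free for the next user.
Pool addresses, usernames, timings and the allocation rule are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address

STANDALONE_CACHE_SECONDS = 24 * 3600   # KB: standalone caches the IP for 24 h
CLUSTER_CLEANUP_SECONDS = 15 * 60      # KB: ~15 min on the non-local node


@dataclass
class Node:
    name: str
    pool: list
    # username -> (tunnel IP, logout time; None while the session is active)
    cache: dict = field(default_factory=dict)
    local_users: set = field(default_factory=set)   # sessions authenticated here
    admin_log: list = field(default_factory=list)   # Admin Access Log lines

    def login(self, user: str) -> IPv4Address:
        """Reuse the user's cached IP if present, else hand out the first free one."""
        if user in self.cache:
            ip = self.cache[user][0]
        else:
            in_use = {ip for ip, _ in self.cache.values()}
            ip = next(ip for ip in self.pool if ip not in in_use)
        self.cache[user] = (ip, None)
        self.local_users.add(user)
        return ip

    def logout(self, user: str, now: float) -> None:
        self.cache[user] = (self.cache[user][0], now)

    def expire_standalone(self, now: float) -> None:
        """Standalone node: cached entries age out only after 24 hours."""
        for user, (_, t) in list(self.cache.items()):
            if t is not None and now - t >= STANDALONE_CACHE_SECONDS:
                del self.cache[user]

    def cleanup_non_local(self, now: float) -> list:
        """Cluster clean-up script: drop non-local users logged out >= 15 min ago."""
        removed = []
        for user, (_, t) in list(self.cache.items()):
            if (user not in self.local_users and t is not None
                    and now - t >= CLUSTER_CLEANUP_SECONDS):
                del self.cache[user]
                self.admin_log.append(
                    f"User Accounts modified. Removed username {user} "
                    "from authentication server.")
                removed.append(user)
        return removed


def sync(nodes: list, removed: list) -> None:
    """Cluster data sync: replicate each node's local sessions, then propagate removals."""
    for src in nodes:
        for dst in nodes:
            if dst is not src:
                for user in src.local_users:
                    if user in src.cache:
                        dst.cache[user] = src.cache[user]
    for node in nodes:
        for user in removed:
            node.cache.pop(user, None)


def simulate_cluster() -> tuple:
    """Returns (User1 IP, User2 IP, node2 admin log) for the A/A or A/P case."""
    pool = [ip_address(f"10.0.0.{i}") for i in range(1, 11)]   # constructed pool
    node1, node2 = Node("node1", list(pool)), Node("node2", list(pool))
    nodes = [node1, node2]
    ip1 = node1.login("user1")                     # t = 0
    sync(nodes, [])                                # session replicated to node2
    node1.logout("user1", now=60)
    sync(nodes, [])
    removed = node2.cleanup_non_local(now=60 + CLUSTER_CLEANUP_SECONDS)
    sync(nodes, removed)                           # deletion synced back to node1
    ip2 = node1.login("user2")                     # user1 no longer cached: same IP
    return ip1, ip2, node2.admin_log


def simulate_standalone() -> tuple:
    """Returns (User1 IP, User2 IP) for a standalone node at the same point in time."""
    pool = [ip_address(f"10.0.0.{i}") for i in range(1, 11)]   # constructed pool
    node = Node("node1", pool)
    ip1 = node.login("user1")
    node.logout("user1", now=60)
    node.expire_standalone(now=60 + CLUSTER_CLEANUP_SECONDS)   # well inside 24 h
    ip2 = node.login("user2")                                  # user1 still cached
    return ip1, ip2


if __name__ == "__main__":
    print("cluster:   ", simulate_cluster())
    print("standalone:", simulate_standalone())
```

Running the file prints the two outcomes side by side: in the cluster case User2 receives 10.0.0.1, the address User1 had, and node2's admin log carries the "Removed username" entry from the article; in the standalone case User1's entry is still cached, so User2 receives 10.0.0.2.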
 
Solution
To work around this expected cluster behavior, change the cluster type from 'Synchronize user sessions' to 'Configuration-only cluster':
 
  1. Navigate to System > Clustering > Cluster Properties
  2. Enable Configuration-only cluster
  3. Assign static IP addresses using LDAP attributes; refer to KB12536.
 
Note: After changing to a configuration-only cluster, sessions will no longer be synced. During failover, users will need to re-authenticate.
An enhancement request, CSC-I-749 (Support tunnel IP caching for cluster setup), has been created. This KB will be updated once this feature is implemented in a release.

Created By: Habeebullah S
