https://community.cisco.com/t5/network-access-control/psns-not-registering/m-p/4012763#M521445 <P>Hi</P><P>I have exactly this problem and have followed the guide &gt;&gt; <A href="https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159" target="_blank">https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159</A></P><P>&nbsp;</P><P>Did you ever fix the problem and how?</P><P>I am not 100% on what I am missing</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 16 Jan 2020 15:30:49 GMT Cobhamuser1 2020-01-16T15:30:49Z https://community.cisco.com/t5/network-access-control/psns-not-registering/m-p/3497512#M521443 <HTML><HEAD></HEAD><BODY><P>In a distributed deployment, my PSNs are behind a pair of F5 LTMs configured in active/passive mode. The PSNs can </P><P>ping their gateway, the F5LTM VIP ip address and they can ping the DNS servers. However, they are not able to execute a successful nslookup either of the PAN or any other device in DNS and because of this registration to the PAN fails. The non-loadbalacing virtual servers on the F5 LTM show it passing traffic inbound and outbound without drops. Tcpdumps on the internal and external interfaces of the F5 LTM shows traffic indeed passes through. The DNS server is properly configured for forward and rever e lookups, We are running ISE 2.3 and v13.0 on the F5 LTM. What is preventing the PSNs from presenting a dns query to a dns server to which they have IP connectivity?</P></BODY></HTML> Wed, 20 Sep 2017 00:07:52 GMT https://community.cisco.com/t5/network-access-control/psns-not-registering/m-p/3497512#M521443 david.e.jarvis 2017-09-20T00:07:52Z https://community.cisco.com/t5/network-access-control/psns-not-registering/m-p/3497513#M521444 <HTML><HEAD></HEAD><BODY><P>For starters, be sure to review the guides posted here on how to config F5 LTMs with ISE:</P><P><A href="https://community.cisco.com/docs/DOC-64434">ISE Load Balancing</A></P><P></P><P>The likely scenario is that you have not created an IP forwarding rule to allow the bidirectional DNS traffic, or tried to allow access via a virtual server connection.&nbsp; If try to config as a virtual server, then even for UDP the LTM will treat the outbound request as a session and only allow reply from original target on same port/interface.&nbsp;&nbsp; Often drops are related to asymmetric flows (not taking exact path outbound and inbound through LTM), or more simply did not create a forwarding rule to allow the traffic to pass without inspections.</P><P></P><P>Note that more specific rules will take precedence.&nbsp; As you will see in guides, I am very prescriptive in the ports used, VLANs used, and IP addresses used.&nbsp;&nbsp; Also, if configure an IP forwarding rule <EM>after</EM> other rules, it is possible that the traffic is being persisted by another policy and will not take the desired path/connection until you clear persistence cache or restart LB.</P><P></P><P>/Craig</P></BODY></HTML> Wed, 20 Sep 2017 12:31:39 GMT https://community.cisco.com/t5/network-access-control/psns-not-registering/m-p/3497513#M521444 Craig Hyps 2017-09-20T12:31:39Z https://community.cisco.com/t5/network-access-control/psns-not-registering/m-p/4012763#M521445 <P>Hi</P><P>I have exactly this problem and have followed the guide &gt;&gt; <A href="https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159" target="_blank">https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159</A></P><P>&nbsp;</P><P>Did you ever fix the problem and how?</P><P>I am not 100% on what I am missing</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 16 Jan 2020 15:30:49 GMT https://community.cisco.com/t5/network-access-control/psns-not-registering/m-p/4012763#M521445 Cobhamuser1 2020-01-16T15:30:49Z