https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3944950#M530032 <P>Thanks&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;. I was discussing this with&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/320219">@Damien Miller</a>&nbsp;just today and his lab setup settings seem to work correctly. I'll try to match what he has and post an update on what I find.&nbsp;</P> Mon, 21 Oct 2019 23:47:44 GMT Rahul Govindan 2019-10-21T23:47:44Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603076#M529994 <HTML><HEAD></HEAD><BODY><P>I am trying to setup a f5 configuration for ise services following the guide : "How To: Cisco &amp; F5 Deployment Guide: ISE Load Balancing Using BIG-IP"</P><P>I am actually facing an issue with Coa. I configured an outbound snat vip on udp port 1700 as suggested in your guide.</P><P>When One of PSN mode sends coa request, this is snatted correctly with vip address from the f5. The wlc, in my case, responds with a coa reply but f5, instead of forwarding the reply to PSN node, sends back and ICMP PORT UNREACHABLE to the wlc. So on ise logs the coa is marked As failed.</P><P>Have you any suggestions about how ti solve the issue?</P><P></P><P>Thank you in Advance for the support.</P><P></P><P>Simone</P></BODY></HTML> Thu, 27 Apr 2017 12:22:51 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603076#M529994 eni-co24192 2017-04-27T12:22:51Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603077#M530005 <HTML><HEAD></HEAD><BODY><P>Can you post a screen shot of your CoA SNAT VIP?</P></BODY></HTML> Thu, 27 Apr 2017 14:12:35 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603077#M530005 paul 2017-04-27T14:12:35Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603078#M530016 <HTML><HEAD></HEAD><BODY><P>Hi Paul,</P><P>here the config :</P><P></P><P>ltm snatpool /Common/ise_radius_coa_wifi_snatpool {</P><P> members {</P><P> /Common/10.103.195.206</P><P> }</P><P>}</P><P></P><P>ltm virtual /Common/ise_radius_coa_wifi {</P><P> destination /Common/0.0.0.0:1700</P><P> ip-protocol udp</P><P> mask any</P><P> profiles {</P><P> /Common/udp { }</P><P> }</P><P> source 10.102.179.248/29</P><P> source-address-translation {</P><P> pool /Common/ise_radius_coa_wifi_snatpool</P><P> type snat</P><P> }</P><P> translate-address disabled</P><P> translate-port enabled</P><P> vlans {</P><P> /Common/Ise_PSN_2653</P><P> }</P><P> vlans-enabled</P><P>}</P></BODY></HTML> Fri, 28 Apr 2017 07:20:28 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603078#M530016 eni-co24192 2017-04-28T07:20:28Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603079#M530019 <HTML><HEAD></HEAD><BODY><P>Check the source IP in the WLC's CoA response.&nbsp; Make sure it is the same as target IP in CoA request coming from PSN.&nbsp; There are settings in WLC to set the RADIUS interface which can override default interfaces--somewhat akin to the source-interface option in wired switches.&nbsp; If the response is not the same as that in target CoA request, then LTM will not see reply as part of existing flow.&nbsp; A similar message will be triggered by WLC when Direct Server Return is attempted on LB whereby the RADIUS reply comes from a different IP (real RADIUS server IP) rather than VIP.</P><P></P><P>/Craig</P></BODY></HTML> Fri, 28 Apr 2017 13:33:09 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603079#M530019 Craig Hyps 2017-04-28T13:33:09Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603080#M530023 <HTML><HEAD></HEAD><BODY><P>Below the dump wlc side :</P><P></P><P>10.103.195.206 VIP F5</P><P>10.129.127.254 WLC</P><P></P><P></P><P></P><P></P><P>Below the ISE SIDE</P><P></P><P></P><P>As you see not default interface overide nor the Direct Server Return occurs.</P></BODY></HTML> Fri, 28 Apr 2017 15:35:29 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603080#M530023 eni-co24192 2017-04-28T15:35:29Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603081#M530027 <HTML><HEAD></HEAD><BODY><P>Hi Simone.&nbsp;&nbsp; Did you resolve this issue?&nbsp; I ran into the same thing today.</P><P>I can see from the F5 tcpdump that the CoA is coming from the WLC IP address (correct), but the F5 just ignores it.&nbsp; It's just the CoA-ACK that doesn't make it back to the PSN.</P><P></P><P>Your previous posting mentions some dump - but I don't see it in your posting.</P></BODY></HTML> Fri, 21 Jul 2017 04:10:36 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603081#M530027 Arne Bier 2017-07-21T04:10:36Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603082#M530029 <HTML><HEAD></HEAD><BODY><P>Verify that the source/dest IP that exists F5 is same as those in return packet (in reverse order, of course).&nbsp; Also verify that the session timer is &gt; 0 and long enough to account for delays in CoA Ack response.&nbsp; Although UDP is not flow-based, the LTM tracks session flows and will drop packet if it does not see the response as part of a valid outbound connection from PSN in time allotted.</P><P></P><P>/Craig</P></BODY></HTML> Mon, 24 Jul 2017 14:24:29 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3603082#M530029 Craig Hyps 2017-07-24T14:24:29Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3944653#M530030 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;Did you ever figure this out? I am running into the same thing in 2019 with all the latest ISE, F5 and WLC versions. Wondering if you ever got an answer to this?&nbsp;</P> Mon, 21 Oct 2019 15:04:40 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3944653#M530030 Rahul Govindan 2019-10-21T15:04:40Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3944935#M530031 <P>Hi Rahul</P> <P>&nbsp;</P> <P>honest answer ... this was a while back and I cannot remember what happened in the end. I have moved off of that project and it was resolved - I just cannot remember what the fix was.</P> <P>Perhaps it was related to an iRule that was not scripted correctly. I think the COA-ACK looked like new traffic to the Virtual Server, and it didn't know what to do with it (the iRule was perhaps not expecting UDP/1700 ). It was beyond my understanding of the F5.&nbsp;</P> <P>Sorry <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> Mon, 21 Oct 2019 22:43:14 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3944935#M530031 Arne Bier 2019-10-21T22:43:14Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3944950#M530032 <P>Thanks&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;. I was discussing this with&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/320219">@Damien Miller</a>&nbsp;just today and his lab setup settings seem to work correctly. I'll try to match what he has and post an update on what I find.&nbsp;</P> Mon, 21 Oct 2019 23:47:44 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/3944950#M530032 Rahul Govindan 2019-10-21T23:47:44Z https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/5167277#M591498 <P>Anyone able to resolve this ? Having same issue in 2024 <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 28 Aug 2024 18:25:56 GMT https://community.cisco.com/t5/network-access-control/f5-ise-coa-issue/m-p/5167277#M591498 vishnu varthan 2024-08-28T18:25:56Z