<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: F5 breaking EAP-TLS :-  Fragmentation/Reassembly Issue in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/f5-breaking-eap-tls-fragmentation-reassembly-issue/m-p/3481584#M535999</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Please see the following link:&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/discussion/11363426/ise-behind-load-balancer" title="https://supportforums.cisco.com/discussion/11363426/ise-behind-load-balancer"&gt;https://supportforums.cisco.com/discussion/11363426/ise-behind-load-balancer&lt;/A&gt;&lt;/P&gt;&lt;P&gt;"It is not uncommon to see RADIUS load balancing issues with EAP-TLS related to fragmentation. The typical cases are either 1) failure of the load balancer to reassemble large RADIUS packets, for example TLS with larger key sizes, or 2) dropping of fragments by the load balancer that are deemed too small. For the first case, both Cisco ACE and F5 LTM should accommodate automatic reassembly if using the standard LB mechanism for RADIUS. LTM does not reassemble FastL4 by default, but that protocol is normally not used, and the guide does not use that profile for RADIUS. If fragments are too small, for both ACE and LTM you would need to change the default minimum fragment size to accept the exceptionally small fragment for reassembly. This can serve as a workaround, but we recommend finding and eliminating the device causing RADIUS packets to be fragmented below a reasonable size.&lt;/P&gt;&lt;P&gt;Another common issue in load balancing is failure to understand the exact path taken for the entire flow to/from the real servers. Often there is a case where ingress packets take one path but responses take another path. This asymmetry often results in packet drops by the load balancer or another device in the path."&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 24 Feb 2017 19:03:55 GMT</pubDate>
    <dc:creator>howon</dc:creator>
    <dc:date>2017-02-24T19:03:55Z</dc:date>
    <item>
      <title>F5 breaking EAP-TLS :-  Fragmentation/Reassembly Issue</title>
      <link>https://community.cisco.com/t5/network-access-control/f5-breaking-eap-tls-fragmentation-reassembly-issue/m-p/3481583#M535998</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We have an issue where F5 is breaking EAP-TLS and ISE is throwing the error "Endpoint Abandoned EAP session".&lt;/P&gt;&lt;P&gt;From the packet capture and troubleshooting we found that packets with a larger payload, containing the contents of the actual certificate, are being fragmented, and it seems these fragmented packets are hitting the iRule before being reassembled.&lt;/P&gt;&lt;P&gt;A lot of reference has been made in the past to accounting for this reassembly, but we still cannot find a way around it on F5 running the newer 12.1 code.&lt;/P&gt;&lt;P&gt;Has anybody encountered this issue recently and found a way to resolve it?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 24 Feb 2017 17:13:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/f5-breaking-eap-tls-fragmentation-reassembly-issue/m-p/3481583#M535998</guid>
      <dc:creator>umahar</dc:creator>
      <dc:date>2017-02-24T17:13:26Z</dc:date>
    </item>
    <item>
      <title>Re: F5 breaking EAP-TLS :-  Fragmentation/Reassembly Issue</title>
      <link>https://community.cisco.com/t5/network-access-control/f5-breaking-eap-tls-fragmentation-reassembly-issue/m-p/3481584#M535999</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Please see the following link:&lt;/P&gt;&lt;P&gt;&lt;A href="https://supportforums.cisco.com/discussion/11363426/ise-behind-load-balancer" title="https://supportforums.cisco.com/discussion/11363426/ise-behind-load-balancer"&gt;https://supportforums.cisco.com/discussion/11363426/ise-behind-load-balancer&lt;/A&gt;&lt;/P&gt;&lt;P&gt;"It is not uncommon to see RADIUS load balancing issues with EAP-TLS related to fragmentation. The typical cases are either 1) failure of the load balancer to reassemble large RADIUS packets, for example TLS with larger key sizes, or 2) dropping of fragments by the load balancer that are deemed too small. For the first case, both Cisco ACE and F5 LTM should accommodate automatic reassembly if using the standard LB mechanism for RADIUS. LTM does not reassemble FastL4 by default, but that protocol is normally not used, and the guide does not use that profile for RADIUS. If fragments are too small, for both ACE and LTM you would need to change the default minimum fragment size to accept the exceptionally small fragment for reassembly. This can serve as a workaround, but we recommend finding and eliminating the device causing RADIUS packets to be fragmented below a reasonable size.&lt;/P&gt;&lt;P&gt;Another common issue in load balancing is failure to understand the exact path taken for the entire flow to/from the real servers. Often there is a case where ingress packets take one path but responses take another path. This asymmetry often results in packet drops by the load balancer or another device in the path."&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 24 Feb 2017 19:03:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/f5-breaking-eap-tls-fragmentation-reassembly-issue/m-p/3481584#M535999</guid>
      <dc:creator>howon</dc:creator>
      <dc:date>2017-02-24T19:03:55Z</dc:date>
    </item>
  </channel>
</rss>
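The reply above explains the failure in terms of large RADIUS packets carrying EAP-TLS certificate data being IP-fragmented before the load balancer (or its iRule) can see a whole RADIUS packet. The following is an added example, not code from the thread or from Cisco or F5: it builds the two layers of framing an authentication server emits (a TLS flight split into EAP-TLS fragments, each wrapped in RADIUS EAP-Message attributes plus a Message-Authenticator) so you can see at which EAP-TLS fragment size the UDP datagram exceeds a 1500-byte MTU, and it reassembles the flight on the receiving side while detecting a missing fragment. The shared secret, the zeroed Request Authenticator reused across challenges (a real NAS sends a fresh random one in every Access-Request), the 4 KB stand-in for the certificate flight and the fragment sizes tried are all constructed for the example; the fragment size a given ISE release actually uses is not claimed here.

```python
"""
Added example (not from the original thread): RADIUS / EAP-TLS framing and
reassembly, to show when an Access-Challenge carrying a certificate fragment
outgrows the path MTU and gets IP-fragmented.
"""
import hashlib
import hmac
import os
import struct

# EAP / EAP-TLS constants (RFC 3748, RFC 5216)
EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M = 0x80, 0x40

# RADIUS constants (RFC 2865, RFC 3579)
ACCESS_CHALLENGE = 11
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_DATA = 253          # 255-byte attribute minus 2-byte type/length header
IP_UDP_OVERHEAD = 20 + 8     # IPv4 header without options + UDP header


def eap_tls_fragments(tls_data: bytes, frag_size: int, first_id: int = 1) -> list[bytes]:
    """Split one TLS flight into EAP-TLS Request packets of frag_size data bytes.

    First fragment carries the L flag and the 4-byte total TLS length; every
    fragment but the last carries the M (more) flag (RFC 5216 section 3.1).
    """
    chunks = [tls_data[i:i + frag_size] for i in range(0, len(tls_data), frag_size)]
    pkts = []
    for n, chunk in enumerate(chunks):
        flags, body = 0, b""
        if n == 0:
            flags |= FLAG_L
            body += struct.pack("!I", len(tls_data))
        if n < len(chunks) - 1:
            flags |= FLAG_M
        payload = bytes([EAP_TYPE_TLS, flags]) + body + chunk
        pkts.append(struct.pack("!BBH", EAP_REQUEST, (first_id + n) % 256, 4 + len(payload)) + payload)
    return pkts


def radius_access_challenge(eap_pkt: bytes, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Wrap one EAP packet in an Access-Challenge: EAP-Message attributes of at
    most 253 data bytes, Message-Authenticator (HMAC-MD5 with the attribute
    zeroed, RFC 3579 3.2) and the Response Authenticator (RFC 2865 section 3)."""
    attrs = b""
    for i in range(0, len(eap_pkt), MAX_ATTR_DATA):
        chunk = eap_pkt[i:i + MAX_ATTR_DATA]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    ma_offset = len(attrs)
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:ma_offset + 2] + mac + attrs[ma_offset + 18:]
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def needs_ip_fragmentation(radius_pkt: bytes, mtu: int = 1500) -> bool:
    """True when the IPv4/UDP datagram carrying this RADIUS packet exceeds the MTU."""
    return IP_UDP_OVERHEAD + len(radius_pkt) > mtu


def extract_eap(radius_pkt: bytes) -> bytes:
    """Concatenate the EAP-Message attributes of one RADIUS packet, in order."""
    _code, _ident, length = struct.unpack("!BBH", radius_pkt[:4])
    if length != len(radius_pkt):
        raise ValueError("RADIUS Length does not match datagram (truncated or unreassembled?)")
    pos, eap = 20, b""
    while pos < length:
        atype, alen = radius_pkt[pos], radius_pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        if atype == ATTR_EAP_MESSAGE:
            eap += radius_pkt[pos + 2:pos + alen]
        pos += alen
    return eap


def reassemble_tls(eap_pkts: list[bytes]) -> bytes:
    """Reassemble a TLS flight from EAP-TLS fragments, checking M flags and L length."""
    data, declared = b"", None
    for n, pkt in enumerate(eap_pkts):
        _code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("not a well-formed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            declared = struct.unpack("!I", pkt[pos:pos + 4])[0]
            pos += 4
        data += pkt[pos:]
        if bool(flags & FLAG_M) != (n < len(eap_pkts) - 1):
            raise ValueError("M flag disagrees with number of fragments (fragment missing?)")
    if declared is not None and declared != len(data):
        raise ValueError(f"declared TLS length {declared} != reassembled {len(data)}")
    return data


def flight_is_complete(eap_pkts: list[bytes]) -> bool:
    try:
        reassemble_tls(eap_pkts)
        return True
    except ValueError:
        return False


def challenge_sizes(tls_data: bytes, frag_size: int, mtu: int = 1500) -> list[tuple[int, int, bool]]:
    """Per EAP-TLS fragment: (EAP length, RADIUS length, datagram exceeds MTU?)."""
    secret, req_auth = b"constructed-shared-secret", bytes(16)  # constructed values
    rows = []
    for n, eap in enumerate(eap_tls_fragments(tls_data, frag_size)):
        rad = radius_access_challenge(eap, ident=n, request_auth=req_auth, secret=secret)
        rows.append((len(eap), len(rad), needs_ip_fragmentation(rad, mtu)))
    return rows


if __name__ == "__main__":
    cert_flight = os.urandom(4096)  # constructed stand-in for a Certificate flight; only the size matters
    for frag_size in (1500, 1400, 1002):
        summary = ", ".join(f"RADIUS {r}B{' (IP-fragmented)' if f else ''}" for _, r, f in challenge_sizes(cert_flight, frag_size))
        print(f"EAP-TLS fragment size {frag_size}: {summary}")
```

With a 4 KB flight, a 1500-byte EAP-TLS fragment becomes a 1560-byte RADIUS packet (EAP-Message headers plus Message-Authenticator add about 30 bytes, the RADIUS header 20), which with IP and UDP headers no longer fits a 1500-byte MTU; at 1400 bytes the same fragment yields a 1460-byte RADIUS packet that does. In a capture, `extract_eap` failing on a Length mismatch is the symptom of looking at an IP fragment rather than a reassembled datagram, which is what the iRule in the original post was seeing.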

