topic Re: ISE PSN load balancing in Network Access Control

ISE PSN load balancing

donald.heslop1 — Mon, 15 Jun 2020 02:36:09 GMT

Has anyone figured out a way to load balance PSNs behind a F5 load balancer? I looked at some configuration guides and they are all for F5 11.4. I'm using version 13.0 so the direction a not valid from my situation. The main issue I am having is posturing and COA from the PSNs behind the F5. My switch is not getting the COA request from the PSNs even though I have the "correct" SNAT on the F5 so my NADs should be getting COA from the VIP on the F5. Unfortunately that is not happening so after my posture scan completes and the supplicant is compliant the NAD doesn't receive the COA so no re-authentication happens on the port and the device is stuck in my remediation vlan until I force a new scan via anyconnect.

Luckily this is a POC so it not effecting live production. Any help would be greatly appreciated.

Re: ISE PSN load balancing

Damien Miller — Mon, 15 Jun 2020 04:10:24 GMT

I've had customers run ISE behind a range of F5's versions, up to 14.1, with no issues.

Are you not seeing the COA at the NAD at all, or just coming direct from the node and not masked from the VIP IP? Need to determine if it's a F5 issue or if ISE is not sending the COA in the first place.

Re: ISE PSN load balancing

Anurag Sharma — Mon, 15 Jun 2020 11:48:07 GMT

Hi @donald.heslop1 ,

I would urge you to take a look at the following posts:

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

https://community.cisco.com/t5/security-documents/configuring-f5-ltm-for-cisco-ise-load-balancing/ta-p/3642134

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200317-F5-LTM-loadbalancing-Radius-and-HTTP-tra.html

Furthermore, for your problem, try to take capture at every point (ISE, F5, switch) to determine what's happening with the CoA.

Re: ISE PSN load balancing

donald.heslop1 — Mon, 15 Jun 2020 12:03:36 GMT

Anurag,

I used those guides to setup the F5 and that's when I ran into the problem. Right now the NAD keeps flapping between radius server dead and radius server alive

Re: ISE PSN load balancing

donald.heslop1 — Mon, 15 Jun 2020 14:25:44 GMT

Damien,

I create a SNAT rule on the F5 (per documentation) so that the PSNs will be translated to the VIP. Are you doing posturing as well at your customers or just authentication?

Re: ISE PSN load balancing

Anurag Sharma — Mon, 15 Jun 2020 12:09:12 GMT

@donald.heslop1 ,

For the "flapping" issue, please enable the following debug and check the logs where it complains about the 'Timed-Out':

debug radius

term mon

Ideally, you should take packet captures too to identify who's not responding (or responding incorrectly).

Re: ISE PSN load balancing

donald.heslop1 — Mon, 15 Jun 2020 13:00:27 GMT

Anurag,

Here is a packtet capture from my POC from the PSN to the NAD. I see the source port (coming from the PSN behind the F5) is 30026. Shouldn't that be udp 1700?

Re: ISE PSN load balancing

Damien Miller — Mon, 15 Jun 2020 15:15:05 GMT

Source port will be randomly selected, only the destination port will be 1700, so that is correct minus no SNAT.

Re: ISE PSN load balancing

Damien Miller — Mon, 15 Jun 2020 15:19:53 GMT

Yes, I've seen all services be used with F5's including posture.

What has worked well for me is creating a snat pool list with the F5 VIP as the only IP. Then a separate forwarding ip virtual server for each psn referencing the source address of the PSN, and server port 1700. In this you also reference the snat pool list. It correctly masks coa's from the VIP.