F5 LB and MTU - ISE Roadmap

brewagne
Cisco Employee

Using F5 load balancers. Running into the issue with fragmented packets. Changing the MTU size to 64.

Adjusting the F5 Min Fragment size to 64 to accommodate the ISE fragmented packets on the F5.  That said… Engineering is nervous future software on switches or routers could change the size of fragmenting packets in the future and break this fix. 

  1. Are there any plans/roadmap to have ISE use TCP?
  2. Are there any plans/roadmap to have support for switches adjusting their MTU on a VLAN the source of ISE packets might originate from (not currently supported)?
  3. Are there any plans/roadmap to have ISE packets source from a loopback that you could adjust the MTU on (not currently supported)?
  4. Any other possible solutions for ISE/switches on a roadmap that would help resolve the issue of double fragmentation with overlay networks?

Any help would be greatly appreciated.

Thanks!


4 Replies

paul
Level 10

I have done this fix on probably 3-4 customers and haven't seen any issues. This is a known issue with the F5s. I honestly look at this as an F5 issue. The UDP fragments are legal-size packets that the F5 should handle.

Craig Hyps
Level 10

I cover LB fragmentation in BRKSEC-3699 posted to CiscoLive.com: On-Demand Library - Cisco Live Global Events

Note that ISE is NOT the reason the packets are getting fragmented to these lower sizes, but some intermediate device in the packet path. Address the source of the fragmentation and you can revert the lower fragment size on the LB.

No current plans to implement loopback or DSR (Direct Server Return) in ISE.

As Paul noted, this is not an ISE problem, and not really an F5 problem, but an issue with an intermediate device that is fragmenting to a very low value.

Craig,

I look at it as an F5 issue because the network is doing normal fragmentation and putting out valid fragments, but the F5 can’t handle the small fragments unless you modify the settings. They are still valid packets on the network.

The reason the network is fragmenting is an overlay. PEAP is no problem, but EAP-TLS can cause maximum-size packets. When DMVPN headers are added on top of that, you exceed the maximum packet size and the router fragments the packets into a max-size UDP packet and puts the remaining data into a small but still legal packet.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

To be clear, the end host is responsible for fragment reassembly, and in the case of load balancing, the LTM is the end host of the UDP communication from the NAD's point of view. Furthermore, the F5 MUST reassemble the packets in order to make a load balancing decision based on the complete packet, which includes the RADIUS attributes. I show the potential negative result of this in BRKSEC-3699, where only the first packet containing the RADIUS header is load balanced and the remaining ones use the default method, which can disperse fragments. Therefore, the LB must not only reassemble packets before sending to the ISE PSN, it must also handle the min fragment size.

LTM: tm.minipfragsize

Pre-11.6: Default = 576 bytes

11.6.0+: Default = 566 bytes

# tmsh modify sys db tm.minipfragsize value 1
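To make the two-stage fragmentation Paul describes (NAD fragments at the LAN MTU, then the DMVPN router re-fragments the already-fragmented packet) and the LTM minimum-fragment check concrete, here is an added model that is not from this thread or from F5/Cisco. The RADIUS size, 1500-byte MTU, 76-byte overlay overhead and the assumption that tm.minipfragsize is compared against a fragment's total IP length are illustrative assumptions; the 576/566 defaults are the ones quoted above.

```python
# Added example (not from the thread): simulates IPv4 fragmentation of one
# RADIUS/UDP datagram, re-fragmentation after overlay encapsulation, and which
# resulting fragments would fall under an F5 LTM tm.minipfragsize threshold.

IP_HDR = 20   # IPv4 header without options
UDP_HDR = 8

def fragment(total_len, mtu, offset=0, more=False):
    """Split one IPv4 packet (total_len incl. header) to fit an MTU.
    Returns (fragment_total_len, data_offset, more_fragments) tuples.
    Per RFC 791 every fragment but the last carries a multiple of 8 bytes."""
    if total_len <= mtu:
        return [(total_len, offset, more)]
    payload = total_len - IP_HDR
    step = (mtu - IP_HDR) // 8 * 8      # largest 8-byte-aligned chunk that fits
    frags, pos = [], 0
    while pos < payload:
        chunk = min(step, payload - pos)
        last = pos + chunk >= payload
        frags.append((IP_HDR + chunk, offset + pos, more or not last))
        pos += chunk
    return frags

def overlay_refragment(frags, overlay_overhead, mtu):
    """Re-fragment each fragment when an overlay (e.g. DMVPN GRE/IPsec) takes
    overlay_overhead bytes out of the same link MTU. Assumption: the router
    fragments the inner packet before encapsulating it."""
    inner_mtu = mtu - overlay_overhead
    out = []
    for size, off, more in frags:
        out.extend(fragment(size, inner_mtu, off, more))
    return out

def dropped_by_ltm(frags, minipfragsize):
    """Fragments below the LTM threshold (assumption: compared on total length)."""
    return [f for f in frags if f[0] < minipfragsize]

def simulate(radius_len=4096, nad_mtu=1500, overlay_overhead=76, minipfragsize=566):
    """EAP-TLS sized RADIUS datagram: NAD fragments at nad_mtu, DMVPN router
    re-fragments; returns (all fragments, fragments the LTM would drop)."""
    first = fragment(IP_HDR + UDP_HDR + radius_len, nad_mtu)
    second = overlay_refragment(first, overlay_overhead, nad_mtu)
    return second, dropped_by_ltm(second, minipfragsize)

if __name__ == "__main__":
    frags, dropped = simulate()
    print("fragment sizes:", [f[0] for f in frags])   # two 100-byte remainders
    print("dropped at default 566:", [f[0] for f in dropped])
    print("dropped at 64:", dropped_by_ltm(frags, 64))
```

Each 1500-byte fragment becomes a 1420-byte fragment plus a 100-byte remainder, which is the "small but still legal packet" the default threshold rejects and a value of 64 accepts.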
