Re: Cisco ISE & F5 load balancing issues

star btsistem · ‎07-08-2020

Hi,

We are setting a loadbalanced ISE PSN infrastructure by using F5 LTM. ISE nodes and F5 internal interface are on the same vlan and f5 external interface is on a different vlan which. We have configured the infrastructure as described below link.

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

Radius packents originating from Firepower goes to F5 and F5 passes the packets to ISE PSNs but ISE nodes dont respond to the requests.
However when we changed the radius ip address as ISE PSN node ip address on firepower, ISE PSN node responds to the requests.

And also after the radius process, posture session needs to start.

Any ideas and up-to-date documents for integrating F5 and ISE PSN nodes.

Our topology is same as shown below ;

Thanks,

Marcelo Morais · ‎07-09-2020

Hi @star btsistem ,

please on the link:

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

take a look at the LTM Forwarding IP Configuration - Inbound & LTM Forwarding IP Configuration - Outbound and double check the configuration.

Note: on ISE > Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump you can double check if you are receiving/sending any packet from/to F5.

Hope this helps,

Marcelo Morais

star btsistem · ‎07-09-2020

Hi,

We have configured our infra as stated at the link that u sent. Inbound & outbound forwarding definitions are also ok. But i have noticed that when we set F5 VIP as radius, the radius packets are flagged as dont fragment. We will check it with F5 guys.

Thanks,