Cisco ISE & F5 load balancing issues

Hi,

We are setting up a load-balanced ISE PSN infrastructure using F5 LTM. The ISE nodes and the F5 internal interface are on the same VLAN, and the F5 external interface is on a different VLAN. We have configured the infrastructure as described in the link below.

 

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

 

RADIUS packets originating from Firepower go to the F5, and the F5 passes the packets to the ISE PSNs, but the ISE nodes don't respond to the requests.
However, when we changed the RADIUS IP address on Firepower to the ISE PSN node IP address, the ISE PSN node responds to the requests.

Also, after the RADIUS process, the posture session needs to start.

Any ideas and up-to-date documents for integrating F5 and ISE PSN nodes?

 

Our topology is the same as shown below:

image.png

 

Thanks,


Re: Cisco ISE & F5 load balancing issues

Hi @star btsistem,

 

Please, on the link:

 

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

 

take a look at the LTM Forwarding IP Configuration - Inbound and LTM Forwarding IP Configuration - Outbound and double-check the configuration.

 

Note: on ISE > Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump you can double-check whether you are receiving/sending any packets from/to the F5.

 

Hope this helps,

 Marcelo Morais


Re: Cisco ISE & F5 load balancing issues

Hi,

 

We have configured our infra as stated at the link that you sent. Inbound & outbound forwarding definitions are also OK. But I have noticed that when we set the F5 VIP as RADIUS, the RADIUS packets are flagged as don't fragment. We will check it with the F5 guys.

 

Thanks,
