Any limitation for ISE nodes to send CoA request other than Gi0 interface ?

Parag Mahajan
Cisco Employee

Hi All,

I am working with a customer where there is a requirement that management traffic be segregated from production traffic (RADIUS traffic). To accommodate this requirement we have configured the PSN as below:

PSN1- Gi0- A.B.C.D. IP- Management Traffic

PSN1- Gi1- W.X.Y.Z IP- Production Traffic (radius traffic)

Configured a static route to the management subnet using the IP, and a default route for all other traffic using the W.X.Y.Z IP.

Authc and Authz are working as expected. But what we are seeing is that when the PSN sends a CoA request to the switch, it sends it using the A.B.C.D IP.

In my opinion, it should send it using the W.X.Y.Z IP. Is there any limitation for ISE nodes to send CoA requests other than from the Gi0 interface?

Does anyone know of any setting to send CoA requests using the Gi1 interface? We are on 2.2P3.

Accepted Solution

CoA should not be hard-coded to GE0. The expectation is that CoA will be sent based on the routing table for the target IP of the NAD. If there is not a more-specific route to the NAD IP, it should rely on the global default route based on the 'ip default-gateway' setting. For symmetrical traffic, 'ip route 0.0.0.0 0.0.0.0 gateway <ip>' is used, but the global default will decide the outbound interface if there is no specific route.

If the above is not the behavior seen, then I suggest opening a TAC case to reproduce it and determine whether a defect needs to be opened.

Craig
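The accepted answer's point, that the CoA source address follows the routing table lookup for the NAD's IP rather than a fixed interface, can be checked against a model of the two-homed PSN from the question. This is an added example, not ISE's own lookup or the poster's configuration; the interface names, addresses and the management static route are assumptions, and it also shows the trap of a NAD that happens to fall under the more-specific management route.

```python
import ipaddress

# Constructed two-homed PSN: Gi0 carries management, Gi1 carries RADIUS.
# Addresses stand in for the A.B.C.D / W.X.Y.Z placeholders in the thread.
INTERFACES = {
    "GigabitEthernet0": ipaddress.ip_interface("10.10.1.10/24"),  # management
    "GigabitEthernet1": ipaddress.ip_interface("10.20.1.10/24"),  # production/RADIUS
}

# Connected routes for each interface plus the two static entries the poster
# describes: a route to the management subnet via Gi0 and a default via Gi1.
ROUTES = [(iface.network, name) for name, iface in INTERFACES.items()] + [
    (ipaddress.ip_network("10.10.0.0/16"), "GigabitEthernet0"),  # management subnet
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1"),     # default route
]


def lookup(dst):
    """Longest-prefix match: (egress interface, source IP) used to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    if best is None:
        return None
    return best[1], str(INTERFACES[best[1]].ip)


def coa_sources(nad_ips):
    """Predict, per NAD, which interface and source IP a routed CoA would use."""
    return {nad: lookup(nad) for nad in nad_ips}


def unexpected_sources(nad_ips, radius_ifname="GigabitEthernet1"):
    """NADs whose CoA would not leave via the RADIUS interface: the case to
    investigate (a more-specific route wins over the default) before a TAC case."""
    return [nad for nad, hit in coa_sources(nad_ips).items()
            if hit is None or hit[0] != radius_ifname]


if __name__ == "__main__":
    # Constructed NAD addresses: one under the management /16, one in the
    # production /24, one reachable only via the default route.
    for nad, hit in coa_sources(["10.10.5.5", "10.20.1.99", "192.0.2.50"]).items():
        print(nad, "->", hit)
```

Any switch listed by `unexpected_sources` will see CoA from the management address, which also has to match whatever CoA client address the NAD is configured to accept.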


5 Replies

Craig Hyps
Level 10

You should set the ip default-gateway to be GE1, not just a default route (ip route 0 0 ge1_next_hop).

Yes, this is how we set it up, as you mentioned. The real question is why the PSN is sending CoA with the Gi0 IP.

How is CoA triggered?

CoA is getting triggered by profiling changes, set up as CoA type reauth in profiling.

