02-15-2021 01:40 PM - edited 02-15-2021 01:42 PM
Hi everyone,
atm we are migrating our RASVPN-Gateways from our old Cisco ACS to ISE. Within our deployment we have 4 PSNs which are behind an F5 LB. I'm aware of the existing guides to set up load-balanced RADIUS, but I noticed that our setup is really unbalanced, due to the fact that we have (atm) 7 VPN-GWs connecting to the virtual server and that the Cisco ASA is using something best described as a UDP connection: an ASA opens a connection to the virtual server and, as long as there are new VPN sessions to be authenticated, it reuses the same connection (not changing the source port).
The F5 also sees this as a connection and sends all requests of one ASA to the same pool member. So with 7 GWs and 2 monitoring tools creating RADIUS requests, it happens sometimes that one of the 4 PSNs gets 50 to 70% of the load, 2 devices 15-25% and one device almost no authentications over hours.
So the only option I see is to use "UDP Datagram LB", which would be per-packet load balancing, which every guide I read about ISE and F5 does not enable. So any recommendations?
One other thing is persistence. I tried to create some stickiness to have auth and accounting data going to the same node, by audit-session-id. I attach the iRule I created. Any comments, especially on the persistence timeout, since a VPN session can last one whole day.
Is it necessary that I send accounting stop requests to the same PSN?
BR, Jörg Friedrich
02-16-2021 02:14 PM
Hi @jeff16384
please take a look at the following link: ISE Load Balancing
Note: "... perform sticky (aka: persistence) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-address ..."
Hope this helps !!!
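An added example, not code from this thread and not an F5 iRule: a Python model of the two balancing behaviours discussed above. Strategy A is what the original post describes, the ASA reusing one source port so the load balancer pins every request from a gateway to one pool member; strategy B keys persistence on the RADIUS Calling-Station-Id plus NAS-IP-Address as the linked ISE guidance recommends, so auth and accounting packets for the same session land on the same PSN regardless of which flow carries them. Pool member names, gateway addresses, session counts and Calling-Station-Id values are constructed, and the hash-to-member step is a stand-in for the load balancer's persistence table.

```python
"""Constructed demo: per-source-tuple RADIUS balancing vs. persistence keyed on
Calling-Station-Id (+ NAS-IP-Address). Not F5 or Cisco code."""
import hashlib
import struct
from collections import Counter

# RADIUS codes and attribute types (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40


def build_packet(code, ident, attrs):
    """Build a minimal RADIUS datagram. The 16-byte authenticator is zeroed because
    this demo only exercises attribute parsing; a real NAS fills it in."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return (code, {attr_type: [values]}) after validating every length field,
    which anything keying on attribute data has to do before trusting it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs


def persistence_key(packet, with_nas_ip=True):
    """Persistence key as the ISE guidance describes: Calling-Station-Id, optionally
    combined with NAS-IP-Address. Returns None when the attribute is absent so the
    caller can fall back to the default balancing behaviour."""
    _code, attrs = parse_attributes(packet)
    if CALLING_STATION_ID not in attrs:
        return None
    key = attrs[CALLING_STATION_ID][0]
    if with_nas_ip and NAS_IP_ADDRESS in attrs:
        key += b"|" + attrs[NAS_IP_ADDRESS][0]
    return key


def member_for_key(key, members):
    """Deterministic hash onto the pool; stands in for the LB's persistence table."""
    h = hashlib.sha256(key).digest()
    return members[int.from_bytes(h[:4], "big") % len(members)]


def session_packets(nas_ip, client):
    """Constructed Access-Request and Accounting-Request (Stop) for one VPN session."""
    nas = bytes(int(o) for o in nas_ip.split("."))
    auth = build_packet(ACCESS_REQUEST, 1,
                        [(NAS_IP_ADDRESS, nas), (CALLING_STATION_ID, client)])
    stop = build_packet(ACCOUNTING_REQUEST, 2,
                        [(NAS_IP_ADDRESS, nas), (CALLING_STATION_ID, client),
                         (ACCT_STATUS_TYPE, struct.pack("!I", 2))])  # 2 = Stop
    return auth, stop


def simulate(gateway_sessions, members):
    """gateway_sessions: {nas_ip: number_of_vpn_sessions} (constructed).
    Returns (counts_per_source_tuple, counts_per_session_key)."""
    by_tuple, by_key = Counter(), Counter()
    for gw_index, (nas_ip, n_sessions) in enumerate(gateway_sessions.items()):
        # Strategy A: one reused source port per ASA means one "connection" per
        # gateway, so all of that gateway's sessions are pinned to a single member.
        pinned = members[gw_index % len(members)]
        nas = bytes(int(o) for o in nas_ip.split("."))
        for s in range(n_sessions):
            client = f"198.51.100.{s}/gw{gw_index}".encode()  # constructed Calling-Station-Id
            pkt = build_packet(ACCESS_REQUEST, s % 256,
                               [(NAS_IP_ADDRESS, nas), (CALLING_STATION_ID, client)])
            by_tuple[pinned] += 1
            # Strategy B: key on the attributes inside the datagram instead of the flow.
            by_key[member_for_key(persistence_key(pkt), members)] += 1
    return by_tuple, by_key


if __name__ == "__main__":
    members = ["psn1", "psn2", "psn3", "psn4"]
    gateways = {"10.0.0.1": 400, "10.0.0.2": 300, "10.0.0.3": 100, "10.0.0.4": 50,
                "10.0.0.5": 50, "10.0.0.6": 30, "10.0.0.7": 20}
    by_tuple, by_key = simulate(gateways, members)
    print("per source tuple:      ", dict(by_tuple))
    print("per Calling-Station-Id:", dict(by_key))
    auth, stop = session_packets("10.0.0.1", b"198.51.100.7")
    print("auth and acct stop on same member:",
          member_for_key(persistence_key(auth), members)
          == member_for_key(persistence_key(stop), members))
```

With the constructed session counts, strategy A reproduces the skew described in the question (one member carrying nearly half the sessions, one almost none) because the busiest gateways happen to pin to the same members, while strategy B spreads sessions evenly and still keeps a session's Access-Request and Accounting-Request together. A real persistence entry also needs a timeout at least as long as the longest session, which is the point the question raises about day-long VPN sessions.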