cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8470
Views
0
Helpful
12
Replies

ISE, F5 and EAP-TLS

laposilaszlo
Level 1
Level 1

Hi,

 

We are in the process of migrating our ISE infrastructure from ACE to F5.

We followed Craig Hyps document for the configuration.

 

All looks ok except EAP-TLS authentication. (PEAP user/computer works fine)

In the document there is nothing special mentioned that needs to be done for TLS.

 

I think it may be related to fragmentation but not sure.

I can also add here that if we point the NAD's to the PSN directly it works.

The problem is only when we use the VIP.

(PEAP work with the VIP also)

 

Has anyone experience with this or managed to make this work.

Any information or hint is appreciated.

 

Let me know if you need additional info about the setup.

 

Thank,

laszlo

 

1 Accepted Solution

Accepted Solutions

In order to solve this issue, here is what you need to do:

1. Login to your F5 LTM

2. Go to Local Traffic

3. Go to Profiles

4. Go to Protocols

5. Click on UDP

6. Click on ise_radius_udp

7. For the "Don't fragment Mode" Click Custom on the right and then choose Disable

 

Hopefully this will help someone if they ever run into this issue.

View solution in original post

12 Replies 12

Gaj Ana
Level 1
Level 1

Hi Laszlo

I also ahve a similar issue. Did you find a solution for this?

Thanks

Gaj

Hi Laszio

Thank you for following up.

We tried this workaround and dosent seems to work, still investigating. Any particular reason in your case fragment size of 24 was choosen? Also we did not reboot the LTM after the change as an F5 SOL (17102) atricale says reboot is not required.

Whats your F5 LTM OS code?  We are running 11.4.1 with HF9

Thanks

Gaj

Gaj,

No specfic reason for 24, from memory the engineer had another customer who choose 24 so we decided to go with that as opposed to 0.  The problem we were seeing before the change showed any wireless client performing EAP-TLS via WLC would not get an IP Address and the logs indicated the F5 was silently dropping the packets.  This got us around that roadblock.  We still havent pointed any traffic to our VIP as we notice tons of drops as soon as we try it.  Im talking 40% retrys and 20-30% dropped.  Its been a real thorn in our side.  We also see "radius-server unavailable" then "radius-server available" constantly throughout our logs.  We have followed Craigs guide to a tee and still no joy.

OS code BIG-IP v11.6.0 (Build 4.0.420)  

Good Luck

-Ryan

Hi Ryan

Sorry for my late feedback. 

Just thought to share with you or might be useful to others having a similar issue.

Adjusting fragment size didn't work in our case for TLS. Following further wire shark debugs we found that F5 was setting the DF bit to 1 after reassembling the packets and the larger ones get dropped before reaching the PSN's thus TLS failing. The work around was to disable an global option in F5 (with 11.4.x code) and worked great after that. If you require further details please let me know.

Cheers

Gaj

Gaj,

Yes I'm very interested in what the fix was, you can email me at Rcoombz@me.com or share the fix on the thread.  We are still having the issue so I'm banking on you.  =)

Running into the same issues.  After changing the minipfragsize to as low as 1 the issues would still occur.  What was the global option you ended up disabling?  Any help appreciated!! This issue is beyond frustrating.  

Hey Ryan,

any fix on this issue?

see "radius-server unavailable" then "radius-server available" constantly throughout our logs

am having the same problem on all my cisco switches

Thx

Ryan Coombs
Level 1
Level 1

Laszio,

This was our fix and after the change I believe it required a reboot as well.  Let me know if this works as we are using EAP-TLS as well but our logs and statistics are still very muddy. 

The datagram packets that were being fragmented were too small and being caught by a DoS protection DB variable and the F5 device was silently dropping these packets.  The fix for this is to lower the threshold for this variable to allow these packets through the device to the server. 

    • Resolution lower the DoS protection variable from default of 556 to 24.

[admin@f5-lb-01:Active:Changes Pending] ~ # tmsh list sys db tm.minipfragsize all-properties

sys db tm.minipfragsize {

    default-value "556"

    scf-config "true"

    value "500"  <-- Changed to 24

   value-range "unsigned integer min:1 max:65515"

#####no change

In order to solve this issue, here is what you need to do:

1. Login to your F5 LTM

2. Go to Local Traffic

3. Go to Profiles

4. Go to Protocols

5. Click on UDP

6. Click on ise_radius_udp

7. For the "Don't fragment Mode" Click Custom on the right and then choose Disable

 

Hopefully this will help someone if they ever run into this issue.

Amir,

 

This resolved my EAP-TLS problem on ISE 2.4, LTM version 13.1. Thank you so much for replying back with this fix!

Hi Guys,

 

I think we are facing the same issue. However, in our case, F5 enabled for the jumbo frame and it is trying to send large frames to ISE. Even we disabled "Don't fragment mode" disable and set min.fragment size did not resolve the issue.

 

Can you confirm what was your F5 configuration with respect to Jumbo frames?

 

Rasika

Hi, we had a similar issue and just resolved it. F5 was configured for Jumbo frame, but ISE by default is not. Also, we had no luck increasing the MTU on ISE 3.2. Maybe its just not working, maybe something else in the network dropped the jumbo frames.

Anyway, we changed the MTU on the F5 to the default of 1500. So, as F5 will always reassamble fragments, if you have issues as described here, ensure all devices in the ISE vlan are using the same MTU, maybe its best to stick with the default of 1500.