06-24-2015 11:25 AM - edited 03-10-2019 10:51 PM
Hi,
We are in the process of migrating our ISE infrastructure from ACE to F5.
We followed Craig Hyps document for the configuration.
All looks ok except EAP-TLS authentication. (PEAP user/computer works fine)
In the document there is nothing special mentioned that needs to be done for TLS.
I think it may be related to fragmentation but not sure.
I can also add here that if we point the NAD's to the PSN directly it works.
The problem is only when we use the VIP.
(PEAP work with the VIP also)
Has anyone experience with this or managed to make this work.
Any information or hint is appreciated.
Let me know if you need additional info about the setup.
Thank,
laszlo
Solved! Go to Solution.
04-27-2019 06:02 PM
In order to solve this issue, here is what you need to do:
1. Login to your F5 LTM
2. Go to Local Traffic
3. Go to Profiles
4. Go to Protocols
5. Click on UDP
6. Click on ise_radius_udp
7. For the "Don't fragment Mode" Click Custom on the right and then choose Disable
Hopefully this will help someone if they ever run into this issue.
11-24-2015 05:25 AM
Hi Laszlo
I also ahve a similar issue. Did you find a solution for this?
Thanks
Gaj
11-30-2015 03:44 PM
Hi Laszio
Thank you for following up.
We tried this workaround and dosent seems to work, still investigating. Any particular reason in your case fragment size of 24 was choosen? Also we did not reboot the LTM after the change as an F5 SOL (17102) atricale says reboot is not required.
Whats your F5 LTM OS code? We are running 11.4.1 with HF9
Thanks
Gaj
12-02-2015 11:40 AM
Gaj,
No specfic reason for 24, from memory the engineer had another customer who choose 24 so we decided to go with that as opposed to 0. The problem we were seeing before the change showed any wireless client performing EAP-TLS via WLC would not get an IP Address and the logs indicated the F5 was silently dropping the packets. This got us around that roadblock. We still havent pointed any traffic to our VIP as we notice tons of drops as soon as we try it. Im talking 40% retrys and 20-30% dropped. Its been a real thorn in our side. We also see "radius-server unavailable" then "radius-server available" constantly throughout our logs. We have followed Craigs guide to a tee and still no joy.
OS code BIG-IP v11.6.0 (Build 4.0.420)
Good Luck
-Ryan
03-27-2016 06:14 AM
Hi Ryan
Sorry for my late feedback.
Just thought to share with you or might be useful to others having a similar issue.
Adjusting fragment size didn't work in our case for TLS. Following further wire shark debugs we found that F5 was setting the DF bit to 1 after reassembling the packets and the larger ones get dropped before reaching the PSN's thus TLS failing. The work around was to disable an global option in F5 (with 11.4.x code) and worked great after that. If you require further details please let me know.
Cheers
Gaj
03-29-2016 03:29 PM
Gaj,
Yes I'm very interested in what the fix was, you can email me at Rcoombz@me.com or share the fix on the thread. We are still having the issue so I'm banking on you. =)
02-12-2018 12:34 PM
Running into the same issues. After changing the minipfragsize to as low as 1 the issues would still occur. What was the global option you ended up disabling? Any help appreciated!! This issue is beyond frustrating.
04-27-2016 10:18 AM
Hey Ryan,
any fix on this issue?
see "radius-server unavailable" then "radius-server available" constantly throughout our logs
am having the same problem on all my cisco switches
Thx
11-24-2015 10:00 AM
Laszio,
This was our fix and after the change I believe it required a reboot as well. Let me know if this works as we are using EAP-TLS as well but our logs and statistics are still very muddy.
The datagram packets that were being fragmented were too small and being caught by a DoS protection DB variable and the F5 device was silently dropping these packets. The fix for this is to lower the threshold for this variable to allow these packets through the device to the server.
[admin@f5-lb-01:Active:Changes Pending] ~ # tmsh list sys db tm.minipfragsize all-properties
sys db tm.minipfragsize {
default-value "556"
scf-config "true"
value "500" <-- Changed to 24
value-range "unsigned integer min:1 max:65515"
#####no change
04-27-2019 06:02 PM
In order to solve this issue, here is what you need to do:
1. Login to your F5 LTM
2. Go to Local Traffic
3. Go to Profiles
4. Go to Protocols
5. Click on UDP
6. Click on ise_radius_udp
7. For the "Don't fragment Mode" Click Custom on the right and then choose Disable
Hopefully this will help someone if they ever run into this issue.
05-15-2019 08:09 AM
Amir,
This resolved my EAP-TLS problem on ISE 2.4, LTM version 13.1. Thank you so much for replying back with this fix!
07-13-2020 01:03 PM
Hi Guys,
I think we are facing the same issue. However, in our case, F5 enabled for the jumbo frame and it is trying to send large frames to ISE. Even we disabled "Don't fragment mode" disable and set min.fragment size did not resolve the issue.
Can you confirm what was your F5 configuration with respect to Jumbo frames?
Rasika
02-01-2024 04:39 AM
Hi, we had a similar issue and just resolved it. F5 was configured for Jumbo frame, but ISE by default is not. Also, we had no luck increasing the MTU on ISE 3.2. Maybe its just not working, maybe something else in the network dropped the jumbo frames.
Anyway, we changed the MTU on the F5 to the default of 1500. So, as F5 will always reassamble fragments, if you have issues as described here, ensure all devices in the ISE vlan are using the same MTU, maybe its best to stick with the default of 1500.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide