ISE PSN load balancing

donald.heslop1
Level 1

Has anyone figured out a way to load balance PSNs behind an F5 load balancer? I looked at some configuration guides and they are all for F5 11.4. I'm using version 13.0, so the directions are not valid for my situation. The main issue I am having is posturing and CoA from the PSNs behind the F5. My switch is not getting the CoA request from the PSNs even though I have the "correct" SNAT on the F5, so my NADs should be getting CoA from the VIP on the F5. Unfortunately that is not happening, so after my posture scan completes and the supplicant is compliant the NAD doesn't receive the CoA, so no re-authentication happens on the port and the device is stuck in my remediation VLAN until I force a new scan via AnyConnect.

 

Luckily this is a POC, so it is not affecting live production. Any help would be greatly appreciated.

8 Replies

Damien Miller
VIP Alumni
I've had customers run ISE behind a range of F5 versions, up to 14.1, with no issues.

Are you not seeing the CoA at the NAD at all, or is it just coming direct from the node and not masked from the VIP IP? We need to determine if it's an F5 issue or if ISE is not sending the CoA in the first place.

Damien,

 

I created a SNAT rule on the F5 (per documentation) so that the PSNs will be translated to the VIP. Are you doing posturing as well at your customers, or just authentication?

Yes, I've seen all services be used with F5s, including posture.

What has worked well for me is creating a SNAT pool list with the F5 VIP as the only IP. Then a separate forwarding IP virtual server for each PSN, referencing the source address of the PSN and server port 1700. In this you also reference the SNAT pool list. It correctly masks CoAs from the VIP.

Anurag Sharma
Cisco Employee

Hi @donald.heslop1 ,

I would urge you to take a look at the following posts:

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

https://community.cisco.com/t5/security-documents/configuring-f5-ltm-for-cisco-ise-load-balancing/ta-p/3642134

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200317-F5-LTM-loadbalancing-Radius-and-HTTP-tra.html

Furthermore, for your problem, try to take a capture at every point (ISE, F5, switch) to determine what's happening with the CoA.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Anurag,

I used those guides to set up the F5 and that's when I ran into the problem. Right now the NAD keeps flapping between RADIUS server dead and RADIUS server alive.

@donald.heslop1 ,

For the "flapping" issue, please enable the following debug and check the logs where it complains about the 'Timed-Out':

debug radius

term mon

Ideally, you should take packet captures too to identify who's not responding (or responding incorrectly).

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Anurag,

 

Here is a packet capture from my POC from the PSN to the NAD. I see the source port (coming from the PSN behind the F5) is 30026. Shouldn't that be UDP 1700?

The source port will be randomly selected; only the destination port will be 1700, so that is correct, minus the missing SNAT.
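The thread ends with two checks a reader will want to make on their own captures: that CoA-Requests arriving at the NAD are sourced from the F5 VIP (the SNAT masking Damien describes) rather than from a PSN address, and that only the destination port is 1700 while the source port is ephemeral. The following script is an added example, not code from the thread or from Cisco/F5; it parses a classic little-endian pcap with a few lines of struct unpacking and flags CoA-Requests (RADIUS code 43, RFC 5176) whose source is a PSN instead of the VIP. The addresses, ports and the embedded capture are all constructed for the example.

```python
import struct
from ipaddress import IPv4Address

COA_PORT = 1700
RADIUS_CODE_COA_REQUEST = 43  # RFC 5176 CoA-Request

# Constructed addresses for this example (not taken from the thread).
VIP = "10.0.0.100"
PSN_ADDRS = {"10.0.1.11", "10.0.1.12"}
NAD = "10.0.2.5"


def build_packet(src_ip, dst_ip, src_port, dst_port, radius_code):
    """Build an Ethernet/IPv4/UDP/RADIUS frame (constructed test data only)."""
    # RADIUS header: code, identifier, length, 16-byte authenticator; no attributes.
    radius = struct.pack("!BBH", radius_code, 1, 20) + b"\x00" * 16
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4


def build_pcap(packets):
    """Wrap frames in a classic pcap file (little-endian, linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p
                    for i, p in enumerate(packets))
    return header + body


def iter_udp(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/UDP frame."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 over Ethernet, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        src = str(IPv4Address(frame[26:30]))
        dst = str(IPv4Address(frame[30:34]))
        udp_off = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
        yield src, dst, sport, dport, frame[udp_off + 8:]


def audit_coa(pcap, vip, psn_addrs, nad):
    """Return (verdict, src_ip, src_port) for every CoA-Request addressed to the NAD.

    'ok'               -> sourced from the VIP, SNAT is working
    'snat_missing'     -> sourced directly from a PSN, the NAD will not trust it
    'unexpected_source'-> neither VIP nor a known PSN
    """
    findings = []
    for src, dst, sport, dport, payload in iter_udp(pcap):
        if dport != COA_PORT or dst != nad:
            continue
        if len(payload) < 20 or payload[0] != RADIUS_CODE_COA_REQUEST:
            continue
        if src == vip:
            findings.append(("ok", src, sport))
        elif src in psn_addrs:
            findings.append(("snat_missing", src, sport))
        else:
            findings.append(("unexpected_source", src, sport))
    return findings


# Constructed capture: one Access-Request (ignored), one correctly masked CoA,
# one CoA leaking a PSN address because SNAT was not applied.
SAMPLE_PCAP = build_pcap([
    build_packet(NAD, VIP, 51234, 1812, 1),
    build_packet(VIP, NAD, 30026, COA_PORT, RADIUS_CODE_COA_REQUEST),
    build_packet("10.0.1.11", NAD, 40001, COA_PORT, RADIUS_CODE_COA_REQUEST),
])

if __name__ == "__main__":
    for verdict, src, sport in audit_coa(SAMPLE_PCAP, VIP, PSN_ADDRS, NAD):
        print(f"{verdict:18} src={src} sport={sport} dport={COA_PORT}")
```

To use it on a real capture, replace `SAMPLE_PCAP` with the bytes of a pcap taken on the switch-facing side of the F5 and set `VIP`, `PSN_ADDRS` and `NAD` to your own addresses; any `snat_missing` line means the forwarding virtual server for that PSN is not applying the SNAT pool, which matches the symptom in the thread where the NAD never acts on the CoA.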