06-14-2020 07:36 PM
Has anyone figured out a way to load balance PSNs behind an F5 load balancer? I looked at some configuration guides and they are all for F5 11.4. I'm using version 13.0, so the directions are not valid for my situation. The main issue I am having is posturing and COA from the PSNs behind the F5. My switch is not getting the COA request from the PSNs even though I have the "correct" SNAT on the F5, so my NADs should be getting COA from the VIP on the F5. Unfortunately that is not happening, so after my posture scan completes and the supplicant is compliant, the NAD doesn't receive the COA, so no re-authentication happens on the port and the device is stuck in my remediation VLAN until I force a new scan via AnyConnect.
Luckily this is a POC, so it is not affecting live production. Any help would be greatly appreciated.
06-14-2020 09:10 PM
06-15-2020 05:05 AM - edited 06-15-2020 07:25 AM
Damien,
I created a SNAT rule on the F5 (per documentation) so that the PSNs will be translated to the VIP. Are you doing posturing as well at your customers or just authentication?
06-15-2020 08:19 AM
06-15-2020 04:48 AM
Hi @donald.heslop1 ,
I would urge you to take a look at the following posts:
Furthermore, for your problem, try to take a capture at every point (ISE, F5, switch) to determine what's happening with the CoA.
06-15-2020 05:03 AM
06-15-2020 05:09 AM
For the "flapping" issue, please enable the following debug and check the logs where it complains about the 'Timed-Out':
debug radius
term mon
Ideally, you should take packet captures too to identify who's not responding (or responding incorrectly).
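One way to read the captures suggested in the two replies above, as an added example that is not part of the original thread: it decodes RADIUS headers seen at the switch, flags CoA or Disconnect requests whose source is not the address the NAD trusts (the F5 VIP when SNAT works), and lists requests that never got an ACK or NAK. The addresses, the `SAMPLE` packets and the function names are constructed for illustration.

```python
import struct

# RADIUS dynamic-authorization codes (RFC 5176)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
REQUESTS = {40, 43}

def parse_header(payload):
    """Return (code, identifier), or None if this is not a well-formed RADIUS packet."""
    if len(payload) < 20:              # 20-byte fixed header
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        return None
    return code, ident

def audit_coa(packets, trusted_sources):
    """packets: (src_ip, dst_ip, udp_payload) tuples in capture order at the NAD."""
    pending, findings = {}, []
    for src, dst, payload in packets:
        hdr = parse_header(payload)
        if hdr is None or hdr[0] not in CODES:
            continue
        code, ident = hdr
        if code in REQUESTS:
            pending[(src, dst, ident)] = CODES[code]
            if src not in trusted_sources:
                findings.append(f"{CODES[code]} id={ident} from {src}: source is not a configured CoA client")
        else:
            pending.pop((dst, src, ident), None)   # reply matches request by swapped addresses and id
    for (src, dst, ident), name in pending.items():
        findings.append(f"{name} id={ident} from {src} to {dst}: no ACK/NAK seen")
    return findings

def radius(code, ident):
    """Build a minimal constructed RADIUS packet: header plus zeroed authenticator."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

# Constructed sample data (all addresses are assumptions, not from the thread)
VIP, PSN, NAD = "192.0.2.10", "10.0.0.11", "198.51.100.5"
SAMPLE = [
    (PSN, NAD, radius(43, 7)),   # CoA-Request that left the F5 without SNAT
    (VIP, NAD, radius(43, 8)),   # CoA-Request correctly translated to the VIP
    (NAD, VIP, radius(44, 8)),   # CoA-ACK from the switch
]

if __name__ == "__main__":
    for line in audit_coa(SAMPLE, trusted_sources={VIP}):
        print(line)
```

Running the same check on the capture taken at each hop (ISE, F5, switch) shows where the request stops or where its source address stops matching what the NAD expects.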
06-15-2020 06:00 AM
06-15-2020 08:15 AM