07-30-2018 12:42 AM
My customer is having a problem configuring CoA SNAT when deploying F5 for load balancing. Without the CoA SNAT option it works fine. They were using ISE for a very long time without F5, and now they are trying to reconfigure their solution. They tried to use the deployment guide in the attachment from 2014, but it seems that part of the configuration needed on F5 is not complete (at least according to F5 support). Can you advise where I can find a configuration guide which can help my customer deploy ISE with F5 CoA SNAT?
08-02-2018 03:54 AM - edited 08-02-2018 03:57 AM
It looks like it works correctly when adding an iRule to the CoA SNAT virtual server....

ltm rule CoA-SNAT-iRule {
    when CLIENT_DATA {
        # AVP 4 is NAS-IP-Address; send the CoA to that address on UDP 1700
        log local0. "Sending CoA to [RADIUS::avp 4 ip4] "
        node [RADIUS::avp 4 ip4] 1700
    }
}

ltm virtual ISE-RADIUS-COA-SNAT {
    address-status no
    destination 10.31.0.0:mps-raft
    ip-protocol udp
    mask 255.255.0.0
    profiles {
        ise_radius_udp { }
    }
    rules {
        CoA-SNAT-iRule
    }
    source 10.16.36.0/24
    source-address-translation {
        pool Radius_COA_SnatPool
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        ISE_INTERNAL
    }
    vlans-enabled
    vs-index 17
}
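What the iRule's `[RADIUS::avp 4 ip4]` lookup depends on, shown as an added Python example that is not part of the original post and is not F5 or Cisco code: it walks the attributes of a CoA or Disconnect request and returns NAS-IP-Address, or None when that attribute is missing or malformed and the lookup would have nothing to forward to. The packets, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

DYNAUTH_CODES = {40, 43}  # Disconnect-Request and CoA-Request (RFC 5176)
NAS_IP_ADDRESS = 4        # attribute type read by [RADIUS::avp 4 ip4]
HEADER_LEN = 20           # code(1) + id(1) + length(2) + authenticator(16)


def coa_target(packet: bytes):
    """Return NAS-IP-Address of a CoA/Disconnect request as a string, or None."""
    if len(packet) < HEADER_LEN:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in DYNAUTH_CODES or length < HEADER_LEN or length > len(packet):
        return None
    pos = HEADER_LEN
    while pos + 2 <= length:
        avp_type, avp_len = packet[pos], packet[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            return None  # malformed AVP: stop rather than guess
        if avp_type == NAS_IP_ADDRESS:
            if avp_len != 6:  # type + length + 4 address bytes
                return None
            return str(ipaddress.IPv4Address(packet[pos + 2:pos + 6]))
        pos += avp_len
    return None  # no NAS-IP-Address present


def build_packet(code, avps):
    """Build a constructed test packet (zeroed authenticator, test use only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, 1, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed samples: User-Name (1) then NAS-IP-Address (4), and one without AVP 4.
NAD = ipaddress.IPv4Address("10.31.5.20").packed
WITH_NAS = build_packet(43, [(1, b"alice"), (NAS_IP_ADDRESS, NAD)])
WITHOUT_NAS = build_packet(43, [(1, b"alice")])

if __name__ == "__main__":
    for name, pkt in (("with AVP 4", WITH_NAS), ("without AVP 4", WITHOUT_NAS)):
        print(name, "->", coa_target(pkt))
```
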
08-02-2018 05:06 AM
I am glad it is working for you, but it is still not clear why it is not working without using a simpler config to simply translate the source IP for packets sent to udp/1700. In addition to the translation statement, I also noticed that in your original config the VS type was not set to ip-forward, which is the primary change from the original guide and which made all the difference for other customers.