05-26-2017 03:18 AM
Hi ISE Team,
As far as I understand, to use multiple PSNs I need to place a load balancer in front of the PSNs. I'd like to use a "central" load balancer with source NAT by adding a new RADIUS AV pair with the source IP (or tell ISE to use an already existing attribute for the source IP). Is that possible, i.e. can I tell ISE to use a RADIUS attribute as the source IP of the connection instead of the UDP packet IP?
Thank you
Markus
05-26-2017 10:05 AM
Markus,
Please see the below document for additional information on load balancing with ISE.
Regards,
-Tim
05-26-2017 10:14 AM
Hi Tim,
I looked at the documents already and did not find it (or did I overlook it?), i.e. I saw the F5 SNAT option for communication from the PSNs back to the switch. But I am interested in the other way round, from the switch to the PSN.
Thank you
Markus
05-26-2017 12:22 PM
Not supported today IF you need functions like CoA to work. The reasons are discussed in the guide as well as reference version of BRKSEC-3699 posted to CiscoLive.com. The short reason is that CoA is returned to the NAD IP which ISE believes to be LB in the SNAT case. LB drops it as there is no other destination in packet header. Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.
User Story 8601 : CoA support for NAT'ed load balanced environments
Regards,
Craig
05-26-2017 12:28 PM
Hi Craig,
Thank you for the information. I'll check the CoA case, which I am also interested in.
But CoA is from the PSN to the switch. I am looking for the other direction, i.e. when the switch sends the RADIUS request to the LB and the LB to a PSN.
Markus
05-26-2017 05:44 PM
Yes. I am referring to the same use case. Forget about the SNAT for CoA for the moment. The issue is that SNAT for NAD will cause all CoA to fail, regardless of whether you choose to SNAT CoA or not. Be sure to review BRKSEC-3699 (reference version). My summation statement is...
SNAT for NAD is BAD
SNAT for CoA is OK.
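To make the mechanism behind Craig's explanation concrete: a RADIUS Access-Request carries the switch's address twice, once as the UDP source IP (rewritten by a SNAT load balancer) and once as the NAS-IP-Address attribute (type 4, untouched by NAT). The following is an added example, not code from this thread or from Cisco ISE. It builds a constructed Access-Request, parses the RFC 2865 framing, and compares the two addresses; the `coa_target` function models the behaviour described above, where CoA is sent to the UDP source rather than to the advertised NAS-IP-Address, so a mismatch means CoA would go to the load balancer. Function names and the sample addresses are assumptions.

```python
import struct
import ipaddress

# RADIUS code and attribute type numbers from RFC 2865
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4


def build_access_request(identifier, nas_ip, user_name, authenticator=b"\x00" * 16):
    """Construct a minimal Access-Request (constructed sample, not a capture)."""
    name = user_name.encode()
    attrs = struct.pack("!BB", USER_NAME, 2 + len(name)) + name
    attrs += struct.pack("!BB", NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    length = 20 + len(attrs)  # 4-byte header + 16-byte authenticator + attributes
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_radius(packet):
    """Parse the RADIUS header and TLV attributes, rejecting malformed framing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": identifier, "authenticator": authenticator, "attrs": attrs}


def nas_ip_from_packet(parsed):
    """Return the NAS-IP-Address attribute as a dotted string, or None if absent."""
    values = parsed["attrs"].get(NAS_IP_ADDRESS)
    if not values or len(values[0]) != 4:
        return None
    return str(ipaddress.IPv4Address(values[0]))


def coa_target(udp_src_ip, parsed):
    """Model of the behaviour in the thread: CoA goes to the UDP source address.

    Returns (coa_destination, snat_detected, advertised_nas_ip). When the
    load balancer SNATs the request, the destination is the LB, not the NAD,
    even though the packet itself still names the real NAD.
    """
    nas_ip = nas_ip_from_packet(parsed)
    snat_detected = nas_ip is not None and nas_ip != udp_src_ip
    return udp_src_ip, snat_detected, nas_ip


if __name__ == "__main__":
    # Constructed sample: switch 10.1.1.10, load balancer VIP 192.0.2.5
    pkt = build_access_request(7, "10.1.1.10", "alice")
    parsed = parse_radius(pkt)
    print("no SNAT :", coa_target("10.1.1.10", parsed))
    print("with SNAT:", coa_target("192.0.2.5", parsed))
```

Running it shows the same packet yielding a CoA destination of the switch in the first case and of the load balancer in the second, which is the failure the thread describes; the NAS-IP-Address attribute would be sufficient to recover the real NAD, which is exactly what the enhancement request asks for.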
05-27-2017 03:47 AM
Hi Chyps,
Apologies, I looked at the wrong pages. I see now on page 279 the comment:
NAS IP Address is correct, but not currently used for CoA
So what do I have to do to support an enhancement request to use the NAS-IP? Where do I find details about
User Story 8601 : CoA support for NAT'ed load balanced environments
Thank you
Markus
05-27-2017 08:44 AM
Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.
User Story 8601 : CoA support for NAT'ed load balanced environments
05-27-2017 08:50 AM
Will do
Thank you
Markus