PSNs Not registering

david.e.jarvis
Level 1

In a distributed deployment, my PSNs are behind a pair of F5 LTMs configured in active/passive mode. The PSNs can ping their gateway, the F5 LTM VIP IP address and the DNS servers. However, they are not able to execute a successful nslookup of either the PAN or any other device in DNS, and because of this registration to the PAN fails. The non-load-balancing virtual servers on the F5 LTM show it passing traffic inbound and outbound without drops. Tcpdumps on the internal and external interfaces of the F5 LTM show that traffic indeed passes through. The DNS server is properly configured for forward and reverse lookups. We are running ISE 2.3 and v13.0 on the F5 LTM. What is preventing the PSNs from presenting a DNS query to a DNS server to which they have IP connectivity?

Accepted Solution

Craig Hyps
Level 10

For starters, be sure to review the guides posted here on how to config F5 LTMs with ISE:

ISE Load Balancing

The likely scenario is that you have not created an IP forwarding rule to allow the bidirectional DNS traffic, or have tried to allow access via a virtual server connection. If you try to config it as a virtual server, then even for UDP the LTM will treat the outbound request as a session and only allow the reply from the original target on the same port/interface. Often drops are related to asymmetric flows (not taking the exact same path outbound and inbound through the LTM), or more simply you did not create a forwarding rule to allow the traffic to pass without inspection.

Note that more specific rules will take precedence. As you will see in the guides, I am very prescriptive in the ports used, VLANs used, and IP addresses used. Also, if you configure an IP forwarding rule after other rules, it is possible that the traffic is being persisted by another policy and will not take the desired path/connection until you clear the persistence cache or restart the LB.

/Craig
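The two approaches contrasted in the accepted answer, written out as tmsh for a BIG-IP v13 LTM. This is an added example, not Craig's configuration and not taken from the linked guide: every address, subnet, VLAN and object name is a constructed placeholder, and the tmsh keywords are written from memory of the BIG-IP CLI, so check them against the F5 reference for your version before applying anything.

```tmsh
# Constructed placeholders (assumption): PSN subnet 10.10.20.0/24 on VLAN "psn_internal",
# DNS servers 10.10.5.53 and 10.10.6.53 reached via VLAN "external".

# --- Approach 1: a standard (load-balancing) virtual server in front of DNS ---
# The LTM owns each outbound UDP/53 request as a session: it only accepts a reply
# from the pool member it selected, on the same port, via the same VLAN. A reply
# that arrives any other way (asymmetric return path, different source) is dropped,
# which produces the "ping works, nslookup times out" symptom from the question.
create ltm pool dns_pool members add { 10.10.5.53:53 10.10.6.53:53 } monitor gateway_icmp
create ltm virtual vs_dns_lb destination 10.10.20.53:53 ip-protocol udp profiles add { udp } pool dns_pool vlans-enabled vlans add { psn_internal }

# --- Approach 2: an IP forwarding virtual server (what the reply recommends) ---
# Wildcard destination, no pool, no address or port translation: the LTM simply
# routes UDP/53 from the PSN subnet and lets the reply return, without treating the
# exchange as a load-balanced session. Scoped to the PSN source subnet, UDP and
# port 53 so it passes only DNS, and so this more specific rule takes precedence
# over any broader wildcard forwarder. Enabled on both VLANs so the return
# direction is covered as well.
create ltm virtual fwd_psn_dns destination 0.0.0.0:53 mask 0.0.0.0 ip-forward ip-protocol udp profiles add { fastL4 } source 10.10.20.0/24 translate-address disabled translate-port disabled vlans-enabled vlans add { psn_internal external }

# If the LB virtual server existed first, stale persistence entries can still steer
# PSN flows toward it (the "persisted by another policy" case in the reply).
# Clear them after adding the forwarding rule, then save.
delete ltm persistence persist-records
save sys config
```

A quick way to confirm which object is catching the PSN traffic after the change is to watch the connection table from tmsh (`show sys connection cs-client-addr <psn-ip>` on v13, an assumption to verify against the docs): a DNS flow matched by the forwarder shows the real DNS server as its server-side address with no translation, whereas a flow still hitting the LB virtual server shows the pool member selected by the LTM.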


2 Replies


Hi

I have exactly this problem and have followed the guide >> https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159


Did you ever fix the problem, and how?

I am not 100% on what I am missing