Forum Discussion
CirrusCisco ISE Load Balancing
CumulonimbusHI,
From previous experiance BIG-IP really doesn't like having the MGMT interface and the TMM interfaces on the same subnet. So this may be your first issue.
It's also worth checking the self-ip protection settings to make sure you are allowing the traffic in to that interface.
Radius is UDP, so stateful firewalling wont be able to expect the traffic to be coming back in.
Also check your mgmt routing and the TMM routing.
The mgmt routing info can be found here: https://my.f5.com/manage/s/article/K15040 https://my.f5.com/manage/s/article/K13284
What you may need to do is put a specific route on the Config utility to force the traffic to the ISE interface, this is independant to the management interface routing.
Can you get comms from the 10. network to the 192. network?
ShripatyYes the communication is proper , I created a default route towards the exiting vlan for VIP , the traffic was leaving but what I found since ISE and Switch lies in the same segment , its difficult to implement the configuration , also in case of Radius vip the COA assigned by ISE for authentication needs to be passed to the switch so somehow there should be a direct communication from Source to Pool member. I am just wondering if Auto Last Hop affects the traffic here , since its a VM with single interface enabled , the traffic exiting from f5 towards ISE never makes back to f5.
- Shripaty
I did added a default route to existing vlan of f5 vip. The monitoring traffic works fine but when the auth traffic is routed via the vip no replies are seen from ISE for that traffic.
Still trying to experiment the best practice for ISE load balancing traffic. Is there a way we can deploy COA for no Automap , SNAT is the only best practice to be used till date.
