Forum Discussion

Shripaty's avatar
Shripaty
Icon for Cirrus rankCirrus
Oct 06, 2023

Cisco ISE Load Balancing

Hi , I am trying to load balance Auth and Accounting traffic from Cisco ISE. But I have my f5 implemented as f5 VE with a single interface dedicated for traffic and another for Mgmt. The issue is tha...
application delivery
cisco ise
security
PSFletchTheTek's avatar
PSFletchTheTek
Icon for MVP rankMVP

HI, 

From previous experiance BIG-IP really doesn't like having the MGMT interface and the TMM interfaces on the same subnet. So this may be your first issue.
It's also worth checking the self-ip protection settings to make sure you are allowing the traffic in to that interface.
Radius is UDP, so stateful firewalling wont be able to expect the traffic to be coming back in.

Also check your mgmt routing and the TMM routing.
The mgmt routing info can be found here: https://my.f5.com/manage/s/article/K15040 https://my.f5.com/manage/s/article/K13284 

What you may need to do is put a specific route on the Config utility to force the traffic to the ISE interface, this is independant to the management interface routing.
Can you get comms from the 10. network to the 192. network?

 

Shripaty's avatar
Shripaty
Icon for Cirrus rankCirrus
Feb 13, 2024

Yes the communication is proper , I created a default route towards the exiting vlan for VIP , the traffic was leaving but what I found since ISE and Switch lies in the same segment , its difficult to implement the configuration , also in case of Radius vip the COA assigned by ISE for authentication needs to be passed to the switch so somehow there should be a direct communication from Source to Pool member. I am just wondering if Auto Last Hop affects the traffic here , since its a VM with single interface enabled , the traffic exiting from f5 towards ISE never makes back to f5.