Forum Discussion

Shripaty's avatar
Shripaty
Icon for Cirrus rankCirrus
Oct 06, 2023

Cisco ISE Load Balancing

Hi , I am trying to load balance Auth and Accounting traffic from Cisco ISE. But I have my f5 implemented as f5 VE with a single interface dedicated for traffic and another for Mgmt. The issue is tha...
application delivery
cisco ise
security
PSFletchTheTek's avatar
PSFletchTheTek
Icon for MVP rankMVP

HI, 

From previous experiance BIG-IP really doesn't like having the MGMT interface and the TMM interfaces on the same subnet. So this may be your first issue.
It's also worth checking the self-ip protection settings to make sure you are allowing the traffic in to that interface.
Radius is UDP, so stateful firewalling wont be able to expect the traffic to be coming back in.

Also check your mgmt routing and the TMM routing.
The mgmt routing info can be found here: https://my.f5.com/manage/s/article/K15040 https://my.f5.com/manage/s/article/K13284 

What you may need to do is put a specific route on the Config utility to force the traffic to the ISE interface, this is independant to the management interface routing.
Can you get comms from the 10. network to the 192. network?

 

Shripaty's avatar
Shripaty
Icon for Cirrus rankCirrus
Feb 13, 2024

I did added a default route to existing vlan of f5 vip. The monitoring traffic works fine but when the auth traffic is routed via the vip no replies are seen from ISE for that traffic.

Still trying to experiment the best practice for ISE load balancing traffic. Is there a way we can deploy COA for no Automap , SNAT is the only best practice to be used till date.