Forum Discussion

Shripaty
Oct 06, 2023

Cisco ISE Load Balancing

Hi, I am trying to load balance Auth and Accounting traffic from Cisco ISE. But my F5 is implemented as an F5 VE with a single interface dedicated to traffic and another for Mgmt. The issue is that my F5 Management IP lies in the same segment as Cisco ISE; even though I have declared the Cisco ISE nodes as the pool members, I am not able to get the return traffic back from ISE. I can see the traffic leaving the F5 on interface 1.1, but I never see a reply from Cisco ISE. To resolve this issue, I tried a 443 VIP for the same ISE nodes and was able to see the VIP working for HTTPS traffic once I added a SNAT.

But after reading so many documents and recommendations, I used SNAT for the RADIUS VIP too. Even then, I am still waiting for a reply packet from Cisco ISE.

Any help to complete this installation would be appreciated.

Mgmt IP of Box: 10.1.1.100 and 10.1.1.101

Cisco ISE Nodes: 10.1.1.50 and 10.1.1.51 -> they are using the same VLAN

Also the client Cisco switch is in the same VLAN as Mgmt.

The mgmt IP of the BIG-IP is 10.1.1.100 and Cisco ISE is 10.1.1.50 and 10.1.1.51, and both lie in the same segment, which has been tagged to my BIG-IP VE. I am using a separate segment for the VIP, which is 192.168.36.0/24; it is routed on a separate VLAN and tagged to the same pair of VEs. Now I tested this deployment where everything is reachable via ICMP, and I am still not getting a reply packet from the ISE servers:

Case 1: when SNAT is enabled -> HTTPS traffic works but RADIUS doesn't

Case 2: when SNAT is disabled, none of the traffic even leaves the box.

I have added the Self IP and floating IP as well as the Mgmt IP as allowed devices on Cisco ISE to allow the monitoring. So I am good with the RADIUS monitors for the same pair.

It is the client traffic entering the LB that is not getting a reply.

7 Replies

  • Hi,

    From previous experience, BIG-IP really doesn't like having the MGMT interface and the TMM interfaces on the same subnet. So this may be your first issue.
    It's also worth checking the self-IP protection settings to make sure you are allowing the traffic in on that interface.
    RADIUS is UDP, so stateful firewalling won't be able to expect the traffic to be coming back in.

    Also check your mgmt routing and the TMM routing.
    The mgmt routing info can be found here: https://my.f5.com/manage/s/article/K15040 https://my.f5.com/manage/s/article/K13284 

    What you may need to do is put a specific route in the Configuration utility to force the traffic to the ISE interface; this is independent of the management interface routing.
    Can you get comms from the 10. network to the 192. network?

    • Shripaty

      I did add a default route to the existing VLAN of the F5 VIP. The monitoring traffic works fine, but when the auth traffic is routed via the VIP, no replies are seen from ISE for that traffic.

      Still trying to work out the best practice for ISE load-balancing traffic. Is there a way we can deploy CoA with no Automap? SNAT is the only best practice in use to date.

    • Shripaty

      Yes, the communication is proper. I created a default route towards the existing VLAN for the VIP; the traffic was leaving, but what I found is that since ISE and the switch lie in the same segment, it is difficult to implement the configuration. Also, in the case of the RADIUS VIP, the CoA assigned by ISE for authentication needs to be passed to the switch, so somehow there should be direct communication from the source to the pool member. I am just wondering if Auto Last Hop affects the traffic here, since it is a VM with a single interface enabled; the traffic exiting from the F5 towards ISE never makes it back to the F5.

  • Shripaty,

    There is a very good Cisco ISE load-balancing step-by-step guide available on the Cisco site; not sure if you have come across it or not. I would highly recommend you go through it if you have not used it before.

    Excellent reference document that must be used for Cisco ISE load balancing using F5:

    https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

    Although the ISE version in the guide above is way too old, maybe 1.x, and you are on 3.x as of now, it's worth checking.

    HTH

    🙏🙏

    • Shripaty

      Hi,

      Thanks for the document. I did check out those documents, but my implementation is a logical inline one where the F5 wants to act as a full proxy, and since the RADIUS VIP should not have any SNAT, the traffic moving to ISE from the client is not even reaching back to the F5, resulting in a drop as per the proxy rules.

  • Shripaty, I believe what is happening is that the traffic most likely wants to leave the F5 management interface because it's in the same directly connected subnet as the Cisco ISE. I'm almost certain that the ISEs will have to exist in a different subnet that is not directly connected to the management interface on the F5s.

    • Shripaty

      Hi, I believed the same, but what I found was that when I add an HTTPS VIP using the same ISE pool members and add a SNAT, traffic works fine without any interruption. But when I add a SNAT to the RADIUS VIP, I am not even getting a reject back from ISE. So what I feel is that ISE is not even replying back to the F5, as the F5 is not the default gateway for ISE.
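As an added example (not from the thread, and not F5's or Cisco's own configuration), here is a minimal tmsh configuration for the RADIUS authentication and accounting VIPs discussed above, followed by the capture a practitioner would run to settle the question of whether ISE's reply ever reaches the BIG-IP. The ISE node addresses (10.1.1.50/51) and the VIP subnet (192.168.36.0/24) come from the original post; the VLAN name vlan_ise, the self IP and floating IP addresses, the VIP address 192.168.36.10, the monitor credentials, the shared secret and the persistence choice are assumptions. The example keeps the self IPs on the ISE VLAN that is tagged to the VE, which, as the first reply warns, still overlaps the management subnet; that issue is not fixed here, and CoA handling is not covered.

```tmsh
# Added example: single-arm BIG-IP VE load balancing RADIUS to Cisco ISE.
# Assumed names/addresses: vlan_ise, 10.1.1.102/103 (self/floating),
# 192.168.36.10 (VIP), f5probe credentials, SharedSecretHere.

# 1. Self IPs on the ISE-facing VLAN (assumed to be tagged on interface 1.1).
#    allow-service default keeps the RADIUS health monitor and ARP/ICMP
#    working; allow-service none here silently breaks the monitors.
create net self self_ise address 10.1.1.102/24 vlan vlan_ise allow-service default
create net self float_ise address 10.1.1.103/24 vlan vlan_ise traffic-group traffic-group-1 allow-service default

# 2. RADIUS health monitor. The shared secret must match the network-device
#    entry on ISE for the self and floating IPs, as the original poster did.
create ltm monitor radius mon_ise_radius { username f5probe password f5probe secret SharedSecretHere interval 5 timeout 16 }

# 3. One pool each for authentication (1812) and accounting (1813).
create ltm pool pool_ise_auth { members { 10.1.1.50:1812 10.1.1.51:1812 } monitor mon_ise_radius }
create ltm pool pool_ise_acct { members { 10.1.1.50:1813 10.1.1.51:1813 } monitor mon_ise_radius }

# 4. Persistence on the NAS (switch) address so auth and accounting from the
#    same switch land on the same ISE node. Assumed simplification; Cisco's
#    guide uses attribute-based persistence instead.
create ltm persistence source-addr persist_ise_nas { match-across-services enabled match-across-virtuals enabled timeout 3600 }

# 5. UDP virtual servers. source-address-translation automap makes ISE
#    answer to the floating self IP on vlan_ise, which is the only path on
#    which a single-arm VE that is not ISE's default gateway sees the reply.
create ltm virtual vs_ise_auth { destination 192.168.36.10:1812 ip-protocol udp profiles { udp { } } pool pool_ise_auth source-address-translation { type automap } persist { persist_ise_nas { default yes } } }
create ltm virtual vs_ise_acct { destination 192.168.36.10:1813 ip-protocol udp profiles { udp { } } pool pool_ise_acct source-address-translation { type automap } persist { persist_ise_nas { default yes } } }

save sys config

# 6. Verification, run from the BIG-IP bash shell rather than tmsh: the
#    request must leave from 10.1.1.103 and a reply must come back from
#    10.1.1.50 or .51 addressed to 10.1.1.103.
#    tcpdump -nni vlan_ise udp port 1812 or udp port 1813
```

The capture in step 6 is what distinguishes the two failure modes in this thread. If the request leaves from the floating IP and nothing returns, the BIG-IP side is doing its job and the drop is on ISE: a RADIUS server silently discards a request from a source it does not have a shared secret for (RFC 2865), which is why no Access-Reject is seen either. If the request leaves from some other address, SNAT is not being applied on that virtual server.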