Forum Discussion
Load Balance Cisco ISE servers
Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-Address... Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but am using F5 LTMs. Assuming this has to be done with an iRule as none of these are available by default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason. If anyone has any examples or knowledge of how to do this, it would be appreciated. I can send the Cisco document via e-mail if that helps. I just am not able to attach it to this forum???
57 Replies
- _pre_
Nimbostratus
A few things we learned with our ISE installation:
- Disable datagram LB: see http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3605.html
- Use one single VS listening on all ports. Having 2 separate VS with UIE persist across services/vs/pool does not persist 100% of the time.
- F5 drops UDP packets. If you see failure code "12953 - Received EAP packet from the middle of conversation ..." most likely this is caused by F5 dropping packets. We see this issue happen with 6000+ users. A testing environment with 1000 users does not inherit this issue. 11.5 is the worst offender while 11.3 is somewhat better. We have up to 25% failure rates with 11.5 and only 5% with 11.3.
- Daniel_Tavernie
Cirrostratus
- If you must support MSCHAP (challenge-response) authentication, things get messy.
- Apparently Datagram LB assumes a single request/response, so additional responses may get dropped or grabbed by a wildcard forwarding virtual server and incorrectly routed (with the RADIUS server as source IP).
- If you disable Datagram LB then persistence is based on the UDP "connection" and not each individual RADIUS packet.
It appears that you can get around this issue by setting the UDP profile's idle timeout to "Immediate" and then setting up one or more outbound forwarding virtual servers configured to SNAT using the RADIUS virtual server's IP.
Does anyone have experience with this?
- JackF
Employee
*** There is now a Deployment Guide available co-authored by Cisco/F5 here -> ***
- brad_11480
Nimbostratus
Has anyone (Cisco, F5, user) turned this into an iApp?? Seems there are LOTS of clients of Cisco & F5 who are struggling with this same issue of getting ISE to work correctly behind F5 load balancer.
Anything since this posting on the deployment guide? We have been following this (outdated?) guide to update our ISE services on the F5 but to no success.
It is not persisting sessions correctly for accounting and authentication.
Questions such as the setting for Datagram LB: should it be disabled (we think it should)?
- Wallace1
Nimbostratus
I have the Cisco ISE deployment guide and followed it to a tee. But what I am seeing is that only half the devices connecting will log the RADIUS AVP 31, which is the Calling-Station-ID or MAC address, and this causes the other half to persist with the IP address, which is not working. Anyone ever see this behavior before? I am on 11.5.4.
Thanks,
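The original question asks for an example of keying persistence on Calling-Station-ID and Framed-IP-Address, and the last post describes what happens when attribute 31 is missing from some requests and those endpoints fall through to IP-based persistence. The block below is an added example, written for this thread; it is not iRule code and not Cisco's or F5's deployment guide. It parses a RADIUS datagram, derives the persistence key in the order the thread describes (attribute 31, then attribute 8, then the NAS source address), and maps that key to a PSN deterministically, so an Access-Request and the matching Accounting-Request land on the same node. The PSN names, the NAS address and all packets are constructed for the example. It also goes one step beyond the posts: it folds the different MAC spellings NAS vendors send (00-11-22-33-44-55, 0011.2233.4455, 00:11:22:33:44:55) into one key, since a key that differs by punctuation would otherwise persist to a different node.

```python
import hashlib
import ipaddress
import struct

# RADIUS codes and attribute numbers from RFC 2865 / RFC 2866.
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44

# Header: code (1), identifier (1), length (2), authenticator (16).
RADIUS_HEADER = struct.Struct("!BBH16s")

# Hypothetical PSN pool members (assumed names, not from the thread).
PSNS = ["ise-psn-01", "ise-psn-02", "ise-psn-03"]


def parse_radius(packet: bytes) -> tuple[int, dict[int, bytes]]:
    """Return (code, {attribute: first value}); raise ValueError on a malformed datagram."""
    if len(packet) < RADIUS_HEADER.size:
        raise ValueError("datagram shorter than the RADIUS header")
    code, _ident, length, _auth = RADIUS_HEADER.unpack_from(packet)
    if length < RADIUS_HEADER.size or length > len(packet):
        raise ValueError("RADIUS length field does not fit the datagram")
    attrs: dict[int, bytes] = {}
    pos = RADIUS_HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep the first occurrence
        pos += alen
    return code, attrs


def is_well_formed(packet: bytes) -> bool:
    """True if the datagram parses; a load balancer should not key on a packet that does not."""
    try:
        parse_radius(packet)
        return True
    except ValueError:
        return False


def normalize_mac(value: str) -> str:
    """Fold 00-11-22-33-44-55, 0011.2233.4455 and 00:11:22:33:44:55 to one spelling."""
    hexchars = "".join(c for c in value.lower() if c in "0123456789abcdef")
    if len(hexchars) != 12:
        return value.strip().lower()  # not a MAC (e.g. a phone number); keep as sent
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2))


def persistence_key(packet: bytes, nas_source_ip: str) -> tuple[str, str]:
    """Prefer Calling-Station-Id (31), then Framed-IP-Address (8), then the NAS source IP."""
    _code, attrs = parse_radius(packet)
    if ATTR_CALLING_STATION_ID in attrs:
        raw = attrs[ATTR_CALLING_STATION_ID].decode("ascii", "replace")
        return "calling-station-id", normalize_mac(raw)
    framed = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if framed is not None and len(framed) == 4:
        return "framed-ip", str(ipaddress.IPv4Address(framed))
    return "nas-source-ip", nas_source_ip


def select_psn(key: tuple[str, str], servers: list[str] = PSNS) -> str:
    """Map a key to a PSN deterministically, so auth and accounting for one endpoint agree."""
    digest = hashlib.sha256(f"{key[0]}={key[1]}".encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def build_packet(code: int, ident: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Assemble a RADIUS datagram with a zero authenticator (only the layout matters here)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return RADIUS_HEADER.pack(code, ident, RADIUS_HEADER.size + len(body), b"\x00" * 16) + body


NAS_IP = "10.1.1.5"  # constructed NAS address
# Constructed datagrams: an Access-Request and an Accounting-Request for the same endpoint,
# spelling the MAC differently, plus requests that carry no attribute 31 at all.
SAMPLE_AUTH = build_packet(ACCESS_REQUEST, 7, [
    (ATTR_USER_NAME, b"host/laptop01"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(NAS_IP).packed),
    (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
])
SAMPLE_ACCT = build_packet(ACCOUNTING_REQUEST, 8, [
    (ATTR_ACCT_SESSION_ID, b"0A0B0C0D"),
    (ATTR_CALLING_STATION_ID, b"0011.2233.4455"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
])
SAMPLE_NO_MAC = build_packet(ACCESS_REQUEST, 9, [
    (ATTR_USER_NAME, b"printer-3f"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.41").packed),
])
SAMPLE_BARE = build_packet(ACCESS_REQUEST, 10, [(ATTR_USER_NAME, b"guest")])

if __name__ == "__main__":
    for name, pkt in [("auth", SAMPLE_AUTH), ("acct", SAMPLE_ACCT),
                      ("no-mac", SAMPLE_NO_MAC), ("bare", SAMPLE_BARE)]:
        key = persistence_key(pkt, NAS_IP)
        print(f"{name:7s} key={key[0]}:{key[1]:<20s} -> {select_psn(key)}")
```

Running it shows the auth and acct datagrams resolving to the same key and the same PSN despite the different MAC spelling, the printer falling back to its Framed-IP-Address, and the bare request falling back to the NAS source address. That last fallback is the behaviour the previous post complains about: every endpoint behind a NAS that omits attribute 31 shares one key, so they all pin to one node and cannot be balanced. On a BIG-IP the same decision is made with a RADIUS profile and a universal (UIE) persistence iRule rather than this Python, and the thread's warning about datagram LB still applies: with datagram LB disabled the key is only consulted once per UDP "connection", not per packet.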