Forum Discussion
Radius configuration
Hi
I need to load balance 5 RADIUS servers through the F5. I set up the VIP, but for some reason it's not working. This is my virtual server...
ltm virtual vs_cisco_ise {
    destination 10.211.184.108:any
    ip-protocol udp
    mask 255.255.255.255
    partition BRC
    persist {
        Raduis_Persistence {
            default yes
        }
    }
    pool pool_cisco_ise
    profiles {
        /Common/udp { }
    }
    snat automap
    vlans-disabled
}
ltm pool pool_cisco_ise {
    members {
        10.20.77.149:any {
            address 10.20.77.149
            session monitor-enabled
            state up
        }
        10.20.77.150:any {
            address 10.20.77.150
            session user-disabled
            state up
        }
        10.20.77.151:any {
            address 10.20.77.151
            session user-disabled
            state up
        }
        10.20.77.152:any {
            address 10.20.77.152
            session user-disabled
            state up
        }
        10.20.77.153:any {
            address 10.20.77.153
            session user-disabled
            state up
        }
    }
    monitor /Common/gateway_icmp
    partition BRC
}
ltm persistence hash Raduis_Persistence {
    app-service none
    defaults-from /Common/hash
    hash-algorithm default
    hash-buffer-limit 0
    hash-end-pattern none
    hash-length 0
    hash-offset 0
    hash-start-pattern none
    match-across-pools disabled
    match-across-services disabled
    match-across-virtuals disabled
    mirror disabled
    override-connection-limit disabled
    rule none
    timeout 180
}
8 Replies
- What_Lies_Bene1
Cirrostratus
Angelo, can you be more specific about what doesn't work, what version you're using, and any diagnostics and tests you've performed so far, please?
- Angelo
Nimbostratus
Hi
The problem is that I can see the traffic coming into the F5, but I cannot see the traffic coming back to my RADIUS server. Not sure if my config is correct...
- What_Lies_Bene1
Cirrostratus
Sorry, did you mean coming back from? Have you done a tcpdump? Is there a route on the RADIUS servers back to the SNAT address?
- Angelo
Nimbostratus
It's traffic back from the F5 to the RADIUS server. There is also a site running on the server, and I can get to the site, but the RADIUS side of the config keeps failing...
- What_Lies_Bene1
Cirrostratus
OK. By site I assume you mean website? That would use a different Virtual Server and perhaps SNAT? Regardless, I assume you are saying that proves the routing to the server from the F5 is good, yes?
If so, it's time to do some tcpdumps I'd say. Can you do a tcpdump on the 'external' VLAN that the traffic enters the device through and then another on the 'internal' VLAN that the traffic should leave the device through? Actually, do it on both like so: tcpdump -i all -nn -v -X -s0 port 1812 and see what's what. If you'd rather save it to a file and use Wireshark for analysis, use this to create a file you can pull off the device: tcpdump -i all -nn -w /tmp/radiuscapture -v -s0 port 1812
- Angelo
Nimbostratus
This is what I'm getting from the tcpdump, and my VIP is 10.211.184.108:
13:54:58.695792 IP (tos 0x0, ttl 64, id 6851, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.35435 > 10.20.77.152.1812: [|radius] out slot1/tmm0 lis=
0x0000: 00b8 0800 4500 002f 1ac3 4000 4011 057a ....E../..@.@..z
0x0010: 0ad3 b802 0a14 4d98 8a6b 0714 001b 5845 ......M..k....XE
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0000 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:54:59.600202 IP (tos 0x0, ttl 64, id 6851, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.37842 > 10.20.77.150.1812: [|radius] out slot1/tmm2 lis=
0x0000: 00b8 0800 4500 002f 1ac3 4000 4011 057c ....E../..@.@..|
0x0010: 0ad3 b802 0a14 4d96 93d2 0714 001b 4ee0 ......M.......N.
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0200 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:00.607677 IP (tos 0x0, ttl 64, id 6851, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.47057 > 10.20.77.149.1812: [|radius] out slot1/tmm1 lis=
0x0000: 00b8 0800 4500 002f 1ac3 4000 4011 057d ....E../..@.@..}
0x0010: 0ad3 b802 0a14 4d95 b7d1 0714 001b 2ae2 ......M.......*.
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0100 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:01.910926 IP (tos 0x0, ttl 64, id 39729, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.32587 > 10.20.77.151.1812: [|radius] out slot1/tmm0 lis=
0x0000: 00b8 0800 4500 002f 9b31 4000 4011 850c ....E../.1@.@...
0x0010: 0ad3 b802 0a14 4d97 7f4b 0714 001b 6366 ......M..K....cf
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0000 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:02.716445 IP (tos 0x0, ttl 64, id 6852, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.20778 > 10.20.77.153.1812: [|radius] out slot1/tmm1 lis=
0x0000: 00b8 0800 4500 002f 1ac4 4000 4011 0578 ....E../..@.@..x
0x0010: 0ad3 b802 0a14 4d99 512a 0714 001b 9185 ......M.Q*......
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0100 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:03.719561 IP (tos 0x0, ttl 64, id 6852, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.35435 > 10.20.77.152.1812: [|radius] out slot1/tmm0 lis=
0x0000: 00b8 0800 4500 002f 1ac4 4000 4011 0579 ....E../..@.@..y
0x0010: 0ad3 b802 0a14 4d98 8a6b 0714 001b 5845 ......M..k....XE
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0000 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:04.622545 IP (tos 0x0, ttl 64, id 6852, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.37842 > 10.20.77.150.1812: [|radius] out slot1/tmm2 lis=
0x0000: 00b8 0800 4500 002f 1ac4 4000 4011 057b ....E../..@.@..{
0x0010: 0ad3 b802 0a14 4d96 93d2 0714 001b 4ee0 ......M.......N.
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0200 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:05.629497 IP (tos 0x0, ttl 64, id 6852, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.47057 > 10.20.77.149.1812: [|radius] out slot1/tmm1 lis=
0x0000: 00b8 0800 4500 002f 1ac4 4000 4011 057c ....E../..@.@..|
0x0010: 0ad3 b802 0a14 4d95 b7d1 0714 001b 2ae2 ......M.......*.
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0100 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:06.944141 IP (tos 0x0, ttl 64, id 44763, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.41335 > 10.20.77.151.1812: [|radius] out slot1/tmm3 lis=
0x0000: 00b8 0800 4500 002f aedb 4000 4011 7162 ....E../..@.@.qb
0x0010: 0ad3 b802 0a14 4d97 a177 0714 001b 413a ......M..w....A:
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0300 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:07.655453 IP (tos 0x0, ttl 64, id 6853, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.20778 > 10.20.77.153.1812: [|radius] out slot1/tmm1 lis=
0x0000: 00b8 0800 4500 002f 1ac5 4000 4011 0577 ....E../..@.@..w
0x0010: 0ad3 b802 0a14 4d99 512a 0714 001b 9185 ......M.Q*......
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0100 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:08.662119 IP (tos 0x0, ttl 64, id 6853, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.35435 > 10.20.77.152.1812: [|radius] out slot1/tmm0 lis=
0x0000: 00b8 0800 4500 002f 1ac5 4000 4011 0578 ....E../..@.@..x
0x0010: 0ad3 b802 0a14 4d98 8a6b 0714 001b 5845 ......M..k....XE
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0000 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
13:55:09.564049 IP (tos 0x0, ttl 64, id 6853, offset 0, flags [DF], proto: UDP (17), length: 47) 10.211.184.2.37842 > 10.20.77.150.1812: [|radius] out slot1/tmm2 lis=
0x0000: 00b8 0800 4500 002f 1ac5 4000 4011 057a ....E../..@.@..z
0x0010: 0ad3 b802 0a14 4d96 93d2 0714 001b 4ee0 ......M.......N.
0x0020: 6465 6661 756c 7420 7365 6e64 2073 7472 default.send.str
0x0030: 696e 6701 1400 0000 0200 0000 0000 0000 ing.............
0x0040: 0000 0000 0000 0000 00 .........
- What_Lies_Bene1
Cirrostratus
OK, this output would suggest the traffic is indeed leaving the BIG-IP and heading towards the Pool Members, just nothing is coming back.
I take it the 10.211.184.2 address is the device's Self IP and what's being used for SNAT. This address isn't on the same VLAN/subnet as the real servers so there must be some L3 routing involved here. That being the case I'd suggest you check any devices involved in routing the traffic each way (particularly back towards the F5). The route back to the SNAT address must go via the BIG-IP. Please also check the server's routing tables/configuration - this is the most likely location of the issue.
Either way, it's not the BIG-IP that's at fault here.
- Josh_Abaire
Nimbostratus
First, I assume the servers work by themselves, right? If so, you could isolate the pool from the virtual by configuring the specific port and adding a RADIUS monitor with a username and password. This will test connectivity from the self IP to the servers. If the servers are UP and still failing through the VIP, then you have likely isolated the problem to the virtual. Test basic connectivity without the persistence to eliminate that. Use tcpdump constantly to understand what traffic is flowing where until the problem is found.
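The capture Angelo posted above can be decoded programmatically to confirm what the BIG-IP is actually sending, which is the kind of check the replies above are asking for. The following is an added example, not code from the thread or from F5: it parses the first frame's tcpdump -X hex exactly as posted (skipping the 4 bytes that precede the IPv4 header in that capture), checks whether the UDP payload is RFC 2865 RADIUS framing, and, for contrast, builds the minimal Access-Request a RADIUS health monitor of the kind Josh suggests would send. The username, password, shared secret and all-zero authenticator are constructed sample values.

```python
import hashlib
import struct
# Frame 1 of the capture posted above (hex columns of tcpdump -X, offsets and
# ASCII gutter dropped). The 4 bytes before the IPv4 header (0x45...) are a
# capture prefix, so parse_frame() skips them.
FRAME_HEX = (
    "00b8 0800 4500 002f 1ac3 4000 4011 057a 0ad3 b802 0a14 4d98 8a6b 0714 "
    "001b 5845 6465 6661 756c 7420 7365 6e64 2073 7472 696e 6701 1400 0000 "
    "0000 0000 0000 0000 0000 0000 0000 0000 00"
)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge"}

def parse_frame(hex_text, prefix_len=4):
    """Decode the IPv4 and UDP headers; the payload is cut at the UDP Length
    so trailing capture bytes are not mistaken for RADIUS data."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))[prefix_len:]
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17:
        raise ValueError("not a UDP datagram")
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    return {"src": ".".join(map(str, raw[12:16])),
            "dst": ".".join(map(str, raw[16:20])),
            "sport": sport, "dport": dport,
            "payload": raw[ihl + 8:ihl + ulen]}

def classify_radius(payload):
    """RFC 2865 header: Code(1) Identifier(1) Length(2) Authenticator(16)."""
    if len(payload) < 20:
        return "not RADIUS: %d-byte payload %r" % (len(payload), payload)
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in RADIUS_CODES:
        return "not RADIUS: unknown code %d" % code
    if length != len(payload) or length > 4096:
        return "%s with bad Length %d" % (RADIUS_CODES[code], length)
    return "%s id=%d len=%d" % (RADIUS_CODES[code], ident, length)

def build_access_request(ident, username, password, secret, authenticator):
    """Minimal Access-Request (User-Name + User-Password) as a RADIUS health
    monitor would send; password hidden per RFC 2865 5.2 (MD5 xor chain)."""
    padded = password + b"\0" * (-len(password) % 16)
    enc, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        enc += prev
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(enc)]) + enc
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
```

Running parse_frame on the posted frame shows a 19-byte UDP payload that reads "default send string", which is too short to be a RADIUS packet at all; the same check on a packet from build_access_request reports well-formed Access-Request framing.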