Cisco ISE Load Balancing

Shripaty
Nimbostratus

Hi, I am trying to load balance auth and accounting traffic from Cisco ISE, but my F5 is implemented as an F5 VE with a single interface dedicated to traffic and another for Mgmt. The issue is that my F5 Management IP lies in the same segment as Cisco ISE; even though I have declared the Cisco ISE nodes as pool members, I am not able to get the return traffic back from ISE. I can see the traffic leaving the F5 on interface 1.1, but I never see a reply from Cisco ISE. To resolve this issue, I tried a 443 VIP for the same ISE nodes, and I was able to see the VIP working for HTTPS traffic once I added a SNAT.

But after reading so many documents and recommendations, I used SNAT for the same RADIUS VIP too. Even then, I am still waiting for a reply packet from Cisco ISE.

Any help to complete this installation?

Mgmt IP of box: 10.1.1.100 and 10.1.1.101

Cisco ISE nodes: 10.1.1.50 and 10.1.1.51 -- they are using the same VLAN

Also, the client Cisco switch lies in the same VLAN as Mgmt.

The Mgmt IP of the BIG-IP is 10.1.1.100 and Cisco ISE is 10.1.1.50 and 10.1.1.51, and both lie in the same segment, which has been tagged to my BIG-IP VE. I am using a separate segment for the VIP, which is 192.168.36.0/24, routed on a separate VLAN and tagged to the same pair of VEs. Now I tested this deployment where everything is reachable via ICMP, and I am still not getting a reply packet from the ISE servers.

Case 1: when SNAT is enabled --> HTTPS traffic works but RADIUS doesn't

Case 2: when SNAT is disabled, none of the traffic even leaves the box.

I have added the self IP and floating IP, as well as the Mgmt IP, as allowed devices on Cisco ISE to allow the monitoring, so I am fine with the RADIUS monitors for the same pair.

It's the client traffic entering the LB that is not getting a reply.

5 Replies

Paulius
MVP

@Shripaty I believe what is happening is traffic is most likely wanting to leave the F5 management interface because it's in the same directly connected subnet as the Cisco ISE. I'm almost certain that the ISEs will have to exist in a different subnet that is not directly connected to the management interface on the F5s.

Hi, I believed the same, but what I found was that when I add an HTTPS VIP using the same ISE pool members and add a SNAT, traffic works fine without any interruption. But when I add a SNAT to the RADIUS VIP, I am not even getting a reject back from ISE. So what I feel is that ISE is not even replying to the F5, as the F5 is not the default gateway for ISE.

@Shripaty,

There is a very good Cisco ISE load balancing step-by-step guide available on the Cisco site; not sure if you have come across it or not, but I would highly recommend you go through it if you have not used it before.

Excellent reference document, must be used for Cisco ISE load balancing using F5:

https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load...

Although the ISE version in the above is way too old, maybe 1.x, and you are on 3.x as of now, it's worth checking.


HTH

🙏🙏


Hi,


Thanks for the document. I did check out those documents, but my implementation is a logical inline one where the F5 wants to act as a full proxy, and since the RADIUS VIP should not have any SNAT, the traffic moving from the client to ISE is not even reaching back to the F5, resulting in a drop as per the proxy rules.

Hi,

From previous experience, BIG-IP really doesn't like having the MGMT interface and the TMM interfaces on the same subnet, so this may be your first issue.
It's also worth checking the self-IP protection settings to make sure you are allowing the traffic in on that interface.
RADIUS is UDP, so stateful firewalling won't be able to expect the traffic to be coming back in.

Also check your mgmt routing and the TMM routing.
The mgmt routing info can be found here: https://my.f5.com/manage/s/article/K15040 https://my.f5.com/manage/s/article/K13284

What you may need to do is put a specific route in the Configuration utility to force the traffic to the ISE interface; this is independent of the management interface routing.
Can you get comms from the 10. network to the 192. network?
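Two things in the thread above are worth separating when no packet at all comes back from a RADIUS server: the routing question the replies focus on (UDP, asymmetric return paths, management vs TMM routing), and the protocol's own silent-discard rules. RFC 2865 has a server ignore requests from a source address that is not a registered client, and RFC 3579 has it silently discard a request whose Message-Authenticator does not verify under that client's shared secret; only a registered client with the matching secret ever receives an Access-Reject. With a SNAT on the VIP, the address the server sees is the SNAT address, so it must be registered with the same secret. The following is an added example, not code from the thread, from F5 or from Cisco: a small RFC 2865/3579 implementation where a stand-in server (not ISE) answers or stays silent depending on source address, secret and password. All addresses (the switch at 10.1.1.10, an F5 floating address at 10.1.1.102, an unregistered SNAT address at 10.1.1.200), secrets and credentials are constructed.

```python
"""RFC 2865 / RFC 3579 RADIUS exchange: which failures earn an Access-Reject and which earn silence.
Added example for this thread; not BIG-IP, ISE or other vendor code. Every address, secret and
credential is constructed, and the "server" below is a minimal stand-in for a RADIUS server, not ISE."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def _avp(atype, value):
    """Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_avps(data):
    """Walk the attribute list; refuse bad lengths instead of looping or over-reading."""
    avps, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 2 <= len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((data[i], data[i + 2:i + alen]))
        i += alen
    return avps

def _xor_password(data, secret, authenticator, decrypt):
    """RFC 2865 s5.2: per 16-byte block the keystream is MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (block if decrypt else mixed)
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_password(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden, secret, authenticator):
    return _xor_password(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """NAS side: User-Name, hidden User-Password, NAS-IP-Address, plus a Message-Authenticator
    (RFC 3579: HMAC-MD5 over the whole packet with that attribute's value zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_avp(ATTR_USER_NAME, username)
             + _avp(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _avp(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + _avp(ATTR_MESSAGE_AUTHENTICATOR, mac)

def handle_request(packet, src_ip, clients, users):
    """Server side. Returns the response, or None where the RFCs say "silently discard": an unregistered
    source address (RFC 2865 s2) or a Message-Authenticator that fails under that client's secret
    (RFC 3579 s3.2). Only a registered client with the matching secret ever sees an Access-Reject."""
    secret = clients.get(src_ip)
    if secret is None or len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    req_auth, avps = packet[4:20], parse_avps(packet[20:])
    zeroed = b"".join(_avp(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in avps)
    attrs = dict(avps)
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(attrs.get(ATTR_MESSAGE_AUTHENTICATOR, b""), expected):
        return None  # wrong secret, tampered packet, or no Message-Authenticator (this stand-in requires one)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this stand-in
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, request_authenticator, secret):
    """NAS side: a reply validates only under the right secret and its own request's authenticator."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

def demo():
    """Constructed scenario: switch NAS and F5 floating self IP registered on the server with the same
    secret, one SNAT address that is not registered, and one NAS holding the wrong secret."""
    secret, auth = b"constructed-shared-secret", bytes(range(16))  # fixed authenticator: reproducible run
    clients = {"10.1.1.10": secret, "10.1.1.102": secret}  # constructed switch and F5 floating addresses
    users = {b"alice": b"correct horse"}
    good = build_access_request(7, secret, b"alice", b"correct horse", "10.1.1.10", auth)
    bad_secret = build_access_request(8, b"not-the-same-secret", b"alice", b"correct horse", "10.1.1.10", auth)
    bad_pw = build_access_request(9, secret, b"alice", b"nope", "10.1.1.10", auth)
    return {
        "secret": secret, "request_authenticator": auth,
        "known_nas": handle_request(good, "10.1.1.10", clients, users),            # Access-Accept
        "registered_snat": handle_request(good, "10.1.1.102", clients, users),     # Access-Accept
        "unregistered_snat": handle_request(good, "10.1.1.200", clients, users),   # None: silent discard
        "wrong_secret": handle_request(bad_secret, "10.1.1.10", clients, users),   # None: silent discard
        "wrong_password": handle_request(bad_pw, "10.1.1.10", clients, users),     # Access-Reject
    }
```

The point for this thread is the last three scenarios in `demo()`: a wrong password earns a Reject that would be visible in a capture, whereas an unregistered source address or a mismatched secret earns nothing at all, which looks the same on the wire as a routing problem. Checking the server's live log for dropped requests from the SNAT address distinguishes the two cases before any routing work.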