Cisco ISE Persist irule

Dan_Pacheco

Good Day,
iRule “radius_callingid_persist_irule” is referenced in Cisco’s How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP.
https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load...

According to the link: “This document is the result of a joint effort on behalf of Cisco and F5 to detail best practice design and configurations for deploying BIG-IP Local Traffic Manager with Cisco Identity Services Engine.” So presumably there are thousands of deployments using this configuration. I'm running v16.1.4.x and getting a ton of errors related to this irule.

May 15 04:11:01 slot1/LB err tmm[11966]: 01220001:3: TCL error: /hoc-caz/radius_callingid_persist_irule <CLIENT_DATA> - attempt to use empty persistence key (line 5) invoked from within "persist uie $nas_ip $persist_ttl"

The iRule is copy/pasted from the article with no customization. Does anyone else have this iRule implemented? If so, are you getting the same logs? If not, what version are you running? Any idea what the fix is?

1 REPLY

Hi Dan_Pacheco,

I think if [RADIUS::avp 4 ip4] is empty, you may encounter this error. Can you try adding a catch or an if statement before the persist command?

when CLIENT_DATA {
	# 0: No Debug Logging  1: Debug Logging
	set debug 0

	# Persist timeout (seconds)
	set nas_port_type [RADIUS::avp 61 "integer"]
	if { $nas_port_type equals "19" } {
		set persist_ttl 3600
		if { $debug } {
			set access_media "Wireless"
		}
	} else {
		set persist_ttl 28800
		if { $debug } {
			set access_media "Wired"
		}
	}

	# If MAC address is present - use it as persistent identifier
	# See Radius AV Pair documentation on https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
	if {[RADIUS::avp 31] ne "" } {
		set mac [RADIUS::avp 31 "string"]
		
		# Normalize MAC address to upper case
		set mac_up [string toupper $mac]
		persist uie $mac_up $persist_ttl	   
		if { $debug } {
			set target [persist lookup uie $mac_up] 
			log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
		}
	} else {
		set nas_ip [RADIUS::avp 4 ip4]
		if { $nas_ip ne ""} {
			persist uie $nas_ip $persist_ttl
			if { $debug } {
				set target [persist lookup uie $nas_ip]
				log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
			}
		}
	}
}

In this state, persistence will not be applied if the [RADIUS::avp 4 ip4] value is empty.