cisco ise
3 Topics

Cisco ISE Load Balancing
Hi, I am trying to load balance Auth and Accounting traffic from Cisco ISE. But I have my F5 implemented as an F5 VE with a single interface dedicated to traffic and another for Mgmt. The issue is that my F5 Management IP lies in the same segment as Cisco ISE; even though I have declared the Cisco ISE as the pool member, I am not able to get the return traffic back from ISE. I can see the traffic leaving the F5 on interface 1.1, but I never see a reply from Cisco ISE. To resolve this issue, I tried a 443 VIP for the same ISE nodes; I was able to see the VIP working for HTTPS traffic once I added a SNAT. But after reading so many documents and recommendations, I used SNAT for the same RADIUS VIP too. Even then I am still awaiting a reply packet from Cisco ISE. Any help to complete this installation?

Mgmt IP of box: 10.1.1.100 and 10.1.1.101
Cisco ISE nodes: 10.1.1.50 and 10.1.1.51 -- they are using the same VLAN. Also the client Cisco switch is lying in the same VLAN as Mgmt.

The mgmt IP of the BIG-IP is 10.1.1.100 and Cisco ISE is 10.1.1.50 and 10.1.1.51, and both are lying in the same segment, which has been tagged to my BIG-IP VE. I am using a separate segment for the VIP, which is 192.168.36.0/24; it is routed on a separate VLAN and tagged to the same pair of VEs. Now I tested this deployment where everything is reachable via ICMP; still I am not getting a reply packet from the ISE servers:

Case 1: when SNAT is enabled --> HTTPS traffic works but RADIUS doesn't.
Case 2: when SNAT is disabled, none of the traffic is even leaving the box.

I have added the Self IP and floating IP as well as the Mgmt IP as allowed devices on Cisco ISE to allow the monitoring, so I am good with RADIUS monitors for the same pair. It's the client traffic entering the LB that is not getting a reply.

SNAT 1:1 - Map client public IP to nat pool IP
I have a situation where we have a BIG-IP F5 load balancer in front of an MS RRAS server acting as a VPN concentrator. When a user connects to the VPN, the RADIUS auth is proxied through a Cisco ISE instance to tie the user to an IP address; this allows us to create identity-based firewall rules. The problem is that at the moment RRAS is seeing all clients coming from the load balancer because we have SNAT enabled. In Cisco ISE you can only have one active session per endpoint ID, and all users are coming through as the same endpoint ID (the F5's internal SNAT address). So my question: is it possible to set up SNAT in a way that each client will come from a unique SNAT address from a SNAT pool?
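The question above turns on whether the source address the backend sees can be made unique per client. The model below is an added example and not code from the post, F5 or Cisco: it contrasts a stateless hash-based choice of SNAT address (stable per client, but two clients can collide on one address) with a stateful one-to-one lease table that holds one pool address per active client and refuses new flows when the pool is exhausted. The pool range and client addresses are constructed for the example.

```python
"""Two ways a load balancer can pick the source address a backend sees, modelled
in Python so the effect on a server that keys sessions by source IP is visible.
All addresses are constructed for the example."""
import ipaddress
import zlib
from typing import Dict, Iterable, List, Optional, Set

# Constructed SNAT pool: 6 usable addresses (10.1.1.193 - 10.1.1.198).
SNAT_POOL: List[str] = [str(h) for h in ipaddress.ip_network("10.1.1.192/29").hosts()]


def hashed_snat(client_ip: str, pool: List[str]) -> str:
    """Stateless choice, as a hash-based rule would make it: the same client always
    gets the same address, but unrelated clients can land on one address, which the
    backend then treats as a single endpoint."""
    return pool[zlib.crc32(client_ip.encode()) % len(pool)]


class OneToOneSnat:
    """Stateful lease table: each active client holds one pool address exclusively
    until released. Uniqueness is guaranteed only while the pool is not exhausted,
    so the pool must be at least as large as the peak number of concurrent clients."""

    def __init__(self, pool: Iterable[str]):
        self._free: List[str] = list(pool)
        self._by_client: Dict[str, str] = {}
        self._by_snat: Dict[str, str] = {}

    def translate(self, client_ip: str) -> Optional[str]:
        if client_ip in self._by_client:
            return self._by_client[client_ip]  # existing lease: stable mapping
        if not self._free:
            return None  # exhausted: caller must drop the flow rather than share an address
        snat = self._free.pop(0)
        self._by_client[client_ip] = snat
        self._by_snat[snat] = client_ip
        return snat

    def reverse(self, snat_ip: str) -> Optional[str]:
        """Which client is behind a given pool address (for correlating backend logs)."""
        return self._by_snat.get(snat_ip)

    def release(self, client_ip: str) -> bool:
        """Return the client's address to the pool when its session ends."""
        snat = self._by_client.pop(client_ip, None)
        if snat is None:
            return False
        del self._by_snat[snat]
        self._free.append(snat)
        return True


def endpoints_seen(translate, clients: Iterable[str]) -> Set[str]:
    """Distinct source addresses the backend would see; dropped flows (None) are not counted."""
    return {s for s in (translate(c) for c in clients) if s is not None}


if __name__ == "__main__":
    clients = [f"198.51.100.{i}" for i in range(1, 8)]  # 7 constructed VPN clients, 6 addresses
    hashed = endpoints_seen(lambda c: hashed_snat(c, SNAT_POOL), clients)
    print("hash-based :", len(hashed), "endpoints for", len(clients), "clients (collisions)")
    nat = OneToOneSnat(SNAT_POOL)
    leased = endpoints_seen(nat.translate, clients)
    print("1:1 leases :", len(leased), "endpoints; the 7th client is dropped, not merged")
```

With seven clients and six addresses the hash mapping necessarily merges at least two clients into one endpoint, which is exactly the single-session collision described in the post; the lease table never merges, but it must be sized for peak concurrency and the address must be released when the VPN session ends, or the pool drains.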
Problem with SNAT configuration

I'm trying to configure a SNAT for Cisco ISE Change of Authorization (CoA). The goal is to have the virtual address from the load balancer appearing as the source of all CoA connections. This way I don't need to add each policy server address to the NADs. I'm using LTM 11.0.0. I configured the SNAT as shown below:

    ltm snatpool /Sisop-Linux/radius_coa_snat {
        members {
            # address used as origin
            /Sisop-Linux/172.10.10.10
        }
    }
    ltm virtual /Sisop-Linux/vs-isepsn-coa {
        destination /Common/0.0.0.0:1700
        ip-protocol udp
        mask any
        profiles {
            /Common/udp { }
        }
        snatpool /Sisop-Linux/radius_coa_snat
        translate-address disabled
        translate-port disabled
        vlans {
            # VLAN where the policy servers are located
            /Common/v811-pool-net-services
        }
        vlans-enabled
    }

The CoA traffic never reaches the destination. A tcpdump on the load balancer shows that traffic is entering the "v811-pool-net-services" VLAN but it doesn't exit. Can anyone help me?
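Both the first post (RADIUS requests through a SNAT that get no reply) and the CoA post above depend on a property of RADIUS that is easy to lose sight of when a load balancer rewrites the source address: the receiving side identifies its peer by the packet's source IP and looks up the shared secret for that address, and a request from an address it has no secret for is commonly dropped with no reply at all, which is what a tcpdump then shows. The following is an added example, not code from the posts, F5 or Cisco ISE: a minimal RFC 2865 Access-Request builder and a server that keys its NAD table by source IP, so the difference between a registered SNAT address and an unregistered one can be observed. The addresses, secret and user database are constructed for the example, and the NAS-IP-Address attribute is shown to differ from the packet's source address, as it does once SNAT is in the path.

```python
"""RADIUS Access-Request / response handling as seen from a server that
identifies its client (NAD) by source IP. Constructed example: addresses,
secret and user database are made up for illustration."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(kind: int, value: bytes) -> bytes:
    # Type(1) Length(1) Value; Length counts the two header octets (RFC 2865 section 5).
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(raw: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 0
    while pos + 2 <= len(raw):
        kind, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed attribute")
        attrs[kind] = raw[pos + 2:pos + length]
        pos += length
    return attrs


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    # MD5(secret + previous ciphertext block); the first "previous block" is the
    # Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = bytearray(), authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    ra = authenticator or os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(resp_auth, hashlib.md5(head + request_auth + attrs + secret).digest())


class RadiusServer:
    """nads: source IP -> shared secret (the NAD table); users: name -> password."""

    def __init__(self, nads: Dict[str, bytes], users: Dict[str, str]):
        self.nads, self.users = nads, users

    def handle(self, src_ip: str, packet: bytes) -> Optional[bytes]:
        secret = self.nads.get(src_ip)
        if secret is None:
            return None  # unknown NAD: dropped, no reply on the wire
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            return None
        request_auth = packet[4:20]
        attrs = parse_attrs(packet[20:])
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        pw = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, request_auth).decode(errors="replace")
        verdict = ACCESS_ACCEPT if self.users.get(user) == pw else ACCESS_REJECT
        return build_response(verdict, ident, request_auth, secret)


# Constructed topology: the server knows exactly one NAD, the address the load balancer
# sources from (a SNAT or floating self IP); the switch's own address is only inside the packet.
SECRET = b"constructed-secret"
SERVER = RadiusServer(nads={"10.1.1.60": SECRET}, users={"alice": "s3cret"})


def auth_result(source_ip: str, username: str, password: str) -> Optional[int]:
    """Send one Access-Request from source_ip; return the response code, or None if no reply."""
    req = build_access_request(7, SECRET, username, password, nas_ip="192.168.36.10")
    resp = SERVER.handle(source_ip, req)
    if resp is None:
        return None
    if not verify_response(resp, req[4:20], SECRET):
        raise ValueError("response authenticator mismatch: wrong secret or tampered reply")
    return resp[0]
```

Running `auth_result` from the registered address yields Access-Accept or Access-Reject; from any other source it yields nothing, which on the balancer looks like the request left and the server never answered. The same lookup happens in the other direction for CoA: the NAD accepts a Disconnect or CoA-Request only from a source address it has a dynamic-authorization secret for, so whatever address the SNAT presents is the one that has to be configured there.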