F5 breaking EAP-TLS: Fragmentation/Reassembly Issue

umahar
Cisco Employee

Hello,

We have an issue where F5 is breaking EAP-TLS and ISE throws the error "Endpoint Abandoned EAP session".

From the packet capture and troubleshooting, we found that packets with a larger payload containing the contents of the actual certificate are being fragmented, and it seems these fragmented packets are hitting the iRule before being reassembled.

There are many references in the past to accounting for this reassembly, but we still cannot find a way around this on an F5 running the newer 12.1 code.

Has anybody encountered this issue recently and found a way to resolve it?

Accepted Solution

howon
Cisco Employee

Please see the following link:

https://supportforums.cisco.com/discussion/11363426/ise-behind-load-balancer

"It is not uncommon to see RADIUS load balancing issues with EAP-TLS related to fragmentation. The typical cases are either 1) failure of the load balancer to reassemble large RADIUS packets, for example, TLS with larger key sizes, or 2) dropping of fragments by the load balancer that are deemed too small. For the first case, both Cisco ACE and F5 LTM should accommodate automatic reassembly if using the standard LB mechanism for RADIUS. LTM does not reassemble FastL4 by default, but that protocol is normally not used and the guide does not use that profile for RADIUS. If fragments are too small, for both ACE and LTM you would need to change the default minimum fragment size to accept the exceptionally small fragments for reassembly. This can serve as a workaround, but we recommend finding and eliminating the device causing RADIUS packets to be fragmented below a reasonable size.

Another common issue in load balancing is failure to understand the exact path taken for the entire flow to/from the real servers. Often there is a case where ingress packets take one path but responses take another path. This asymmetry often results in packet drops by the load balancer or another device in the path."
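The two failure modes described in the reply above (a load balancer that has to reassemble a large RADIUS datagram before an L4 rule can see it, and a reassembly stage that discards fragments below a minimum size) can be reproduced in a small simulation. The following Python script is an added example and is not code from the thread, from Cisco ISE or from F5; it constructs a RADIUS Access-Challenge carrying a dummy EAP-TLS certificate payload, fragments the UDP datagram at an assumed 1500-byte MTU, and reassembles it with an optional minimum-fragment-size check. The port numbers, the MTU and the all-zero RADIUS Authenticator are assumptions chosen for the example.

```python
"""
Added example (not from the original thread): IP fragmentation of a large
RADIUS/EAP-TLS datagram and its reassembly by a load balancer's reassembly
stage. Every byte here is constructed; nothing is captured from a real network.
"""
import struct

MTU = 1500                 # assumed Ethernet path MTU
IP_HDR_LEN = 20            # IPv4 header without options
UDP_HDR_LEN = 8
RADIUS_ACCESS_CHALLENGE = 11
ATTR_EAP_MESSAGE = 79      # RFC 2869 EAP-Message attribute
EAP_TLS_TYPE = 13          # RFC 5216 EAP-TLS method type


def build_radius_eap_tls_challenge(tls_payload: bytes, identifier: int = 1) -> bytes:
    """Wrap TLS data in one EAP-TLS Request and split it across EAP-Message
    attributes (at most 253 value bytes each), returning the RADIUS packet."""
    # EAP-TLS body: flags byte with the L bit set, then the 4-byte TLS length, then data
    eap_body = struct.pack("!BI", 0x80, len(tls_payload)) + tls_payload
    eap = (struct.pack("!BBH", 1, identifier, 4 + 1 + len(eap_body))   # code=Request
           + bytes([EAP_TLS_TYPE]) + eap_body)
    attrs = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    authenticator = b"\x00" * 16   # constructed placeholder, not a real Authenticator
    header = struct.pack("!BBH", RADIUS_ACCESS_CHALLENGE, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def ip_fragment(udp_payload: bytes, src_port: int = 1812, dst_port: int = 1645,
                mtu: int = MTU) -> list:
    """Split one UDP datagram into IPv4 fragments. Only the offset-0 fragment
    carries the UDP header; the others carry bare payload bytes."""
    udp = struct.pack("!HHHH", src_port, dst_port, UDP_HDR_LEN + len(udp_payload), 0) + udp_payload
    max_data = (mtu - IP_HDR_LEN) // 8 * 8   # non-final fragments are multiples of 8 bytes
    frags, offset = [], 0
    while offset < len(udp):
        chunk = udp[offset:offset + max_data]
        more = offset + len(chunk) < len(udp)   # the MF flag
        frags.append({"offset": offset, "mf": more, "data": chunk})   # offset kept in bytes
        offset += len(chunk)
    return frags


def fragments_matching_udp_port(fragments: list, port: int) -> list:
    """For each fragment, whether an L4 port rule evaluated before reassembly
    could match it: only the first fragment exposes the UDP ports."""
    result = []
    for f in fragments:
        if f["offset"] == 0 and len(f["data"]) >= UDP_HDR_LEN:
            src, dst = struct.unpack("!HH", f["data"][:4])
            result.append(port in (src, dst))
        else:
            result.append(False)
    return result


def reassemble(fragments: list, min_fragment_size=None):
    """Rebuild the UDP datagram. Returns None if a non-final fragment is smaller
    than min_fragment_size (the drop behaviour the reply describes), or if the
    fragment set is incomplete or overlapping."""
    frags = sorted(fragments, key=lambda f: f["offset"])
    if min_fragment_size is not None and any(
            f["mf"] and len(f["data"]) < min_fragment_size for f in frags):
        return None
    buf = bytearray()
    for f in frags:
        if f["offset"] != len(buf):
            return None
        buf += f["data"]
    if not frags or frags[-1]["mf"]:
        return None
    return bytes(buf)


if __name__ == "__main__":
    cert = bytes(range(256)) * 12                     # constructed 3072-byte stand-in for a certificate
    radius = build_radius_eap_tls_challenge(cert)
    frags = ip_fragment(radius)
    print("RADIUS length:", len(radius), "fragments:", [len(f["data"]) for f in frags])
    print("port 1812 visible per fragment:", fragments_matching_udp_port(frags, 1812))
    print("reassembled:", reassemble(frags) is not None)
    small = ip_fragment(radius, mtu=100)              # a device upstream fragmenting far too small
    print("small fragments accepted with 200-byte minimum:", reassemble(small, 200) is not None)
```

Running it shows the three-fragment datagram, that a port-1812 match is only possible on the first fragment, and that the same datagram refragmented into 80-byte pieces is dropped once a 200-byte minimum fragment size is enforced, which is the knob the reply says must be relaxed when such small fragments are unavoidable.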
