CirrostratusRADIUS LB and port translation
I just discovered a concerning problem in the way that the LTM is handling some of our RADIUS traffic. I can see through a network trace that there are times when the LTM translates the source port of a RADIUS request on the internal VLAN. And on the internal side, everything looks fine. But when the response leaves the external VLAN, the LTM is not translating the source IP or source port. So when the RADIUS response packet arrives back at the client, it response with ICMP Port Unreachable and the RADIUS auth request fails.
To give you a visual idea of what's happening, here's what I see in the trace:
RADIUS Request (ext): client:32770->vip:1812
RADIUS Request (int): client:3046->PM:1812
RADIUS Response (int): PM:1812->client:3046
RADIUS Response (ext): PM:1812->client:3046 (wrong, should be vip:1812->client:32770)
Source Port translation on the VIP is set to "Preserve", and I have a UDP profile applied to the VIP which has datagram-load-balancing enabled (as discussed in a DevCentral load-balancing Cisco ISE thread).
This sequence happens only a very small percentage of the time, though the only time I see ICMP Port Unreachable packets is during this specific sequence of events. The first question I'm asking myself is why is the LTM translating the port at all? I thought it would only do this when the connection table is exhausted. But when I look for connections to the VIP in the connection table, it is always zero.
Any thoughts on why I am seeing this behavior?
