RADIUS not being NATed to VIP on reply path CSS1150
any help apprecitated on this one.
We have two CSS11503's configured to loadbalance RADIUS traffic amongst others to two backends (server A and B).
For sever A, it receives the AUTH (1812) and ACCT (1813), for server B it receives mostly AUTH and little ACCT.
However the crux of the problem is that when the RESP is sent out to the originating server, the reply comes from the REAL IP address and not the VIP address of the CSS. This causes issues with the firewall and the RESP is blocked.
This was working fine until about 2 days ago, when it stopped working. No config changes have been made and no network design as changed.
Here's a snip of flow trace_ip:
FEB 7 20:23:17 1/1 3062 FLOWMGR-4: UDP in 172.x.x.11:1812->x.x.193.250:1812
FEB 7 20:23:17 1/1 3063 FLOWMGR-4: UDP out 172.x.x.11:1812->x.x.193.2:1812
FEB 7 20:23:17 1/1 3062 FLOWMGR-4: UDP in x.x.193.2:1812->172.x.x.11:1812
FEB 7 20:23:17 1/1 3063 FLOWMGR-4: UDP out x.x.193.2:1812->172.x.x.11:1812
If someone has any ideas of whats going on, it would be really appreciated.
Re: RADIUS not being NATed to VIP on reply path CSS1150
wow, fast response. I don't have it as part of a NAT group, however my whole issue is that it was working fine without being in the NAT group, up until recently. Also the LB's are not roundrobin load sharing anymore. it's like the CSS has hit some bug. Anyhow, here is my config as an attachment.
Topology & Design:
Two ACI fabrics
Stretching VLANs using OTV
Both fabrics are advertising BD subnets into same routing domain
Some BDs(or say VLANs) are stretched, but some are not.
Endpoints can move betwee...
VMware Trunk Port Group is supported from ACI version 2.1
VMM integration must be configured properly
ASA device package must be uploaded to APIC
ASAv version must be compatible with ACI and device package version
Topology &Design:Traffic flow within same fabric:Endpoint moves to Fabric-2Bounce Entry Times OutTraffic Black-holedSummarySolutionAppendix:
In the Previous articles of ACI Automation, we are using Postman/Newman a...