Forum Discussion

Juliano_Luz_479's avatar
Juliano_Luz_479
Icon for Nimbostratus rankNimbostratus
Mar 30, 2016

Problem with SNAT configuration

I´m trying to configure a SNAT for Cisco ISE Change Of Authorization (COA) . The goal is to have the virtual address from the load balance appearing as the source of all COA connections. This way I don´t need to add each policy server address to the NADs. I´m using LTM 11.0.0. I configured the SNAT as shown below:

ltm snatpool /Sisop-Linux/radius_coa_snat {
    members {
        /Sisop-Linux/172.10.10.10 /*address used as origin
    }
}


ltm virtual /Sisop-Linux/vs-isepsn-coa {
    destination /Common/0.0.0.0:1700
    ip-protocol udp
    mask any
    profiles {
        /Common/udp { }
    }
    snatpool /Sisop-Linux/radius_coa_snat 
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/v811-pool-net-services /*vlan where the police servers are located
    }
    vlans-enabled
}

The COA traffic never reaches the destination. A tcpdump on the balance shows that traffic is entering the "v811-pool-net-services" vlan but it doesn´t exit.

Can anyone help me?

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account
    What's the destination? Does it match a route? If there's no route found in the tmm routing table, it won't exit.