Hey everyone,

Hoping everyone is having a peaceful start of the semester. Reaching out because we’re dealing with a doozy of a problem and hoping someone else may have dealt with this and can help.
We are running several pairs of Cisco 5520 controllers running 8.5.171 code. We have recently done a complete rebuild of our ClearPass environment split across two data centers, and those are running 6.9.6. What we have found is that when sending traffic to this new cluster, some packets are greater than 1500 bytes and are getting fragmented in the environment. That would be all well and fine except our perimeter firewalls are active/active, so in some cases fragment 1 goes to FW-A and fragment 2 goes to FW-B. Palo Alto will drop fragments if it does not have all parts. So these fragments are getting dropped and thus the EAP exchange is timing out.

1. As far as I’ve gotten from Cisco, 5520 controllers do not support jumbo frames.
2. There is no support from Cisco for specifying an EAP-TLS fragment size (unlike Aruba).
3. I cannot move all the controllers inside the data centers, as there are some remote controllers that are part of this environment.

The only solution I can think of right now is to point the traffic to one firewall with policy routes with SLA tracking, but that’s an administratively burdensome solution and, frankly, kind of kludgy.

Have any of you dealt with this sort of issue? Any thoughts on this would be appreciated.

Thanks,
Max

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
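An added sizing calculation, not part of the original post or of any vendor's code: for the 1500-byte MTU the post describes, it estimates the IPv4 datagram size of a RADIUS Access-Challenge carrying one EAP-TLS fragment, finds the largest fragment that avoids IP fragmentation, and shows how many IP fragments a larger datagram splits into (the pieces that end up on different firewalls). The overhead for the non-EAP attributes (Message-Authenticator plus a 16-byte State) is an assumed constant, not a measured value.

```python
import math

IPV4_HEADER = 20       # IPv4 header without options
UDP_HEADER = 8
RADIUS_HEADER = 20     # Code, Identifier, Length, Authenticator (RFC 2865)
ATTR_HEADER = 2        # Type and Length octets of every RADIUS attribute
EAP_MESSAGE_MAX = 253  # largest payload one EAP-Message attribute carries (RFC 2869)
EAP_TLS_FIXED = 10     # EAP Code/Id/Length (4) + Type (1) + Flags (1) + TLS Message Length (4)
# Assumed constant: other attributes in the Access-Challenge, here a
# Message-Authenticator (18 bytes) and a 16-byte State (18 bytes with header).
OTHER_ATTRS = 18 + 18


def radius_datagram_size(fragment_bytes: int) -> int:
    """IPv4 datagram size of an Access-Challenge carrying one EAP-TLS fragment."""
    eap_len = EAP_TLS_FIXED + fragment_bytes
    eap_attrs = math.ceil(eap_len / EAP_MESSAGE_MAX)   # EAP-Message attributes needed
    radius_len = RADIUS_HEADER + OTHER_ATTRS + eap_len + ATTR_HEADER * eap_attrs
    return IPV4_HEADER + UDP_HEADER + radius_len


def fits_without_fragmentation(fragment_bytes: int, mtu: int = 1500) -> bool:
    """True when the whole Access-Challenge fits in a single IP packet."""
    return radius_datagram_size(fragment_bytes) <= mtu


def max_fragment_size(mtu: int = 1500) -> int:
    """Largest EAP-TLS fragment whose Access-Challenge stays in one IP packet."""
    size = mtu  # upper bound; walk down until the datagram fits
    while size > 0 and not fits_without_fragmentation(size, mtu):
        size -= 1
    return size


def ip_fragment_count(datagram_size: int, mtu: int = 1500) -> int:
    """Number of IPv4 fragments a datagram becomes on a link with this MTU."""
    if datagram_size <= mtu:
        return 1
    payload_per_fragment = (mtu - IPV4_HEADER) // 8 * 8  # offsets are 8-byte units
    return math.ceil((datagram_size - IPV4_HEADER) / payload_per_fragment)


if __name__ == "__main__":
    for frag in (1024, 1394, 1400, 2048):
        size = radius_datagram_size(frag)
        print(f"EAP-TLS fragment {frag:5d} B -> {size:5d} B datagram, "
              f"{ip_fragment_count(size)} IP fragment(s)")
    print("largest fragment that avoids IP fragmentation at MTU 1500:",
          max_fragment_size())
```

Any fragment size at or below the printed maximum keeps each Access-Challenge in one packet, so an active/active firewall pair never sees only half of it.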