https://community.cisco.com/t5/network-access-control/unable-to-get-session-from-session-cache/m-p/2153867#M132825 <P>Hi,</P><P></P><P>&nbsp; I have a working distributed deployment and only one user got into this problem today when rebooting his PC. The user and machine were authenticated successfully but the ISE remain the state on the POSTURE-REMEDIATION, with the NAC Agent running but not appearing. It has connectivity with the PSN but the SWISS packets (UDP 8905) are being sent to the gateway as destination instead of to the PSN IP address. The PSNs IP address also resides in the DiscoveryHost tag of NACAgentCFG.xml so the client should know where to go.</P><P></P><P>&nbsp; This is the failure reason:</P><P></P><P><IMG alt="Imágenes integradas 1" src="https://mail.google.com/mail/u/1/?ui=2&amp;ik=83bf07eda9&amp;view=att&amp;th=13dea51fc2b2225f&amp;attid=0.1&amp;disp=emb&amp;realattid=ii_13dea4bd09527ff1&amp;zw&amp;atsh=1" /></P><P></P><P>Any help?</P><P></P><P>Regards,</P> Mon, 11 Mar 2019 03:17:07 GMT Francisco de Asis Gomez Marin 2019-03-11T03:17:07Z https://community.cisco.com/t5/network-access-control/unable-to-get-session-from-session-cache/m-p/2153867#M132825 <P>Hi,</P><P></P><P>&nbsp; I have a working distributed deployment and only one user got into this problem today when rebooting his PC. The user and machine were authenticated successfully but the ISE remain the state on the POSTURE-REMEDIATION, with the NAC Agent running but not appearing. It has connectivity with the PSN but the SWISS packets (UDP 8905) are being sent to the gateway as destination instead of to the PSN IP address. The PSNs IP address also resides in the DiscoveryHost tag of NACAgentCFG.xml so the client should know where to go.</P><P></P><P>&nbsp; This is the failure reason:</P><P></P><P><IMG alt="Imágenes integradas 1" src="https://mail.google.com/mail/u/1/?ui=2&amp;ik=83bf07eda9&amp;view=att&amp;th=13dea51fc2b2225f&amp;attid=0.1&amp;disp=emb&amp;realattid=ii_13dea4bd09527ff1&amp;zw&amp;atsh=1" /></P><P></P><P>Any help?</P><P></P><P>Regards,</P> Mon, 11 Mar 2019 03:17:07 GMT https://community.cisco.com/t5/network-access-control/unable-to-get-session-from-session-cache/m-p/2153867#M132825 Francisco de Asis Gomez Marin 2019-03-11T03:17:07Z https://community.cisco.com/t5/network-access-control/unable-to-get-session-from-session-cache/m-p/2153868#M132890 <HTML><HEAD></HEAD><BODY><P>First you should ensure that the discovery host address on the&nbsp; Cisco NAC&nbsp; agent is pointing to the Cisco ISE FQDN. (Right-click the NAC&nbsp; agent&nbsp; icon, chooses Properties, and checks the discovery host.) Also&nbsp; check&nbsp; that the access switch allows Swiss communication between Cisco&nbsp; ISE and&nbsp; the end client machine. </P><P> Limited access ACL applied for the session should allow Swiss ports:</P><P> remark Allow DHCP</P><P> permit udp any eq bootpc any eq bootps</P><P> remark Allow DNS</P><P> permit udp any any eq domain</P><P> remark ping</P><P> permit icmp any any</P><P> permit tcp any host 80.0.80.2 eq 443 --&gt; for URL redirect</P><P> permit tcp any host 80.0.80.2 eq www --&gt; Provides access to internet</P><P> permit tcp any host 80.0.80.2 eq 8443 --&gt; for guest portal port</P><P> permit tcp any host 80.0.80.2 eq 8905 --&gt; for posture communication&nbsp;&nbsp; between NAC agent and ISE (Swiss ports)</P><P> permit udp any host 80.0.80.2 eq 8905 --&gt;for posture communication&nbsp;&nbsp; between NAC agent and ISE (Swiss ports)</P><P> deny ip any any</P><P></P><P> After doing this if the agent login dialog still does not appear, it&nbsp;&nbsp; could be a certificate issue. Please check t the certificate that is&nbsp;&nbsp; used for Swiss communication on the end client is in the Cisco ISE&nbsp;&nbsp; certificate trusted list. Also check that the default gateway is&nbsp;&nbsp; reachable from the client machine.</P></BODY></HTML> Tue, 09 Apr 2013 15:31:36 GMT https://community.cisco.com/t5/network-access-control/unable-to-get-session-from-session-cache/m-p/2153868#M132890 bhthapa 2013-04-09T15:31:36Z https://community.cisco.com/t5/network-access-control/unable-to-get-session-from-session-cache/m-p/2153869#M132936 <HTML><HEAD></HEAD><BODY><P>All of this conditions are fine since the rest of the users of the deployment are working without problems.</P></BODY></HTML> Tue, 09 Apr 2013 15:48:22 GMT https://community.cisco.com/t5/network-access-control/unable-to-get-session-from-session-cache/m-p/2153869#M132936 Francisco de Asis Gomez Marin 2013-04-09T15:48:22Z