topic Re: Posture fail when admin node is down in Network Access Control

Posture fail when admin node is down

Philip Vilhelmsson — Mon, 24 Jun 2019 09:52:11 GMT

Hi,

I am running ISE 2.6 p1 in a distributed setup with separate Pri admin, Sec admin, Pri monitor, Sec montitor and a few PSN.

I have a wierd issue that then the PSN loose connection to the primary admin node then posture fail. Anyconnect stays on "Checking requirement 1 of 1" for a while and then gives me error "Posture failed due to server issues".

The only requirement I have is to check if the antimalware software is installed or not.

According to the documentation from Cisco the admin node should be able to fail without impacting posture.

I can't figure out why the admin node is required to be online for posture to work. Do you have any idea?

Regards

Philip

Re: Posture fail when admin node is down

Mike.Cifelli — Mon, 24 Jun 2019 12:32:37 GMT

Are your PANs configured for failover? If they are then if the primary goes down then the secondary should become the primary in X amount of time. If they are not I recommend enabling it and running a test where you basically halt services on PAN1, failover to PAN2, and run the posture test.
You could install and run DART on one of the workstations to gather more descriptive logs locally. Also, on the switch you could run some debugs:
debug aaa coa
debug radius
The default CoA port is udp 1700. Ensure that is not blocked. HTH!

Re: Posture fail when admin node is down

Philip Vilhelmsson — Mon, 24 Jun 2019 14:29:44 GMT

Hi,

I did some tests with failover. During the time of failover Posture does not work, but as son as PAN2 becomes Primary admin then Posture starts working.

If I cut the connection between PSN and both PANs then Posture stops working.

In the switch I can see that user authentication is successfull, but then nothing more happens.

The switch and PSN are on the same VLAN.

I have gathered DART logs, but I am unsure what too look for. At first glance I dont see anything special that can be wrong.

What I fail to understand is why PSN needs connection to PAN when the only thing I am doing is checking if AVG Antivirus is installed on the computer.

Regards

Philip

Re: Posture fail when admin node is down

howon — Sat, 29 Jun 2019 07:26:05 GMT

I suggest creating TAC SR to determine root cause. For that posture policy active PAN should not be needed.

Re: Posture fail when admin node is down

jont717 — Wed, 25 Mar 2020 14:17:37 GMT

Any update on this? My 2.6 patch 5 is doing the exact same thing.

Every get it fixed?

Re: Posture fail when admin node is down

bravotom99 — Sun, 21 Feb 2021 00:48:33 GMT

Did you ever sort this out? we saw this recently during an upgrade to 2.6. Opened a TAC case but haven't specifically been told why it posture took a hit yet.

Re: Posture fail when admin node is down

Marcelo Morais — Sun, 21 Feb 2021 03:07:42 GMT

Hi @bravotom99

are you having Posture's issues when Primary PAN is shutdown, but Posture has no issues when Primary PAN has the Database Server state as running and the Application Server still in the initializing state?

PS.: check ISE's process state with show application status ise.

Hope this helps !!!