topic Re: Cisco ISE 2.3 unable to detect Anyconnect posture agent in Network Access Control

Cisco ISE 2.3 unable to detect Anyconnect posture agent

f.arabi1991 — Sat, 28 Jul 2018 12:48:08 GMT

I deployed Cisco ISE 2.3 posture assessment,end user anyconnect is installed, everything in posture work fine but the problem is sometimes when user login , redirection to provisioning portal (for downloading anyconnect) occured and this massage appear : "Cisco ISE unable to detect Anyconnect posture agent" and user network access facing with problem , what can I do for solving this problem, Thanks

Re: Cisco ISE 2.3 unable to detect Anyconnect posture agent

hslai — Sat, 28 Jul 2018 16:48:39 GMT

As your issue happening sometimes, please open a Cisco TAC case, if not done so already. We need to analyze the states of the network device, ISE PSN, and AnyConnect ISE posture module together when such occurs. At very least, provide TAC with the DART support bundles taken from clients experiencing it and the approximate time points.

You might want to try the latest of AnyConnect 4.6 and see if it improves.

Re: Cisco ISE 2.3 unable to detect Anyconnect posture agent

f.arabi1991 — Mon, 30 Jul 2018 09:34:05 GMT

I will open TAC for sure, my deployment information is here:

Cisco ISE 2.3

AnyConnectDesktopWindows 4.5.2036.0

AnyConnectComplianceModuleWindows 4.3.122.0

I created 3 authorization profile in cisco ise : 1-compliant 2-non-compliant 3- unknown

access list on switch for redirection purpose (I use this access list in unknown authorization profile)

Extended IP access list ACL_REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host <cisco ise ip address>
40 permit tcp any any eq www
50 permit tcp any any eq 443
60 deny ip any any

unknown DACL:

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <ise ip address>
deny ip any any

Non-compliant DACL:

deny ip any any

compliant DACL:

permit ip any any