topic Re: Multiple PSN posture sequence in Network Access Control

Multiple PSN posture sequence

wileong — Wed, 13 Jun 2018 06:53:55 GMT

Hi,

IHAC with 3 PSNs with NO LB in front. All 3 PSNs are load balanced based on aaa-server in switch and 3 group of switches with different priority order.

One of the PSN(PSN1) failed and upon RMA, some of the endpoints experienced posture failure. Based on the initial finding, switch has the following priority configured -> (PSN1, PSN2, PSN3).

During failure of PSN1, all endpoints move to PSN2 for posture assessment and upon recovering PSN1 some of the endpoints could not contact to any PSN.

Failed endpoint has AnyConnect connectiondata.xml with the sequence of (PSN2, PSN3, PSN1). Endpoint without issue has connectiondata.xml with the sequence of (PSN1, PSN2, PSN3).

Tried deleting connectiondata.xml and the sequence reflect correct sequence but endpoint still fail posture. Reinstalling AnyConnect solves the issue.

What is being cached in AnyConnect that we could revert the sequence after recovering PSN?

Thanks

Wing Churn

Re: Multiple PSN posture sequence

Nidhi — Wed, 13 Jun 2018 09:20:45 GMT

Connectiondata.xml has last PSN information and is created dynamically on the client.

you can make use of call home list feature in anyconnect profile.

more details can be found here - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-…

Thanks,

Nidhi

Re: Multiple PSN posture sequence

hslai — Thu, 14 Jun 2018 01:46:30 GMT

This needs the DART files during the failures submitted to Cisco TAC and investigate further. It should not need either deleting the connectiondata.xml file or re-installing AnyConnect.