topic Re: Issue Downloadable ACL Identity Service Engine 2.4 in Network Access Control

Issue Downloadable ACL Identity Service Engine 2.4

Nadia Bbz — Thu, 04 Jun 2020 12:40:40 GMT

Dear Team;

i created Downloadable ACL in ise for a VLAN 10.50.30.0 /24

in this vlan we are able to ping gateway and servers , but not address ip 10.50.30.100 , the ping not working for any address in this vlan

first configuration

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host 10.50.30.254 (gateway)

permit ip any host 10.50.30.100
permit ip any host 192.168.16.30 (server)
permit ip any host 192.168.16.34 (server)

i changed the configuration

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host 10.50.30.254 (gateway)

permit ip any host 10.50.30.100
permit ip any host 192.168.16.30 (server)
permit ip any host 192.168.16.34 (server)

permit icmp any host 10.50.30.100 echo-reply
permit icmp any host 10.50.30.100 unreachable
permit icmp any host 10.50.30.100 time-exceeded

but the problem still persists

Re: Issue Downloadable ACL Identity Service Engine 2.4

Francesco Molino — Fri, 05 Jun 2020 04:06:15 GMT

Hi

Permit ip to 10.50.30.100 should be enough, no need to add the icmp ACEs.
Do you see the acl applied to the user session? Simple troubleshooting, do you see icmp leaving the switch and going towards your server?
Are you on this vlan while trying the ping?

Re: Issue Downloadable ACL Identity Service Engine 2.4

Anurag Sharma — Fri, 05 Jun 2020 13:31:06 GMT

Hi @Nadia Bbz ,

In addition to what @Francesco Molino said, start at the basic troubleshooting:

check if the DACL was downloaded and applied successfully:

show auth session interface Gi x/y detail

show ip access-list interface Gi x/y

If you are in the same VLAN, check if your machine has learn the ARP.

If you are not in the same VLAN, check if the traceroute is working.

Take capture on 10.50.30.100 and see if it's getting packets. Take capture on your machine to see if you are sending the packets correctly.

Re: Issue Downloadable ACL Identity Service Engine 2.4

hslai — Sun, 07 Jun 2020 16:29:40 GMT

Adding to the others. IP Device Tracking or SISF-Based Device Tracking needs working on your Cisco IOS-based switch for DACL to work.

Best to start troubleshooting by not using DACL at all and then PERMIT_ALL_IPV4_TRAFFIC (or another DACL that permit all access).

Re: Issue Downloadable ACL Identity Service Engine 2.4

Nadia Bbz — Mon, 08 Jun 2020 09:06:16 GMT

Hey @hslai @Anurag Sharma @Francesco Molino ;

Thanks for your help I greatly appreciate it.

yes ACL are applied to the user session

Result for troubleshooting

1/ tracert 10.50.30.100

Traceroute to WKS01.xx.xx [10.50.30.100], 30 hops max

1 * * * request timed out
2 * * * request timed out
3 * * * request timed out .
4 * * * request timed out.

2/ tracert 192.168.16.30

Traceroute to serv.xx.xx [192.168.16.30], 30 hops max

1 3 ms <1 ms <1 ms 10.50.30.254
2 <1 ms <1 ms <1 ms xx.xx.xx.xx
3 13 ms <1 ms <1 ms xx.xx.xx.xx
4 1 ms 1 ms 1 ms serv.xx.xx [192.168.16.30]

3/ arp -a

Interface : 10.50.30.101 --- 0x9
internet Address physique Type
10.50.30.100 xx-xx-xx-xx-xx-xx dynamic
10.50.30.254 xx-xx-xx-xx-xx-xx dynamic
10.50.30.255 xx-xx-xx-xx-xx-xx static
xx.xx.xx.xx xx-xx-xx-xx-xx-xx static
xx.xx.xx.xx xx-xx-xx-xx-xx-xx static
xx.xx.xx.xx xx-xx-xx-xx-xx-xx static
255.255.255.255 xx-xx-xx-xx-xx-xx static

when i type this command show auth session interface Gi x/y detail i see that the DACL is applied successfully
show ip access-list interface Gi x/y no result because ACL is created in ISE not in Switch

i created another DACL with PERMIT_ALL_TRAFFIC [ permit ip any any]

The ping work for any address in this Vlan

Re: Issue Downloadable ACL Identity Service Engine 2.4

Anurag Sharma — Mon, 08 Jun 2020 11:18:41 GMT

Hi @Nadia Bbz ,

arp -a

Interface : 10.50.30.101 --- 0x9
internet Address physique Type
10.50.30.100 xx-xx-xx-xx-xx-xx dynamic

The above output shows that we are able to learn the L2 address. The traceroute packets (ICMP) should have just gone to the server at 10.50.30.100 itself. I'd suggest you check the following two things:

Are you able to ping from the server 10.50.30.100 to your host 10.50.30.101?
Is there any sort of host firewall (Windows firewall, if it's Win) enabled on the server 10.50.30.100? Disable it and check.

Re: Issue Downloadable ACL Identity Service Engine 2.4

Francesco Molino — Wed, 10 Jun 2020 01:33:09 GMT

It’s working when you push a permit any so there shouldn’t be a firewall blocking on the server itself.
The dacl is pushed on your port, can you do a show access-list with the name you see in the show auth session output?
Also, while you have a permit any, can you do a traceroute to that ip?

Re: Issue Downloadable ACL Identity Service Engine 2.4

thomas — Fri, 12 Jun 2020 23:01:52 GMT

This sounds more like a routing/ACL issue than an ISE issue since ISE is applying the ACL successfully to the switch.

Suggest calling TAC to help you troubleshoot since the community suggestions have stopped.