https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4298513#M565760 <P>Are all of the module versions and configuration the same across the board? Have you attempted to uninstall/reinstall on the troubled client?</P> Fri, 26 Feb 2021 18:02:51 GMT Mike.Cifelli 2021-02-26T18:02:51Z https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4297715#M565715 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>I have a pc that fails posture.&nbsp;</P><P>The condition it fails is firewall.&nbsp;</P><TABLE><TBODY><TR><TD><DIV class="ellipsis">Mandatory</DIV></TD><TD><DIV class="ellipsis">Failed</DIV></TD><TD><DIV class="ellipsis">fw_enabled_v4_fw_ANY_ANY_ANY</DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>On the pc though the fw is open</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FWEnabled1.png" style="width: 584px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/105173iD38A1D58EE1BB22C/image-size/large?v=v2&amp;px=999" role="button" title="FWEnabled1.png" alt="FWEnabled1.png" /></span></P><P>&nbsp;</P><P>From the DART I see errors like that</P><P>&nbsp;</P><PRE>2021/02/25 15:50:57 [Error] aciseagent Function: GetCurrentUserName Thread Id: 0xE10 File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libcommoncpp\impersonateuser.cpp Line: 34 Level: error Failed to find an active session.. 2021/02/25 15:50:57 [Error] aciseagent Function: GetCurrentUserName Thread Id: 0xE10 File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libcommoncpp\impersonateuser.cpp Line: 37 Level: error Failed to find session after enumerating each session.. 2021/02/25 15:50:57 [Warning] aciseagent Function: SwiftHttpRunner::timer_callback Thread Id: 0xE10 File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\libswift\swifthttprunner.cpp Line: 337 Level: warn Failed to obtain loggedIn user info, aborting discovery.. <BR />2021/02/25 16:15:29 [Error] nacapi Function: CNacApiShim::StatusNotification Thread Id: 0x146C File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\nacshim\nacshim.cpp Line: 232 Level: error StatusNotification invalid state. <BR />2021/02/25 16:15:29 [Error] nacapi Function: CNacApiShim::StatusNotification Thread Id: 0x146C File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\nacshim\nacshim.cpp Line: 232 Level: error StatusNotification invalid state. <BR />2021/02/25 16:15:29 [Error] nacapi Function: CNacApiShim::StatusNotification Thread Id: 0x146C File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\nacshim\nacshim.cpp Line: 232 Level: error StatusNotification invalid state. <BR />2021/02/25 16:15:29 [Error] nacapi Function: CNacApiShim::StatusNotification Thread Id: 0x146C File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\nacshim\nacshim.cpp Line: 232 Level: error StatusNotification invalid state. <BR />2021/02/25 16:36:37 [Error] nacapi Function: IpcWrap::_recv Thread Id: 0x146C File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\nacshim\ipcwrap.cpp Line: 106 Level: error Failed to read packet length: -6 - Connection Aborted. <BR />2021/02/25 16:36:37 [Error] nacapi Function: IpcWrap::_recvThread Thread Id: 0x146C File: c:\temp\build\thehoff\negasonic_mr30.550195061902\negasonic_mr3\posture\ise\nacshim\ipcwrap.cpp Line: 342 Level: error _recv returned: -6 - Connection Aborted. </PRE><P>What might be wrong?</P><P>&nbsp;</P><P>Thanks and regards,&nbsp;</P><P>Konstantinos</P> Thu, 25 Feb 2021 15:28:36 GMT https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4297715#M565715 kostasthedelegate 2021-02-25T15:28:36Z https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4297725#M565718 <P>In my experience those conditions can be tricky.&nbsp; Are you simply trying to ensure that clients have a local firewall enabled and running? If so, my suggestion would be to identify the target service within services and create a service condition.&nbsp; For example, here is a service condition that checks to ensure McAfee HIPS is running:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="svc_cond.PNG" style="width: 364px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/105175i8ABA98953E51F39F/image-size/medium?v=v2&amp;px=400" role="button" title="svc_cond.PNG" alt="svc_cond.PNG" /></span></P> <P>&nbsp;</P> <P>HTH!</P> Thu, 25 Feb 2021 15:37:17 GMT https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4297725#M565718 Mike.Cifelli 2021-02-25T15:37:17Z https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4298328#M565753 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>Actually the condition is working fine for the rest of the PCs, but there is this one that while the fw is enabled ISE show that the condition is not met.</P> Fri, 26 Feb 2021 12:45:09 GMT https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4298328#M565753 kostasthedelegate 2021-02-26T12:45:09Z https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4298513#M565760 <P>Are all of the module versions and configuration the same across the board? Have you attempted to uninstall/reinstall on the troubled client?</P> Fri, 26 Feb 2021 18:02:51 GMT https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4298513#M565760 Mike.Cifelli 2021-02-26T18:02:51Z https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4299168#M565792 <P>Hello Mike,&nbsp;</P><P>&nbsp;</P><P>The&nbsp;<SPAN>uninstall/reinstall did not change the result.</SPAN></P><P><SPAN>This machine is Windows 8 the others are windows 10</SPAN></P> Mon, 01 Mar 2021 06:11:14 GMT https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4299168#M565792 kostasthedelegate 2021-03-01T06:11:14Z https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4299536#M565815 <P>Are you running the same AC module &amp; compliance module versions on both the Win10 &amp; Win8 clients? For the Win8 would it be possible to utilize another check that would meet the firewall check requirement? IMO you have other options.&nbsp; However, your best bet may be to generate a DART bundle and engage with TAC.</P> Mon, 01 Mar 2021 19:47:44 GMT https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4299536#M565815 Mike.Cifelli 2021-03-01T19:47:44Z https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4299725#M565820 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>The modules are the same.&nbsp;</P><P>I will look into the different version of the rule.&nbsp;</P><P>I have uploaded the DART and the errors from AnyConnect_ISEPosture.txt, but i do not recognize if they are relevant.</P> Tue, 02 Mar 2021 06:11:20 GMT https://community.cisco.com/t5/network-access-control/non-compliant-pc-but-fw-enabled/m-p/4299725#M565820 kostasthedelegate 2021-03-02T06:11:20Z