https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/3174902#M56844 <P>Not using ACS, its all ISE/RADIUS now in this enviroment, but the dACL was originally imported from ACS. The dACL that ISE pushes to the ASA for the VPN session needs to use subnet mask format instead of wildcard format for dACL lines that reference networks.</P> Wed, 23 Aug 2017 20:36:28 GMT snicklas 2017-08-23T20:36:28Z https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/2780577#M56835 <P>Hi,</P> <P>We have a ISE 1.4 deployment in which we are doing posture assessment for VPN users connecting through ASA version 9.3(3). users are connecting normally , authentication and authorization are done succesffuly , however, when nac agent pops up anyconnect vpn client disconnects and the following message appears :</P> <P></P> <P>"</P> <P>The secure gateway has terminated the VPN connection.<BR />The following message was received from the secure gateway: COA initiated</P> <P>"</P> <P>How could we keep the CoA initiation from disconnecting VPN client.</P> <P></P> <P>Appreciate your help ,</P> <P></P> <P>Best Regards,</P> <P>Muayad Jallad,</P> <P></P> <P></P> <P></P> Mon, 11 Mar 2019 06:12:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/2780577#M56835 M.Jallad 2019-03-11T06:12:39Z https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/2780578#M56839 <P>Hi ,</P> <P>Just wanted to update that problem was resolved successfully , it was TACACS command authorization defined on ASA that was preventing the DACL from being configured on ASA which was triggering anyconnect VPN termination.</P> <P>it was resolved after configuring device administration autorization policy on ACS to give ISE authorization on ASA.</P> <P>Best Regards,</P> <P>Muayad Jallad,</P> <P></P> Tue, 03 Nov 2015 15:47:21 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/2780578#M56839 M.Jallad 2015-11-03T15:47:21Z https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/2780579#M56841 <P>Hello Muayad,</P> <P>May I ask if this has affected all or just one of your anyconnect users?</P> <P>I have a similar issue but just on one user.</P> <P>Any advice is greatly appreciated.</P> <P>Thank you.</P> <P></P> <P>Jem</P> Wed, 27 Apr 2016 10:56:38 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/2780579#M56841 santiago.jem 2016-04-27T10:56:38Z https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/3174902#M56844 <P>Not using ACS, its all ISE/RADIUS now in this enviroment, but the dACL was originally imported from ACS. The dACL that ISE pushes to the ASA for the VPN session needs to use subnet mask format instead of wildcard format for dACL lines that reference networks.</P> Wed, 23 Aug 2017 20:36:28 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-vpn-posture-with-asa/m-p/3174902#M56844 snicklas 2017-08-23T20:36:28Z