https://community.cisco.com/t5/network-security/asa-coa-problem-with-ise/m-p/3744587#M9005 <P>Hi All,</P> <P>&nbsp;</P> <P>&nbsp;Apologies if this is&nbsp;in the wrong area, but it covers a few.</P> <P>&nbsp;</P> <P>I'm setting up RA VPN using Anyconnect client 4.6, ASA headends are 5545's running 9.9. I am also integrating ISE 2.4.<BR />The clients currently authenticate via certificate on the ASA, then with AD credentials via ISE, this all seems to work nicely. The problem comes when I try to set up posturing/compliance, I can get the posturing module to find the policy server, and redirect url for provisioning works, and also DACL is enforced whilst client is in an 'unknown compliance' authorisation profile. However when the client finishes successful compliancy scan and sends result to ISE, the ISE then sends a CoA request to the ASA for that particular session, as expected, but the ASA logs 'CoA (Action type 43) from 'ISE server ip' failed for user 'username', with session ID 'session id'. Action not supported.</P> <P>&nbsp;</P> <P>&nbsp;Wireshark shows it sending AVP subscriber:command=reauthentcicate, and coa-push+true amongst others.</P> <P>&nbsp;</P> <P>&nbsp;The Cisco docs say the log means the packet is correctly formed but the action is unsupported, I'm using the default Cisco device profile on ISE with CoA settings. If I send a CoA terminate session request from ISE, it is successful.</P> <P>&nbsp;</P> <P>&nbsp;I'm struggling to find any similar problem online and I don't have much experience with CoA, so I'm thinking I've maybe set something up wrong.</P> <P>&nbsp;</P> <P>&nbsp;Anyone got any ideas? Would be greatly appreciated.</P> Fri, 21 Feb 2020 16:27:39 GMT DAVIES604 2020-02-21T16:27:39Z https://community.cisco.com/t5/network-security/asa-coa-problem-with-ise/m-p/3744587#M9005 <P>Hi All,</P> <P>&nbsp;</P> <P>&nbsp;Apologies if this is&nbsp;in the wrong area, but it covers a few.</P> <P>&nbsp;</P> <P>I'm setting up RA VPN using Anyconnect client 4.6, ASA headends are 5545's running 9.9. I am also integrating ISE 2.4.<BR />The clients currently authenticate via certificate on the ASA, then with AD credentials via ISE, this all seems to work nicely. The problem comes when I try to set up posturing/compliance, I can get the posturing module to find the policy server, and redirect url for provisioning works, and also DACL is enforced whilst client is in an 'unknown compliance' authorisation profile. However when the client finishes successful compliancy scan and sends result to ISE, the ISE then sends a CoA request to the ASA for that particular session, as expected, but the ASA logs 'CoA (Action type 43) from 'ISE server ip' failed for user 'username', with session ID 'session id'. Action not supported.</P> <P>&nbsp;</P> <P>&nbsp;Wireshark shows it sending AVP subscriber:command=reauthentcicate, and coa-push+true amongst others.</P> <P>&nbsp;</P> <P>&nbsp;The Cisco docs say the log means the packet is correctly formed but the action is unsupported, I'm using the default Cisco device profile on ISE with CoA settings. If I send a CoA terminate session request from ISE, it is successful.</P> <P>&nbsp;</P> <P>&nbsp;I'm struggling to find any similar problem online and I don't have much experience with CoA, so I'm thinking I've maybe set something up wrong.</P> <P>&nbsp;</P> <P>&nbsp;Anyone got any ideas? Would be greatly appreciated.</P> Fri, 21 Feb 2020 16:27:39 GMT https://community.cisco.com/t5/network-security/asa-coa-problem-with-ise/m-p/3744587#M9005 DAVIES604 2020-02-21T16:27:39Z https://community.cisco.com/t5/network-security/asa-coa-problem-with-ise/m-p/5172420#M1115619 <DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><PRE>109104 error : CoA failed, Action not supported</PRE><P>usually occurs because that RADIUS server is in FAILED state in (another) AAA group on the ASA.</P><P>check <STRONG>show aaa-servers </STRONG>output</P></DIV></DIV></DIV></DIV></DIV> Fri, 06 Sep 2024 12:37:03 GMT https://community.cisco.com/t5/network-security/asa-coa-problem-with-ise/m-p/5172420#M1115619 networksi08690 2024-09-06T12:37:03Z https://community.cisco.com/t5/network-security/asa-coa-problem-with-ise/m-p/5172511#M1115621 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1112937">@networksi08690</a> the original post is 6 years old. I would hope they figured it out by now. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 06 Sep 2024 15:57:58 GMT https://community.cisco.com/t5/network-security/asa-coa-problem-with-ise/m-p/5172511#M1115621 Marvin Rhoads 2024-09-06T15:57:58Z