CSCvm68975 - ASA 9.8(2)38 ASA will not allow users to log in when ISE uses a DACL with more than 20 entries

Felix.Schwarz
Level 1

Hi Guys,

I hope someone can help me here, because I am not having success with the TAC right now.

We are using dACLs for special VPN users, and some of the dACLs have more than 1000 lines. All dACLs with fewer than 60 rows are working.

We have been investigating whether ISE is passing the dACL to the ASA. The expected behavior is that when ISE returns the result that includes the dACL, the ASA sends an Access-Request with the dACL name, and ISE then sends the dACL in an Access-Accept. We saw from the packet capture that the length of the dACL (1120 lines) seems to be causing some trouble. Since ISE cannot send the whole dACL in one packet, it sends the first 65 lines in an Access-Challenge (instead of an Access-Accept), and we do not get another response from the ASA. So ISE only sends the first part and never sends the full dACL.

Upon further troubleshooting we were able to take a capture on ACS, and there we see the expected back and forth between ACS and the ASA.

Does anyone know which ASA version works for this?
We are using ISE 2.3 with patches 1, 2, 3, 4 and 5 and an ASA 5525 with version 9.6(4)20 at the moment.

Thank you

Felix

0 Replies
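The exchange the post describes, modelled as an added example that is not part of the original thread and not ISE or ASA code. It assumes the facts that are public: a RADIUS packet is at most 4096 bytes (RFC 2865), and ISE delivers a downloadable ACL as one `cisco-avpair` Vendor-Specific attribute per entry in the form `ip:inacl#<n>=<ace>`. It simplifies the rest: the NAS identifies the dACL by name instead of the real `#ACSACL#-IP-...` User-Name convention, fragment continuation is tracked with a short State attribute, and authenticators are left zeroed. The sample dACLs (1120 entries and 40 entries) are constructed for the demonstration. The point it shows is the failure mode from the capture: a NAS that treats the Access-Challenge as the end of the exchange only ever receives the first fragment.

```python
"""
Constructed model of the RADIUS dACL download exchange. Not ISE or ASA code; it only
reproduces the packet-size limit and the Access-Challenge / State continuation.
"""
import struct

RADIUS_MAX_PACKET = 4096        # RFC 2865: maximum RADIUS packet length
RADIUS_HEADER_LEN = 20          # code(1) id(1) length(2) authenticator(16)
ATTR_STATE = 24
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # Cisco VSA subtype for cisco-avpair
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
STATE_RESERVE = 20              # room kept in every fragment for a State attribute


def cisco_avpair(value: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific (type 26) attribute."""
    data = value.encode()
    # attribute length is one byte: 2 (attr hdr) + 4 (vendor id) + 2 (vsa hdr) + data <= 255
    assert len(data) <= 247, "cisco-avpair value too long for a single attribute"
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa


def dacl_avpairs(aces):
    """One 'ip:inacl#<n>=<ace>' avpair per ACE, the form ISE uses for downloadable ACLs."""
    return [cisco_avpair(f"ip:inacl#{i}={ace}") for i, ace in enumerate(aces, 1)]


def build_packet(code, ident, attrs, state=None):
    """Assemble a RADIUS packet; the authenticator is zeroed (no crypto in this model)."""
    body = b"".join(attrs)
    if state is not None:
        body += struct.pack("!BB", ATTR_STATE, 2 + len(state)) + state
    length = RADIUS_HEADER_LEN + len(body)
    assert length <= RADIUS_MAX_PACKET, "packet exceeds RFC 2865 limit"
    return struct.pack("!BBH", code, ident, length) + bytes(16) + body


def chunk_attributes(attrs, budget=RADIUS_MAX_PACKET - RADIUS_HEADER_LEN - STATE_RESERVE):
    """Split attributes into fragments that each fit in one RADIUS packet."""
    chunks, current, size = [], [], 0
    for attr in attrs:
        if current and size + len(attr) > budget:
            chunks.append(current)
            current, size = [], 0
        current.append(attr)
        size += len(attr)
    if current:
        chunks.append(current)
    return chunks


class DaclServer:
    """ISE-like side: answers each dACL request with one fragment.
    Fragments still pending -> Access-Challenge + State; last fragment -> Access-Accept."""

    def __init__(self, dacls):
        self.fragments = {name: chunk_attributes(dacl_avpairs(aces)) for name, aces in dacls.items()}
        self.ident = 0

    def handle(self, dacl_name, state=None):
        index = int(state) if state is not None else 0
        frags = self.fragments[dacl_name]
        self.ident = (self.ident + 1) & 0xFF
        if index + 1 < len(frags):
            return build_packet(ACCESS_CHALLENGE, self.ident, frags[index], str(index + 1).encode())
        return build_packet(ACCESS_ACCEPT, self.ident, frags[index])


def parse_packet(pkt):
    """Return (code, [vsa bytes ...], state) from a RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    pos, vsas, state = RADIUS_HEADER_LEN, [], None
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            vsas.append(pkt[pos:pos + attr_len])
        elif attr_type == ATTR_STATE:
            state = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, vsas, state


def download_dacl(server, dacl_name, answers_challenge=True):
    """NAS side. Returns (final code, number of ACEs received).
    answers_challenge=False models a NAS that treats Access-Challenge as the end of the
    exchange, the behaviour the post describes: only the first fragment ever arrives."""
    received, state = 0, None
    while True:
        code, vsas, state = parse_packet(server.handle(dacl_name, state))
        received += len(vsas)
        if code == ACCESS_ACCEPT or (code == ACCESS_CHALLENGE and not answers_challenge):
            return code, received


# Constructed sample dACLs: 1120 entries (as in the post) and 40 entries that fit in one packet.
BIG_ACES = [f"permit ip host 10.{i >> 8}.{i & 255}.1 any" for i in range(1120)]
SMALL_ACES = BIG_ACES[:40]
SERVER = DaclServer({"VPN-BIG": BIG_ACES, "VPN-SMALL": SMALL_ACES})

if __name__ == "__main__":
    for name in ("VPN-SMALL", "VPN-BIG"):
        frags = len(SERVER.fragments[name])
        ok = download_dacl(SERVER, name)
        stuck = download_dacl(SERVER, name, answers_challenge=False)
        print(f"{name}: {frags} fragment(s); challenge-aware NAS got {ok[1]} ACEs, "
              f"non-responding NAS got {stuck[1]} ACEs (final code {stuck[0]})")
```

Running it shows the small dACL arriving in a single Access-Accept regardless of NAS behaviour, while the 1120-entry dACL needs many fragments: the challenge-aware NAS collects all 1120 entries, and the NAS that never answers the Access-Challenge stops after the first fragment with an incomplete ACL. That is the pattern to look for in a capture between ISE and the ASA: a single Access-Challenge carrying `ip:inacl#` attributes with no follow-up Access-Request from the NAS.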