Solved: AnyConnect runs posture check twice

dgaikwad · ‎11-16-2019

Hi Experts,

We are moving away from NAC Agent to Cisco AnyConnect.

There is this weird behaviiour that we are seeing, the AnyConnect is running the posture check twice.
Once, when its in limited access and checks if the endpoint is compliant or not, then reports it as compliant.
So as per the policy a compliant endpoint should get production IP address through VLAN change, so it waits for the new IP address to be assigned, when its assigned the posture check happens again.

Ideally the post the reporting the endpoint as compliant the IP change should happen immediatly, which is not the case here
I have also tweaked the wait timers and DHCP releaes and renew timers from the client profile.

Has anyone seen this issue before? Or is it working as designed?

Surendra · ‎11-16-2019

Increase the network transition delay to 10-15 seconds depending on how much time it actually takes in the customer’s deployment for an IP address to be assigned after the VLAN change

View solution in original post

Surendra · ‎11-16-2019

Increase the network transition delay to 10-15 seconds depending on how much time it actually takes in the customer’s deployment for an IP address to be assigned after the VLAN change

dgaikwad · ‎11-24-2019

Yes, have increased it to 25 seconds and still there is no change in the posture running twice.
We are working with a TAC and he has captured LAN traffic from the endpoint, distribution server and DHCP server to further analyse it.

Will post an update soon.