Solved: Multiple PSN posture sequence

wileong · ‎06-12-2018

Hi,

IHAC with 3 PSNs with NO LB in front. All 3 PSNs are load balanced based on aaa-server in switch and 3 group of switches with different priority order.

One of the PSN(PSN1) failed and upon RMA, some of the endpoints experienced posture failure. Based on the initial finding, switch has the following priority configured -> (PSN1, PSN2, PSN3).

During failure of PSN1, all endpoints move to PSN2 for posture assessment and upon recovering PSN1 some of the endpoints could not contact to any PSN.

Failed endpoint has AnyConnect connectiondata.xml with the sequence of (PSN2, PSN3, PSN1). Endpoint without issue has connectiondata.xml with the sequence of (PSN1, PSN2, PSN3).

Tried deleting connectiondata.xml and the sequence reflect correct sequence but endpoint still fail posture. Reinstalling AnyConnect solves the issue.

What is being cached in AnyConnect that we could revert the sequence after recovering PSN?

Thanks

Wing Churn

hslai · ‎06-13-2018

This needs the DART files during the failures submitted to Cisco TAC and investigate further. It should not need either deleting the connectiondata.xml file or re-installing AnyConnect.

View solution in original post

Nidhi · ‎06-13-2018

Connectiondata.xml has last PSN information and is created dynamically on the client.

you can make use of call home list feature in anyconnect profile.

more details can be found here - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-…

Thanks,

Nidhi

hslai · ‎06-13-2018

This needs the DART files during the failures submitted to Cisco TAC and investigate further. It should not need either deleting the connectiondata.xml file or re-installing AnyConnect.