
No Policy Server Detected

Ali
Level 4

Hello Community,

Running ISE 2.1 with patch 5 and AnyConnect 4.5.

We are facing an issue on random endpoints with the "No Policy Server Detected" message in AnyConnect, and in the ISE Live Logs it is showing Posture Unknown.

Endpoints are able to ping the ISE server as well as its host name, and are also able to resolve enroll.cisco.com.

Dot1x is successfully happening for the endpoint, redirection is also working, and the posture status is showing Pending under Live Sessions on ISE.

Is there anything I need to look at to find out why Posture is not working?

Appreciate your inputs here.


5 Replies

Craig Hyps
Level 10

With ISE 2.1, you must rely on URL redirect for the client to discover the PSN, and it needs to be the PSN that authenticated the client. One exception is the attempt to connect to the previous PSN, but let's stick to the new connection case. Therefore, your Discovery Host or the resolution of enroll.cisco.com must resolve to a target beyond the redirection point and be a routable target. If the DH or enroll.cisco.com resolves to the PSN, it will not work.

hslai
Cisco Employee

As you mentioned this issue is happening randomly, please engage Cisco TAC to troubleshoot.

Ali
Level 4

hslai, chyps: Thanks for the input.

I have taken TAC support.

More about the issue: when the user logs on to one PC, the posture scan works and gets Compliant status; when the same user logs on to a different PC, AnyConnect shows No Policy Server Detected after the scan.

After a packet capture, we found that AnyConnect reaches ISE and ISE was redirecting AnyConnect to port 8905. When AnyConnect goes to that port, ISE was sending a Reset; on ISE we confirmed the port was open. This is something weird, why ISE was giving a Reset.

The TAC engineer went through the support bundle and found some bugs along with a high load average, and suggested either reloading the server or upgrading to Patch 7.

As a temporary workaround we reloaded the box, and after the reload the No Policy Server issue got resolved.

Is there anything we need to look at to resolve the Reset instead of going for Patch 7?
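As an added example that is not part of this thread and not a Cisco tool, the following Python script turns the two points above into a pre-check you can run from an affected endpoint: it applies the rule that the Discovery Host / enroll.cisco.com must not resolve to a PSN, and it tells an RST (connection refused) on port 8905 apart from a silent drop, which is the distinction the packet capture exposed. The PSN addresses are constructed placeholders; the port number is the one from the capture.

```python
import socket
from typing import Dict, List, Optional

# Assumed values: replace with the PSN addresses of the deployment under test.
PSN_ADDRESSES = ["192.0.2.10", "192.0.2.11"]  # constructed sample PSN IPs
POSTURE_PORT = 8905  # the port AnyConnect was redirected to in the thread

def classify_discovery_target(resolved_ip: str, psn_addresses: List[str]) -> str:
    """Rule from the thread: the Discovery Host / enroll.cisco.com must resolve to a
    routable target beyond the redirect point, never directly to a PSN."""
    if resolved_ip in psn_addresses:
        return "misconfigured: discovery host resolves to a PSN, the redirect cannot intercept it"
    return "ok: discovery host resolves off-PSN, the URL redirect can steer the client to its PSN"

def classify_connect_result(error: Optional[BaseException]) -> str:
    """Map a TCP connect outcome to what a packet capture would show."""
    if error is None:
        return "open"  # SYN / SYN-ACK / ACK completed
    if isinstance(error, ConnectionRefusedError):
        return "reset"  # server answered with RST, the symptom reported in the thread
    if isinstance(error, (socket.timeout, TimeoutError)):
        return "filtered"  # no answer at all: firewall or routing, not the PSN itself
    return "error"

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Live check (needs network): attempt a TCP connection to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify_connect_result(None)
    except OSError as exc:
        return classify_connect_result(exc)

def run_checks(discovery_host: str, psn_addresses: List[str]) -> Dict[str, str]:
    """Resolve the discovery host, then probe every PSN on the posture port."""
    results: Dict[str, str] = {}
    try:
        resolved = socket.gethostbyname(discovery_host)
        results[discovery_host] = classify_discovery_target(resolved, psn_addresses)
    except socket.gaierror:
        results[discovery_host] = "unresolved: DNS lookup failed"
    for psn in psn_addresses:
        results[f"{psn}:{POSTURE_PORT}"] = probe_tcp(psn, POSTURE_PORT)
    return results

if __name__ == "__main__":
    for target, verdict in run_checks("enroll.cisco.com", PSN_ADDRESSES).items():
        print(f"{target:<28} {verdict}")
```

A "reset" verdict with the port confirmed open on the PSN points at the PSN process itself, as TAC found here, while "filtered" points at the path between endpoint and PSN.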

Please take the TAC advice, as they are tasked with troubleshooting and resolving break/fix issues.

I suspect it is a case where the posture request was sent to a PSN that was no longer the owner. If a specific defect is flagged as being the fix, as we have added some logic to address such out-of-sync cases, then that would be the path to prevent future occurrences; else rely on the ISE 2.2+ feature to provide Phase 2 discovery.