Posture fail when admin node is down

Hi,

 

I am running ISE 2.6 p1 in a distributed setup with separate Pri admin, Sec admin, Pri monitor, Sec monitor and a few PSN.

I have a weird issue that when the PSN lose connection to the primary admin node then posture fails. AnyConnect stays on "Checking requirement 1 of 1" for a while and then gives me the error "Posture failed due to server issues".

The only requirement I have is to check if the antimalware software is installed or not.

 

According to the documentation from Cisco the admin node should be able to fail without impacting posture. 

I can't figure out why the admin node is required to be online for posture to work. Do you have any idea?

 

Regards

Philip

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Posture fail when admin node is down

I suggest creating a TAC SR to determine the root cause. For that posture policy, an active PAN should not be needed.

3 REPLIES
Rising star

Re: Posture fail when admin node is down

Are your PANs configured for failover? If they are, then if the primary goes down the secondary should become the primary in X amount of time. If they are not, I recommend enabling it and running a test where you basically halt services on PAN1, fail over to PAN2, and run the posture test.
You could install and run DART on one of the workstations to gather more descriptive logs locally. Also, on the switch you could run some debugs:
debug aaa coa
debug radius
The default CoA port is UDP 1700. Ensure that is not blocked. HTH!

Re: Posture fail when admin node is down

Hi,

 

I did some tests with failover. During the time of failover Posture does not work, but as soon as PAN2 becomes Primary admin then Posture starts working.

If I cut the connection between PSN and both PANs then Posture stops working.

In the switch I can see that user authentication is successful, but then nothing more happens.

The switch and PSN are on the same VLAN.

I have gathered DART logs, but I am unsure what to look for. At first glance I don't see anything special that can be wrong.

 

 

What I fail to understand is why PSN needs connection to PAN when the only thing I am doing is checking if AVG Antivirus is installed on the computer.

 

Regards

Philip
