02-15-2019 02:17 PM
Hello experts!
I have 3 users (that have reported the issue at least) that are periodically being blocked by NAC due to the Windows Firewall check failing. The Windows Firewall is in fact enabled and running because it's being managed by Group Policy and we can see the Windows Firewall log continuously gets written to regardless of what NAC decides. The issue happens first thing in the morning for these laptop users and it happens when waking from sleep - a reboot fixes it. For two of the users it has only happened once, and the other user says it's happened 3 times this week.
My questions are:
1. Any idea what's causing this? The firewall is clearly running, so why doesn't AnyConnect/ISE Posture think it is?
2. How exactly does the built-in ISE firewall check determine if a firewall is running or not? I can't seem to find any documentation on how AnyConnect/ISE decides if a Firewall is enabled/running.
I'm curious if I'm better off creating my own Firewall check policy to check for a service and/or registry entry to determine if the Firewall is on.
Thanks for the help!
mitch
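A check a defender could run on an affected laptop right after posture fails, collecting the same signals a custom firewall condition (service, Group Policy registry keys, per-profile state, log activity) would rely on. This is an added example, not code from the thread or from Cisco; it assumes Windows 8/Server 2012 or later (NetSecurity module and the HNetCfg COM API) and the standard Group Policy registry path.

```powershell
# Added example (not from the thread or from Cisco): gather the evidence a defender
# wants when a posture agent reports Windows Firewall as not running after resume.
# Assumes Windows 8/Server 2012 or later and the standard GPO registry location.
function Get-FirewallPostureState {
    # Windows Firewall service (MpsSvc) is what a simple "service running" condition would test
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue

    # COM firewall API; profile bitmask: 1 = Domain, 2 = Private, 4 = Public
    $pol = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ Domain = 1; Private = 2; Public = 4 }
    $com = foreach ($p in $profiles.Keys) {
        [pscustomobject]@{ Profile = $p; ComEnabled = $pol.FirewallEnabled($profiles[$p]) }
    }

    # Effective per-profile state as Windows itself reports it
    $net = Get-NetFirewallProfile | Select-Object Name, Enabled, LogFileName

    # Group Policy keys; EnableFirewall = 1 means policy forces the firewall on for that profile
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $policy = foreach ($p in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        $v = Get-ItemProperty -Path "$gpo\$p" -Name EnableFirewall -ErrorAction SilentlyContinue
        [pscustomobject]@{ Profile = $p; GpoEnableFirewall = $v.EnableFirewall }
    }

    # Firewall log: a recent write shows the filtering engine is alive regardless of what posture says
    $log = [Environment]::ExpandEnvironmentVariables(
        (Get-NetFirewallProfile -Name Domain).LogFileName)
    $lastWrite = if (Test-Path $log) { (Get-Item $log).LastWriteTime } else { $null }

    # Last resume from sleep (Power-Troubleshooter event 1), to correlate with the failure time
    $wake = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Power-Troubleshooter'; Id = 1
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Time                 = Get-Date
        ServiceStatus        = if ($svc) { $svc.Status } else { 'missing' }
        ActiveProfiles       = $pol.CurrentProfileTypes   # bitmask of profiles currently in use
        ComState             = $com
        NetProfiles          = $net
        GpoPolicy            = $policy
        FirewallLogLastWrite = $lastWrite
        LastResume           = if ($wake) { $wake.TimeCreated } else { $null }
    }
}

Get-FirewallPostureState | ConvertTo-Json -Depth 3
```

Run it as administrator on the affected machine while the posture failure is active and keep the JSON alongside the DART bundle for comparison.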
03-05-2019 10:26 AM - edited 03-05-2019 10:30 AM
Upgrading the Compliance module as well as AnyConnect has resolved the issue for at least one of the users. I'm not sure if the AnyConnect upgrade was necessary, but I went ahead and did it as well. The issue was happening every time posture would run, and after the upgrades, it has not happened since.
FWIW - The issue was happening on AnyConnect v4.6.362 and Compliance 4.3.484.6144. Upgrading to AnyConnect v4.7.136.0 and Compliance 4.3.512.61 fixed the issue.
02-15-2019 07:41 PM
This looks like a bug but I am unable to locate any existing issue like this so I would suggest to gather a DART bundle each time it again happens and submit them to TAC to evaluate.
AnyConnect ISE posture is using a 3rd-party library to verify Windows firewall status.
02-15-2019 08:15 PM
Along with the DART bundle, please share the exact time frame of the issue and also the logs from the screenshot below:
02-18-2019 05:21 AM
Thanks for the advice. I do have a TAC case open and am waiting to hear back. This is not the first time we've had issues with certain machines resuming from sleep with 802.1x/AnyConnect. Is it common knowledge that "sleep" doesn't play nicely with 802.1x/NAC? Are these just bugs? Any best practice recommendations for dealing with laptops resuming from sleep? That seems to be the only time we have issues. Thanks again!