Posture Windows Firewall Check Failing - Question on how it works

mitchell helton
Level 1

Hello experts!

I have 3 users (that have reported the issue at least) that are periodically being blocked by NAC due to the Windows Firewall check failing. The Windows Firewall is in fact enabled and running because it's being managed by Group Policy, and we can see the Windows Firewall log continuously gets written to regardless of what NAC decides. The issue happens first thing in the morning for these laptop users and it happens when waking from sleep - a reboot fixes it. For two of the users it has only happened once, and the other user says it's happened 3 times this week.

My questions are:

1. Any idea what's causing this? The firewall is clearly running, so why doesn't AnyConnect/ISE Posture think it is?

2. How exactly does the built-in ISE firewall check determine if a firewall is running or not? I can't seem to find any documentation on how AnyConnect/ISE decides if a Firewall is enabled/running.

I'm curious if I'm better off creating my own Firewall check policy to check for a service and/or registry entry to determine if the Firewall is on.

Thanks for the help!

mitch
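An added example, not code from the thread or from Cisco: a PowerShell check that records the three signals a custom posture condition (service and/or registry check, as asked about above) could be built on: the MpsSvc service state, the per-profile EnableFirewall values in the local FirewallPolicy hive, and the Group Policy hive that overrides them when the firewall is GPO-managed. Logging it at resume from sleep and lining it up against the posture verdict in the DART logs shows which signal the agent disagrees with. The service name and registry paths are standard Windows locations; the log file path is an assumption.

```powershell
# Added example, not Cisco/ISE code. Collects the Windows Firewall signals a
# custom ISE posture condition could rely on and logs them as one JSON line,
# so the machine state can be compared with the posture result after a resume.

$LogPath  = "$env:ProgramData\FirewallPostureCheck.log"   # assumed location
$Profiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'
# Local firewall state (what netsh / Get-NetFirewallProfile report)
$LocalHive  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
# Group Policy hive; when a value is present here it wins over the local one
$PolicyHive = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-EnableFirewall([string]$Hive, [string]$Profile) {
    $key = Join-Path $Hive $Profile
    # Returns $null when the key or value is absent (e.g. no GPO for that profile)
    (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
}

function Get-FirewallPostureState {
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    $state = [ordered]@{
        Timestamp      = (Get-Date).ToString('o')
        ServiceStatus  = if ($svc) { $svc.Status.ToString() }    else { 'Missing' }
        ServiceStartup = if ($svc) { $svc.StartType.ToString() } else { 'Missing' }
    }
    $effectives = foreach ($p in $Profiles) {
        $local  = Get-EnableFirewall $LocalHive  $p
        $policy = Get-EnableFirewall $PolicyHive $p
        # Effective value: the GPO setting if defined, otherwise the local setting
        $effective = if ($null -ne $policy) { $policy } else { $local }
        $state["$p.Local"]     = $local
        $state["$p.Policy"]    = $policy
        $state["$p.Effective"] = $effective
        $effective
    }
    # A profile counts as on only when its effective value is exactly 1;
    # a missing value ($null) is treated as not on, which is the safe reading.
    $state.AllProfilesOn   = @($effectives | Where-Object { $_ -ne 1 }).Count -eq 0
    $state.FirewallEnabled = ($state.ServiceStatus -eq 'Running') -and $state.AllProfilesOn
    [pscustomobject]$state
}

$result = Get-FirewallPostureState
$result | ConvertTo-Json -Compress | Add-Content -Path $LogPath
$result
```

Run it from a scheduled task triggered on resume and compare the logged line with `Get-NetFirewallProfile | Select-Object Name, Enabled` and with the posture result in the DART bundle for the same timestamp.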


4 Replies

hslai
Cisco Employee

This looks like a bug, but I am unable to locate any existing issue like this, so I would suggest gathering a DART bundle each time it happens again and submitting them to TAC to evaluate.

AnyConnect ISE posture uses a 3rd-party library to verify Windows firewall status.

pan
Cisco Employee

Along with the DART bundle, please share the exact time frame of the issue and also the logs from the screenshot below:

Posture.png

Thanks for the advice. I do have a TAC case open and am waiting to hear back. This is not the first time we've had issues with certain machines resuming from sleep with 802.1x/AnyConnect. Is it common knowledge that "sleep" doesn't play nicely with 802.1x/NAC? Are these just bugs? Any best practice recommendations for dealing with laptops resuming from sleep? That seems to be the only time we have issues. Thanks again!

Upgrading the Compliance module as well as AnyConnect has resolved the issue for at least one of the users. I'm not sure if the AnyConnect upgrade was necessary, but I went ahead and did it as well. The issue was happening every time posture would run, and after the upgrades, it has not happened since.

FWIW - The issue was happening on AnyConnect v4.6.362 and Compliance 4.3.484.6144. Upgrading to AnyConnect v4.7.136.0 and Compliance 4.3.512.61 fixed the issue.