AnyConnect and no policy server detected

dgaikwad
Level 5

Hi Experts,

Test environment:

ISE 2.3 patch 3

HP Comware switch: Version 7.1.070, Release 3208P03

I am seeing this very weird behavior with AnyConnect.

We are using an ACL for posture redirection. When I have these two statements:

rule 135 deny tcp destination-port eq 443
rule 140 deny tcp destination-port eq www

AnyConnect says that it failed to launch the downloader.

But when I change them to:
rule 135 permit tcp destination-port eq 443
rule 140 permit tcp destination-port eq www

AnyConnect says no policy server detected.

Any idea why this could be happening?

Following is the complete ACL:
[NAC-5130-2]display acl 3003
Advanced IPv4 ACL 3003, 29 rules,
ACL's step is 5, start ID is 0
rule 0 permit ip destination <ISE Server> 0
rule 5 permit udp destination-port eq dns
rule 10 permit udp source-port eq bootpc destination-port eq bootps
rule 15 permit udp source-port eq bootps destination-port eq bootpc
rule 20 permit tcp destination-port eq 2967
rule 25 permit tcp source-port eq 2967
rule 30 permit tcp destination-port eq 7070
rule 35 permit tcp source-port eq 7070
rule 40 permit ip destination <AV Server> 0
rule 45 permit tcp destination <AV Server> 0 destination-port eq 443
rule 50 permit tcp destination <AV Server> 0 destination-port eq www
rule 55 permit tcp destination <AV Server> 0 destination-port eq 443
rule 60 permit tcp destination <AV Server> 0 destination-port eq www
rule 65 permit tcp destination <AV Server> destination-port eq 443
rule 70 permit tcp destination <AV Server> destination-port eq www
rule 75 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 80 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 85 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 90 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 95 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 100 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 105 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 110 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 115 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 120 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 125 permit tcp destination <SCCM Server> 0 destination-port eq 443
rule 130 permit tcp destination <SCCM Server> 0 destination-port eq www
rule 135 deny tcp destination-port eq www
rule 140 deny tcp destination-port eq 443


Understood, just so long as the customer understands the issues they will see with this approach. In addition to the OS portal detection issue, they will probably also see Outlook certificate warning issues. As soon as the device is connected to the network, Outlook tries to connect to the servers over HTTPS. If that is being redirected to the client provisioning page, then Outlook will throw a certificate warning.


Thanks for the response.

Yes, the customer is aware of the implications and issues pertaining to this use case.

There is another issue I am seeing, for which I have opened a new thread: when the user clicks on the download link for AnyConnect, a blank page is presented.

I checked the page source and saw that there is nothing in the URL that triggers the AnyConnect client download, as below:

[Attachment: Download URL code.jpg]

Hi,

I am working on the same problem:

My DACL:

permit udp any any eq 53
permit udp any any eq bootps
permit tcp any host 10.71.0.1 eq 80
permit tcp any host 72.163.1.80 eq 80
permit tcp any host 10.70.0.100 eq 80
permit tcp any host 10.70.0.100 eq 443
permit tcp any host 10.70.0.100 eq 8443
permit tcp any host 10.70.0.100 eq 8905
deny ip any any

Where 10.70.0.100 is the Cisco ISE PSN.

My redirect ACL on the NAD is:

ip access-list extended POSTURE
permit tcp any host 10.71.0.1 eq www
permit tcp any host 10.71.0.1 eq 443
permit tcp any host 10.70.0.1 eq www
permit tcp any host 10.70.0.1 eq 443
permit tcp any host 72.163.1.80 eq www
permit tcp any host 72.163.1.80 eq 443
deny ip any any

I don't have a DNS entry for enroll.cisco.com because I don't understand which IP address it must resolve to:

72.163.1.80 or the PSN?

Thank you !

Hi @Svetlin Simeonov,

The REDIRECT ACL should look like:

Extended IP access list REDIRECT_POSTURE
10 deny ip any host <PSN>
20 deny udp any any eq domain
30 deny icmp any any
40 permit tcp any any eq www
50 permit tcp any any eq 443

Note: enroll.cisco.com is the second probe of the HTTP GET /auth/discovery. This FQDN has to be resolvable by the DNS server. In a VPN scenario with split tunneling, traffic to enroll.cisco.com needs to be routed through the tunnel.

Hope this helps!
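As an added illustration (not part of hslai's reply, and not a Cisco tool), here is a small first-match evaluator for IOS-style redirect ACL lines. It runs the REDIRECT_POSTURE ACL above and the host-specific POSTURE ACL from the earlier post through the same checks. The PSN address 10.70.0.100 is taken from that post's DACL; the client, web-server and DNS-server addresses are constructed.

```python
import ipaddress
# Constructed example: first-match evaluator for IOS-style extended ACL lines used for ISE posture
# redirection, where "permit" = redirect the flow to the ISE portal URL and "deny" = pass untouched.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

def _addr(toks):
    # consume 'any' or 'host X'; return (network, remaining tokens)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    raise ValueError("unsupported address spec: " + " ".join(toks))

def parse_rule(line):
    toks = line.split()
    if toks[0].isdigit():            # optional sequence number
        toks = toks[1:]
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, toks = _addr(toks)
    if toks and toks[0] == "eq":     # source port: skipped, not used for matching here
        toks = toks[2:]
    dst, toks = _addr(toks)
    dport = (PORT_NAMES.get(toks[1]) or int(toks[1])) if toks and toks[0] == "eq" else None
    return action, proto, src, dst, dport

def evaluate(acl_lines, proto, src, dst, dport):
    # first matching rule wins; an unmatched flow hits the implicit deny
    for action, rproto, rsrc, rdst, rdport in map(parse_rule, acl_lines):
        if (rproto in ("ip", proto) and ipaddress.ip_address(src) in rsrc
                and ipaddress.ip_address(dst) in rdst and rdport in (None, dport)):
            return action
    return "deny"

def is_redirected(redirect_acl, proto, src, dst, dport):
    return evaluate(redirect_acl, proto, src, dst, dport) == "permit"

def check_redirect_acl(redirect_acl, psn, client="10.71.5.20", web="198.51.100.7"):
    # what a posture redirect ACL needs: PSN and DNS pass through untouched, while
    # HTTP/HTTPS to any other host (e.g. the /auth/discovery probe) gets redirected
    return {"psn_passes": not is_redirected(redirect_acl, "tcp", client, psn, 8443),
            "dns_passes": not is_redirected(redirect_acl, "udp", client, "10.70.0.1", 53),
            "http_redirected": is_redirected(redirect_acl, "tcp", client, web, 80),
            "https_redirected": is_redirected(redirect_acl, "tcp", client, web, 443)}

# REDIRECT_POSTURE as posted above (PSN 10.70.0.100 from the thread's DACL) plus the earlier POSTURE ACL
REDIRECT_POSTURE = ["10 deny ip any host 10.70.0.100", "20 deny udp any any eq domain",
                    "30 deny icmp any any", "40 permit tcp any any eq www",
                    "50 permit tcp any any eq 443"]
POSTURE = ["permit tcp any host 10.71.0.1 eq www", "permit tcp any host 10.71.0.1 eq 443",
           "permit tcp any host 10.70.0.1 eq www", "permit tcp any host 10.70.0.1 eq 443",
           "permit tcp any host 72.163.1.80 eq www", "permit tcp any host 72.163.1.80 eq 443", "deny ip any any"]
```

Running check_redirect_acl on both lists shows the difference: the host-specific ACL leaves HTTP/HTTPS to any host outside its permit list unredirected, so a discovery probe to such a host never hits the portal, whereas the generic ACL redirects it while still leaving the PSN and DNS alone.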

sajid231088
Level 1

Hi,

Could you share the Authorization Profile you have configured?

Also, could you please try putting the FQDN in the tab below Web Redirection.

One more thing you can try: copy the complete URL that you will find under "Attribute Details", put it into your browser and check whether it redirects or not. Please share the output.

Sajid

I have attached the authorization profile here.

I have not tested putting the ISE FQDN in the tab; I will test that and see if I can get through.

When I copy and paste the URL into the browser, I get an error 500 page.

Can you post your current posture redirect ACL that is configured on the switch in its entirety? 

hslai
Cisco Employee